Snort - portscan/Portsweep from WAN interface suddenly



  • Hi!

    Last night, after automatically getting the latest updates and Snort reloading, new alerts from the WAN interface started filling the logs with portscan triggers where the source is my IP and the destination is many regular sites (Google, Facebook…).

    I added gen_id 122, sig_id 3/7/23/26 to the suppress list for now, but I would like to know what might have happened suddenly?
    Shouldn't the Snort pre-processor ignore alerts if the source is my WAN but the traffic actually originates from the LAN?
    My IP did not change...
    Can something in the new rules break it?

    I do not want to ignore incoming portscans, but I do not care if it is outbound - how do I avoid Snort blocking this?



  • What if you have a compromised host in your network that is port scanning as a precursor to propagating malware? Not interested in that?


  • Moderator

    You can also adjust the sensitivity of the port scanner pre-processor and also add exclusions.
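    The suppress entries the original poster describes hide the sweep alerts regardless of direction, so inbound sweeps would vanish too; Snort's suppress syntax can instead be scoped to a source address, and the sfportscan preprocessor itself accepts exclusions. The following is an added example configuration, not from this thread or the Snort package, using 203.0.113.10 as a placeholder for the firewall's WAN address:

```conf
# --- Blanket suppression (what the original poster added): drops the
# TCP/UDP/ICMP sweep alerts no matter who the source is, so sweeps
# arriving from the Internet are silenced as well.
suppress gen_id 122, sig_id 3
suppress gen_id 122, sig_id 7
suppress gen_id 122, sig_id 23
suppress gen_id 122, sig_id 26

# --- Scoped suppression: drop the same sweep alerts only when the
# source is the firewall's own WAN address (203.0.113.10 is a
# placeholder). Sweeps from outside still alert and still block.
# Note: NAT makes every outbound LAN host look like this address on
# the WAN interface, so a genuinely compromised internal host sweeping
# the Internet is also hidden here; keep a Snort instance on the LAN
# interface to catch that case, as one poster in this thread does.
suppress gen_id 122, sig_id 3, track by_src, ip 203.0.113.10
suppress gen_id 122, sig_id 7, track by_src, ip 203.0.113.10
suppress gen_id 122, sig_id 23, track by_src, ip 203.0.113.10
suppress gen_id 122, sig_id 26, track by_src, ip 203.0.113.10

# --- Preprocessor-level alternative (the "exclusions" and sensitivity
# the moderator mentions): ignore_scanners stops the WAN address from
# being tracked as a scan source at all, and sense_level low reduces
# false positives from normal bursts of outbound connections.
preprocessor sfportscan: proto { all } \
    scan_type { all } \
    sense_level { low } \
    ignore_scanners { 203.0.113.10 }
```

The scoped suppress lines are the smallest change that keeps inbound sweep detection intact; the ignore_scanners variant is broader because it affects every sfportscan signature, not just the four listed.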



  • @vbentley:

    What if you have a compromised host in your network that is port scanning as a precursor to propagating malware? Not interested in that?

    For that, I have Snort configured on the internal interface as well. I think there was something wrong with the Snort rules update that day.



  • I'm seeing the same thing. I just noticed it today, but I'm not sure how long it's been occurring. I was running Snort rules from Jun 1st and EMThreat rules from Jun 2nd and still seeing problems. Snort is blocking Facebook, Google, Bing and others. I forced an update and both rulesets are now dated Jun 2. We'll see if that fixes it.

    I've always had my portscan sensitivity set to "low" and haven't changed anything with my Snort setup for months. So I'm hoping it was just a bad batch of rules.