Hi,

These false positives are common in internal networks if no tuning has been done.

The Readme.sfportscan file within the doc/ directory of the snort distribution contains information on how to interpret these results and how to fine tune this module.

Regards,

Omar Herrera

> -----Original Message-----
> From: Isidro Catalán Ramos
>
> Hi list,
>
> We have Snort 2.4.4 and in the logs appear a lot of Port Scan traffic of
> this type:
>
> (portscan) TCP Portsweep
> (portscan) ICMP Sweep
> (portscan) UDP Portsweep
> (portscan) Open Port
>
> And the payload of these alerts is like the following:
>
> Payload (ASCII):
> Priority Count: 5.Co
> nnection Count: 4.IP
> Count: 14.Scanned I
> P Range: 192.168.1.9
> :65.54.171.28.Port/
> Proto Count: 8.Port/
> Proto Range: 80:3410
> .
>
> These alerts come from a lot of our network computers but they seem to
> be clean of spyware, worms, etc...
>
> We need to know if this is a false positive or we have a problem in our
> LAN.
>
> Thanks!
> --
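Omar's reply points at README.sfportscan for reading the counts in that payload. As an added example (editor's code, not from the thread or the Snort project), here is a small Python parser for the sfportscan alert body plus a triage heuristic of my own. The first sample is the payload quoted above with the "." that the ASCII dump prints for each newline put back as a line break; the second sample, the internal address space (192.168.0.0/16), and the 0.5 / 0.8 thresholds are all constructed for illustration. The field meanings in the comments follow README.sfportscan as I read it: Priority Count is the number of negative responses (resets, unreachables), Connection Count the active connections, IP Count and Port Count how many distinct hosts and ports were touched.

```python
import ipaddress
import re

# Constructed sample: the payload quoted in the thread, with each "." that the
# ASCII dump shows for a newline restored as a real line break.
SAMPLE_PORTSWEEP = (
    "Priority Count: 5\n"
    "Connection Count: 4\n"
    "IP Count: 14\n"
    "Scanned IP Range: 192.168.1.9:65.54.171.28\n"
    "Port/Proto Count: 8\n"
    "Port/Proto Range: 80:3410\n"
)

# Constructed sample (hypothetical): one internal host touching 40 internal
# addresses on a single port and drawing a negative response from almost all.
SAMPLE_INTERNAL_SWEEP = (
    "Priority Count: 38\n"
    "Connection Count: 2\n"
    "IP Count: 40\n"
    "Scanned IP Range: 192.168.1.2:192.168.1.250\n"
    "Port/Proto Count: 1\n"
    "Port/Proto Range: 445:445\n"
)

# One "Key: value" field per line. Keys contain only letters, '/' and spaces,
# so the first ':' always terminates the key even though the two Range
# values contain ':' themselves.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z/ ]+?):\s*(?P<value>\S.*?)\s*$", re.MULTILINE)


def parse_payload(text):
    """Return the sfportscan fields as a dict: counts as int, ranges as 2-tuples."""
    fields = {}
    for m in FIELD_RE.finditer(text):
        key, value = m.group("key"), m.group("value")
        if key.endswith("Count"):
            fields[key] = int(value)
        elif key == "Scanned IP Range":
            a, b = value.split(":", 1)          # two addresses joined by ':'
            fields[key] = (ipaddress.ip_address(a), ipaddress.ip_address(b))
        elif key == "Port/Proto Range":
            a, b = value.split(":", 1)          # two port numbers joined by ':'
            fields[key] = (int(a), int(b))
        else:
            fields[key] = value                 # e.g. Scanner IP for one-to-one scans
    return fields


def scanned_scope(fields, internal_nets):
    """'internal' if both ends of the scanned range are in our address space,
    'external' if neither is, 'mixed' otherwise."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    inside = [any(addr in net for net in nets) for addr in fields["Scanned IP Range"]]
    if all(inside):
        return "internal"
    if not any(inside):
        return "external"
    return "mixed"


def triage(fields, internal_nets):
    """Heuristic (mine, not from README.sfportscan): is this sweep alert worth
    an analyst's time, or a candidate for tuning the preprocessor?

    README.sfportscan describes Priority Count as the number of negative
    responses (TCP resets, ICMP unreachables) the scanning host received.
    Probing addresses that are not listening draws mostly negative answers,
    so a ratio of negative responses to hosts touched near 1 looks like a
    sweep; a low ratio looks like a client that simply spoke to many live
    hosts, which is exactly the untuned-sensor false positive."""
    scope = scanned_scope(fields, internal_nets)
    ips = fields["IP Count"]
    neg_ratio = fields["Priority Count"] / ips if ips else 0.0
    if scope == "internal" and neg_ratio >= 0.8:
        return "investigate", scope, round(neg_ratio, 2)
    if neg_ratio < 0.5:
        return "tune", scope, round(neg_ratio, 2)
    return "review", scope, round(neg_ratio, 2)


if __name__ == "__main__":
    for name, payload in (("portsweep", SAMPLE_PORTSWEEP),
                          ("internal sweep", SAMPLE_INTERNAL_SWEEP)):
        fields = parse_payload(payload)
        print(name, fields["Scanned IP Range"], triage(fields, ["192.168.0.0/16"]))
```

The quoted alert comes out as "tune" (5 negative responses across 14 hosts, range reaching outside the LAN), which matches the reply's diagnosis. Once the "tune" bucket is identified, the knobs README.sfportscan documents for the sfportscan preprocessor line in snort.conf are `sense_level { low | medium | high }`, `ignore_scanners { ... }` for hosts that legitimately talk to many peers (proxies, NAT gateways, DNS and mail servers), and `watch_ip { ... }` to restrict detection to the addresses you care about.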
