[Snort-users] Snort portscan false positives?

Erek Adams erek at ...577...
Wed Oct 9 13:01:03 EDT 2002

On 9 Oct 2002, Felipe Alfaro Solana wrote:

> I'm net to Snort and IDS... I'm curious to know what's passing through
> my ADSL router, so I installed SNORT on an old spare computer. I own a
> 3Com OfficeConnect 812 ADSL router... it's discontinued but works pretty
> fine. It's an ADSL router and a 4-port hub, so I hooked up my old
> computer to one of the ports of the router so I could analyze all the
> traffic coming in/going out from/to the Internet.


> So, based on the previous information, it seems that my web browser is
> connecting to an Internet host to download content (JPG, GIF, etc) very
> very fast, using new connections and thus, with sequentially increasing
> source ports. It seems that SNORT is taking this connections as a
> portscan attempt, but I think this is my web browser opening and closing
> HTTP connections against the web site very very fast. Also, since
> Internet source port is always 80, this leads me to think it's simply a
> lot of HTTP traffic coming and going between my Web browser and the Web
> site.

When you fire up a socket to talk, it (usually) gets a 'random' port number.
Some OS'es will increment by one, others randomize a bit more.  So what you're
seeing is 'normal' in the way it works.  And as to how NAT works, keep in mind
that your router does the NAT (well actually PAT).  And your snort box and
your workstation are 'behind' the router so the packets have already been
'un-NATed' when you read them.  If you were in "front" of the NAT box, you
would see what you were expecting.

The reason that portscan2 is flagging that as a scan is there are 'more than
x connections to y targets.'  Since ps2 has no idea of what your HOME_NET is,
it sees the connections and flags them, even though they are coming from you.

Just define portscan2-ignorehosts with your IP and all should be well.


Erek Adams

More information about the Snort-users mailing list