[Snort-users] Port scans detected behind Firewall?

Matt Kettler mkettler at ...4108...
Mon Jun 13 14:21:32 EDT 2005

James Bruce wrote:
> Hello,
> 	I'm not sure this is the right place to ask this but I have a
> another newb question. I don't fully understand how this is happening.
> We have a Cisco pix 515 firewall, with all incoming ports closed and
> some outbound ports open (80,25 etc..) We also have snort and squid
> installed on a W2K server with a single interface behind the firewall.
> All network users use the squid proxy for internet access. Snort is
> picking up port scans from outside ip addresses. My question is how are
> these sites port scanning my proxy server? I know some of these port
> scans are from audio streaming sites looking for a hole but shouldn't
> the firewall stop these port scans from reaching the proxy?? I'm sure
> I'm missing something simple here. Please post your thoughts. Thank you
> James
> Here is the snort log: is our proxy. Snort's threshold value
> for # or ports is set to 20.

Unfortunately in my experience portscan2 has a big problem distinguishing
between a port scan and a client opening a website with a lot of images when you
start dropping packets. Use kill -USR1 to force snort to log it's stats and
check your packet drop rate. If you want to use portscan2 without lots FPs, that
number has to be very close to 0%.

If it misses the outgoing syn's portscan2 often sees all the syn-acks coming
back from the webserver as a syn-ack scan, instead of responses to legitimate

That explains the TCP scans being sourced from port 80. You can verify it
yourself, pick any website with a lot of images on it and you should trigger a
"scan" as soon as you open it.

The same basic effect happens with DNS lookups, but they show up as being UDP
packets sourced from port 53.

More information about the Snort-users mailing list