Intermittent IDS Alerts for "Portscan", "Portsweep"...

PaulHenry

Environment:

We are running MX-250 with firmware MX 15.25. IDS is on with mode "Prevention" and ruleset "Security".

We are using Lansweeper across our network to manage our PCs.

Problem:

Sometimes the IDS reports on "Filtered Portscan", "Filtered Distributed Protocol Scan", "Filtered Portsweep" and others. All are listed as "Allowed", even though our mode is "Prevention".

I am happy to see these in the reports, so that I can verify that these portscans are appropriate, but why did it just start recently and why does it seem to be intermittent?

Any ideas?

Thanks, and stay healthy everyone.

BrechtSchamp

Does the Lansweeper run on a specific server? If yes, is that server listed as the source or destination of the IDS events?

Yes, it runs on a specific server and I can see that as the source of the IDS events.

The problem is that it is intermittent. I have never seen portscan events before in the IDS and I do not see these consistently. They appear in massive numbers occasionally, but not always.

We run port scans all the time, but they only appear in the IDS sometimes.

The reason why they're still getting through is likely because of the configuration details of sfportscan in the MX. The problem with IDS in Meraki is that it isn't very fine-tunable, and details like this are also not documented.

Why they're intermittent, I'm not sure. Maybe the scans Lansweeper does have an element of randomness, and maybe sfportscan behaves differently when the first IP/service/whatever scanned results in a positive result rather than negative.

More info about sfportscan here:

https://www.snort.org/faq/readme-sfportscan

I wouldn't worry too much about it as you know the result is legitimate and the threat isn't.
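The original poster wants to confirm that the portscan/portsweep alerts really come from the Lansweeper server. The script below is an added example (not from the thread, Meraki or Lansweeper): it parses a constructed, simplified event format (not the real MX export format), groups scan-type alerts by source IP, and flags any scanning source that is not on an assumed list of approved scanners. The IP addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified key=value form; NOT real MX output.
SAMPLE_EVENTS = """\
2020-04-02T10:00:01Z ids-alert signature="Filtered Portscan" action=allowed src=10.0.5.20 dst=10.0.7.14
2020-04-02T10:00:03Z ids-alert signature="Filtered Portsweep" action=allowed src=10.0.5.20 dst=10.0.7.15
2020-04-02T10:00:09Z ids-alert signature="Filtered Distributed Protocol Scan" action=allowed src=10.0.5.20 dst=10.0.7.16
2020-04-02T10:05:44Z ids-alert signature="Filtered Portscan" action=allowed src=192.0.2.77 dst=10.0.7.14
2020-04-02T10:06:10Z ids-alert signature="Constructed Non-Scan Rule" action=blocked src=192.0.2.77 dst=10.0.7.30
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) ids-alert signature="(?P<sig>[^"]+)" action=(?P<action>\w+) '
    r'src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$'
)

# Substrings that identify the sfportscan-style signatures named in the thread.
SCAN_KEYWORDS = ("portscan", "portsweep", "protocol scan")


def parse_events(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_scan_signature(sig):
    return any(k in sig.lower() for k in SCAN_KEYWORDS)


def triage_scans(events, approved_scanners):
    """Summarise scan alerts per source and mark whether the source is an approved scanner."""
    by_src = defaultdict(lambda: {"count": 0, "allowed": 0, "targets": set(), "signatures": set()})
    for ev in events:
        if not is_scan_signature(ev["sig"]):
            continue  # ignore non-scan alerts for this triage
        rec = by_src[ev["src"]]
        rec["count"] += 1
        rec["allowed"] += ev["action"] == "allowed"  # surfaces "Allowed" despite Prevention mode
        rec["targets"].add(ev["dst"])
        rec["signatures"].add(ev["sig"])
    return {src: {"approved": src in approved_scanners, "count": r["count"], "allowed": r["allowed"],
                  "targets": len(r["targets"]), "signatures": sorted(r["signatures"])}
            for src, r in by_src.items()}


def unapproved_sources(report):
    """Sources generating scan alerts that are not known scanners: the ones worth investigating."""
    return sorted(src for src, r in report.items() if not r["approved"])


if __name__ == "__main__":
    rep = triage_scans(parse_events(SAMPLE_EVENTS), {"10.0.5.20"})  # assumed Lansweeper server IP
    for src, r in rep.items():
        print(src, r)
    print("investigate:", unapproved_sources(rep))
```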
