Unexpected portscan and portsweep alerts from Symantec Network Security
Article: TECH112582 | Created: 2004-01-07 | Updated: 2005-01-30 | Article URL: http://www.symantec.com/docs/TECH112582
Symantec Network Security 7100 Series and Symantec Network Security 4.0 show scan and sweep alerts when you have no reason to expect them. The alerts may include the following:
Too Many Out of Order TCP Segments
TCP ACK Portsweep
TCP ACK Portscan
TCP Unusual-flags Portsweep
You may also see other TCP Portscan or TCP Portsweep alerts.
This problem happens when the network has traffic anomalies that are related to TCP sessions. Symantec Network Security reports these anomalies as scan and sweep alerts.
To fix this problem, read each of the following sections for possible causes:
Look for incomplete or duplicated IP addresses and ports
This problem can happen when more than one device on the network is configured with the same IP address, or when an IP address or port in the configuration is incomplete. Two devices answering for one address produce overlapping responses that the sensor cannot reconcile into a single TCP session. To check this possibility, take the IP addresses and ports named in the alerts and determine, for each one, whether it is incompletely configured or is in use by more than one device on the network (for example, one IP address seen with two different MAC addresses in a capture).
Examine network traffic for packet anomalies
This problem can happen when packets contain anomalies.
To check this possibility, first use the Symantec Network Security snsdump tool to capture packets from the network interfaces and record them in a snoop file. You can also use snsdump to capture packets from an interface pool. Then use a network protocol analyzer such as Tethereal to analyze the captured traffic. (Tethereal is the command-line version of Ethereal; its current name is tshark, part of Wireshark.)
For more information on how to use the snsdump tool, read "Using the re1000gdump and snsdump tool in Symantec Network Security 7100 Series". re1000gdump and snsdump are the same tool; it has been renamed.
Types of packet anomalies
Symantec Network Security can show scan and sweep alerts when the traffic that it monitors is missing packets from a TCP session or has duplicate packets. These problems can be caused by various types of misconfigurations of the network.
For instance, when Symantec Network Security 4.0 is connected to a span (mirror) port on a switch, a misconfigured or overloaded span session can cause problems that include the following:
Duplicate packets: If the span session mirrors both the receive (Rx) and transmit (Tx) sides of the other switch ports, then any frame that travels from one mirrored switch port to another mirrored switch port is copied twice, once as it enters the first port and once as it leaves the second. The span port delivers duplicate packets to the sensor, which causes Symantec Network Security 4.0 to show a scan or sweep alert. Mirroring only the Rx side of each source port avoids this for traffic between monitored ports, because each frame then appears once, on the port where it enters the switch.
Missing packets: If the span port is oversubscribed (the mirrored traffic exceeds the span port's bandwidth), the switch drops some of the copies. The sensor then sees incomplete TCP sessions, which causes Symantec Network Security 4.0 to show a scan or sweep alert. Check the span destination interface's output drop counters on the switch alongside the alert times.
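Putting the two checks in this article together, here is an added example (not Symantec's code and not part of the original article): a Python triage script that takes the per-packet fields a Tethereal dissection of an snsdump capture would give you and reports duplicated IP addresses (one address sent from more than one MAC), exact duplicate TCP segments seen within a short window (the Rx/Tx span duplication above), and sequence-number gaps in each flow direction (frames dropped by an overloaded span port). The packet records are constructed for the example, not a real capture, and the Pkt field names and the 10 ms duplicate window are assumptions of mine.

```python
"""Triage a capture for the conditions this article describes: duplicate
IP addresses, span-port duplicate frames, and span-port drops.
Added example, not Symantec's code; packet records are constructed."""
from collections import defaultdict
from typing import NamedTuple


class Pkt(NamedTuple):
    """Per-packet fields a tshark/Tethereal dissection would provide."""
    ts: float      # capture timestamp in seconds
    src_mac: str   # Ethernet source address
    src: str       # source IP
    dst: str       # destination IP
    sport: int
    dport: int
    flags: str     # TCP flag letters, e.g. "S", "SA", "PA"
    seq: int       # TCP sequence number
    length: int    # TCP payload length in bytes


def duplicate_ips(pkts):
    """IP addresses sent from more than one MAC: two devices share the address."""
    macs = defaultdict(set)
    for p in pkts:
        macs[p.src].add(p.src_mac)
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}


def duplicate_segments(pkts, window=0.01):
    """Count segments identical to one seen within `window` seconds.
    A span session mirroring both Rx and Tx copies each frame twice,
    microseconds apart; a real retransmission waits for the sender's
    retransmission timeout, far longer than the window."""
    last_seen = {}
    dups = 0
    for p in pkts:
        key = (p.src, p.dst, p.sport, p.dport, p.flags, p.seq, p.length)
        t = last_seen.get(key)
        if t is not None and p.ts - t <= window:
            dups += 1
        last_seen[key] = p.ts
    return dups


def sequence_gaps(pkts):
    """Per flow direction, report jumps in sequence space: data the sender
    sent but the sensor never saw, i.e. frames dropped by the span port.
    Returns (flow, expected_seq, seen_seq, missing_bytes) tuples."""
    expected = {}
    gaps = []
    for p in pkts:
        consumed = p.length + ("S" in p.flags) + ("F" in p.flags)
        if consumed == 0:
            continue  # pure ACKs occupy no sequence space
        flow = (p.src, p.dst, p.sport, p.dport)
        exp = expected.get(flow)
        if exp is not None and p.seq > exp:
            gaps.append((flow, exp, p.seq, p.seq - exp))
        if exp is None or p.seq + consumed > exp:
            expected[flow] = p.seq + consumed
    return gaps


# Constructed sample, not a real capture. Flow A is mirrored twice per
# frame (Rx+Tx span), flow B lost its second data segment, and 10.0.0.9
# answers from two different MACs.
def _flow_a():
    a, b = ("10.0.0.5", "00:11:22:33:44:55"), ("10.0.0.9", "00:aa:bb:cc:dd:ee")
    frames = [
        Pkt(0.000, a[1], a[0], b[0], 40000, 80, "S", 1000, 0),
        Pkt(0.001, b[1], b[0], a[0], 80, 40000, "SA", 5000, 0),
        Pkt(0.002, a[1], a[0], b[0], 40000, 80, "A", 1001, 0),
        Pkt(0.003, a[1], a[0], b[0], 40000, 80, "PA", 1001, 100),
        Pkt(0.004, b[1], b[0], a[0], 80, 40000, "A", 5001, 0),
        Pkt(0.005, b[1], b[0], a[0], 80, 40000, "PA", 5001, 300),
    ]
    mirrored = []
    for f in frames:  # each frame copied on ingress and again on egress
        mirrored += [f, f._replace(ts=f.ts + 0.00002)]
    return mirrored


def _flow_b():
    c, s = ("10.0.0.7", "00:11:22:33:44:77"), ("10.0.0.9", "00:ff:ff:ff:ff:01")
    return [
        Pkt(1.000, c[1], c[0], s[0], 40001, 80, "S", 2000, 0),
        Pkt(1.001, s[1], s[0], c[0], 80, 40001, "SA", 7000, 0),
        Pkt(1.002, c[1], c[0], s[0], 40001, 80, "A", 2001, 0),
        Pkt(1.003, c[1], c[0], s[0], 40001, 80, "PA", 2001, 100),
        # the 100-byte segment at seq 2101 was dropped by the span port
        Pkt(1.005, c[1], c[0], s[0], 40001, 80, "PA", 2201, 100),
    ]


SAMPLE = _flow_a() + _flow_b()


def triage(pkts=SAMPLE):
    return {
        "duplicate_ips": duplicate_ips(pkts),
        "duplicate_segments": duplicate_segments(pkts),
        "sequence_gaps": sequence_gaps(pkts),
    }


if __name__ == "__main__":
    for name, result in triage().items():
        print(name, result)
```

Run against the constructed sample it reports 10.0.0.9 behind two MACs, six duplicated segments in flow A (one copy of every frame, which is exactly what Rx+Tx mirroring of two ports produces), and one 100-byte hole in flow B at sequence 2101. To use it on a real snoop file, fill the Pkt records from Tethereal output; the duplicate check relies on the two mirrored copies arriving microseconds apart, which is what separates span duplication from a genuine retransmission, and the gap check deliberately ignores segments with seq below the expected value so duplicates do not show up as gaps.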