
False Negative detect for port scan against TCP 1433

crossmanj
Level 1

I am very disappointed today in my NetRangers, and I'm writing y'all to help me regain some sense of trust in them. As y'all know, we call a false positive any situation when the NetRangers trigger a detect that is incorrect or false. And like I tell my students, these can be annoying, but it's the false negative responses that will kill you. These are the times that the NetRanger sits there idly while an attack flows right past it.

Yesterday, during the SQLsnake worm's run, I had a false negative detect on TCP port 1433 scans. I would have thought - and in fact explained to my management and customers - that the NetRangers could detect a port scan for port 1433. Specifically, I was thinking of signature 3030, which yesterday continued to detect the usual port 111, 80, 25, 22, etc. scans - but was completely silent as port scan after port scan was run against my network, looking for port 1433. To make matters worse, a customer's system was infected by the worm, and it had port-scanned tens of thousands of hosts as fast as it could push the bits out (the worm triggers 100 threads of port scanning activity) - and today my IDS still shows no detected activity against port 1433.

I am using a Sniffer and manually checking it for details on this new worm. I don't expect y'all to detect events that you don't have signatures developed for, but when a worm uses port scanning to find a target and y'all can't see that port scan - then that is a failure at the most basic level of an IDS.

I have a TAC case open - just in case I'm missing something. I have a Sniffer looking at the same data as the sensors so I know the sensor sees the traffic. I received other 3030 detects, so I know the sensors and director are working properly. I attempted to stimulate the same sensors and others with nmap scans against port 1433, and still received no data.

I really can't describe how let down I feel. What other port scans are happening that I don't know about? My trust in the data the NetRanger provides has been shaken. How can I trust an IDS that can't detect a port scan? Please help.

2 Replies

rsmith
Level 1

Crossmanj,

I have noticed this significantly as well. Did you find anything from TAC?

jakasper
Level 1

Please see the July 7 posting... new engineering release 3.1.3 for service-over-host sweeps.
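The distinction the thread turns on is between a port scan (one source probing many ports on one host) and a service-over-host sweep (one source probing one port, here tcp/1433, across many hosts), which is the shape a worm hunting for a single service produces. The following is an added example, not code from this thread or from any Cisco product, of the sliding-window counting a sensor needs in order to catch both shapes. It works on constructed SYN records (not real captures), the 60-second window and the threshold of 20 distinct peers are arbitrary assumptions, and records are assumed to arrive in time order:

```python
"""Sliding-window sweep/scan detector over constructed TCP SYN records (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Syn:
    """One observed TCP SYN: timestamp in seconds, source, destination, destination port."""
    ts: float
    src: str
    dst: str
    dport: int


class SweepDetector:
    """Counts distinct peers per source inside a sliding time window.

    Two independent counters are kept so the two scan shapes are told apart:
      * host sweep: one source, one destination port, many destination hosts
        (a worm looking for a single service such as tcp/1433);
      * port scan:  one source, one destination host, many destination ports.
    Window and thresholds are assumed values, not tuned from real traffic.
    """

    def __init__(self, window_s: float = 60.0, host_threshold: int = 20,
                 port_threshold: int = 20):
        self.window_s = window_s
        self.host_threshold = host_threshold
        self.port_threshold = port_threshold
        # (src, dport) -> recent (ts, dst) pairs
        self._by_port: Dict[Tuple[str, int], Deque[Tuple[float, str]]] = defaultdict(deque)
        # (src, dst) -> recent (ts, dport) pairs
        self._by_host: Dict[Tuple[str, str], Deque[Tuple[float, int]]] = defaultdict(deque)
        self._fired: Set[Tuple[str, object]] = set()  # alert once per key

    def _expire(self, q: Deque, now: float) -> None:
        """Drop entries older than the window (records are assumed to arrive in time order)."""
        while q and q[0][0] < now - self.window_s:
            q.popleft()

    def observe(self, syn: Syn) -> List[str]:
        alerts: List[str] = []

        # Host sweep: how many distinct hosts has this source hit on this port lately?
        hkey = (syn.src, syn.dport)
        q = self._by_port[hkey]
        q.append((syn.ts, syn.dst))
        self._expire(q, syn.ts)
        hosts = {dst for _, dst in q}
        if len(hosts) >= self.host_threshold and ("host", hkey) not in self._fired:
            self._fired.add(("host", hkey))
            alerts.append(f"host sweep: {syn.src} hit {len(hosts)} hosts on tcp/{syn.dport} "
                          f"within {self.window_s:g}s")

        # Port scan: how many distinct ports has this source probed on this host lately?
        pkey = (syn.src, syn.dst)
        q2 = self._by_host[pkey]
        q2.append((syn.ts, syn.dport))
        self._expire(q2, syn.ts)
        ports = {p for _, p in q2}
        if len(ports) >= self.port_threshold and ("port", pkey) not in self._fired:
            self._fired.add(("port", pkey))
            alerts.append(f"port scan: {syn.src} probed {len(ports)} ports on {syn.dst} "
                          f"within {self.window_s:g}s")
        return alerts


def detect(records: List[Syn], **kwargs) -> List[str]:
    """Run every record through one detector and collect the alerts it raises."""
    det = SweepDetector(**kwargs)
    alerts: List[str] = []
    for rec in sorted(records, key=lambda s: s.ts):
        alerts.extend(det.observe(rec))
    return alerts


def sample_traffic() -> List[Syn]:
    """Constructed SYN records (not real captures): a 1433 host sweep, a port scan, benign web."""
    recs: List[Syn] = []
    # Worm-style sweep: one infected host tries tcp/1433 on 40 addresses in 4 seconds.
    for i in range(40):
        recs.append(Syn(100.0 + i * 0.1, "10.0.0.5", f"10.1.0.{i + 1}", 1433))
    # Classic port scan: one source walks 25 ports on a single server.
    for i, port in enumerate(range(20, 45)):
        recs.append(Syn(200.0 + i * 0.2, "10.0.0.9", "10.2.0.9", port))
    # Benign: a browser talking to a handful of web servers on tcp/80.
    for i in range(5):
        recs.append(Syn(300.0 + i, "10.0.0.7", f"10.3.0.{i + 1}", 80))
    return recs


if __name__ == "__main__":
    for line in detect(sample_traffic()):
        print(line)
```

The point of keeping two counters is that a detector keyed only on (source, destination host) sees a worm's 1433 sweep as thousands of single-port connections to unrelated hosts and never fires, which is the blind spot described above; the (source, destination port) counter is what makes the sweep visible. Shrinking the window (for example `detect(sample_traffic(), window_s=1.0)`) shows the trade-off in the other direction: a slow sweep spreads its distinct hosts across windows and drops below threshold.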