TCP High Port Sweep false positive

mike.sheldon
Level 1

We're seeing a ton of false positives for sig 3010 TCP High Port Sweep. We've reviewed the flows in question and they are valid sessions, not attacks. Upon reviewing the details of the event, we see that, according to NetRanger, the source port for the packets is 0 (zero). It appears that NetRanger is unable to match the packet to the outbound session it's related to. We were thinking there might be a bug that's corrupting the source port during packet capture? Is there a configuration error that can explain this condition?

Thanks for any assistance

1 Reply

klwiley
Cisco Employee

This is not an unusual occurrence. A user that connects to a webserver could cause what appears to be a High port sweep directed from the Web Server bound to the client. This is just one instance of the possible ways a benign event can cause this problem. Most often web servers are the benign generators of this alarm.

If you are seeing zero listed as the source port, this probably indicates that you are looking at an aggregated alarm notification. This means that you are viewing the result of taking several alarms of this type and lumping them together. When this occurs, the source port information of the individual events is lost (since the alarm is the aggregation of several alarms that probably originated from different source ports).

KLW
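The two points in the reply above (aggregation drops the per-event source port, and return traffic from a web server looks like a sweep of the client's high ports) can be checked mechanically during triage. The following is an added example, not code from the thread or from any Cisco product: it models alarm aggregation the way the reply describes it, then cross-checks a sweep alarm against the sessions the supposed victim itself opened. All addresses, ports and the `Session`/`Alarm` types are constructed for the example.

```python
"""Triage helper for 'TCP High Port Sweep'-style IDS alarms (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass(frozen=True)
class Session:
    """One observed TCP session, as a flow collector or firewall log would record it."""
    client_ip: str
    client_port: int   # ephemeral port chosen by the client side
    server_ip: str
    server_port: int


@dataclass
class Alarm:
    """A sweep alarm: 'src' is the supposed scanner, dst_ports the high ports it touched."""
    src_ip: str
    src_port: int      # 0 when the notification is an aggregate of several events
    dst_ip: str
    dst_ports: Set[int] = field(default_factory=set)


def aggregate(alarms: List[Alarm]) -> Alarm:
    """Roll several single-event alarms into one notification.

    Mirrors the behaviour described in the reply: the per-event source port
    survives only if every component alarm used the same one; otherwise the
    aggregate reports source port 0 because the detail has been lost.
    """
    src_ips = {a.src_ip for a in alarms}
    dst_ips = {a.dst_ip for a in alarms}
    if len(src_ips) != 1 or len(dst_ips) != 1:
        raise ValueError("only alarms for a single src/dst pair can be aggregated")
    src_ports = {a.src_port for a in alarms}
    merged_ports: Set[int] = set().union(*(a.dst_ports for a in alarms))
    return Alarm(
        src_ip=src_ips.pop(),
        src_port=src_ports.pop() if len(src_ports) == 1 else 0,
        dst_ip=dst_ips.pop(),
        dst_ports=merged_ports,
    )


def explained_by_sessions(alarm: Alarm, sessions: List[Session]) -> Set[int]:
    """Return the alarm's destination ports that are really the client-side
    ephemeral ports of sessions the 'victim' itself opened to the 'scanner'."""
    reverse_ports = {
        s.client_port
        for s in sessions
        if s.client_ip == alarm.dst_ip and s.server_ip == alarm.src_ip
    }
    return alarm.dst_ports & reverse_ports


def is_benign(alarm: Alarm, sessions: List[Session]) -> bool:
    """True when every swept port is accounted for by a client-initiated session."""
    if not alarm.dst_ports:
        return False
    return explained_by_sessions(alarm, sessions) == alarm.dst_ports


# --- constructed sample data -------------------------------------------------
# A workstation (10.0.0.5) opened four connections to a web server (192.0.2.10),
# two to port 80 and two to port 443, from ephemeral ports 49152-49155.
SESSIONS = [
    Session("10.0.0.5", 49152, "192.0.2.10", 80),
    Session("10.0.0.5", 49153, "192.0.2.10", 80),
    Session("10.0.0.5", 49154, "192.0.2.10", 443),
    Session("10.0.0.5", 49155, "192.0.2.10", 443),
]

# The sensor saw the server's replies as four single-port events, then
# aggregated them: the mixed 80/443 source ports collapse to 0.
EVENT_ALARMS = [
    Alarm("192.0.2.10", 80, "10.0.0.5", {49152}),
    Alarm("192.0.2.10", 80, "10.0.0.5", {49153}),
    Alarm("192.0.2.10", 443, "10.0.0.5", {49154}),
    Alarm("192.0.2.10", 443, "10.0.0.5", {49155}),
]

# A host the workstation never talked to touching the same port range.
UNEXPLAINED_ALARM = Alarm("198.51.100.7", 0, "10.0.0.5", {49152, 49153, 49154})


if __name__ == "__main__":
    agg = aggregate(EVENT_ALARMS)
    print("aggregated alarm:", agg)
    print("benign (return traffic)?", is_benign(agg, SESSIONS))
    print("benign (unexplained host)?", is_benign(UNEXPLAINED_ALARM, SESSIONS))
```

The useful check is not the source port on the aggregated notification, which the reply explains is gone, but whether each high port in the alarm matches the ephemeral port of a session the "victim" opened toward the alarmed source. When every port is explained, the alarm is return traffic; when none is, the same alarm deserves a look.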
