Symantec Network Security 7100 Series and Symantec Network Security 4.0 show scan and sweep alerts when you have no reason to expect them. The alerts may include the following:
Too Many Out of Order TCP Segments
TCP ACK Portsweep
TCP ACK Portscan
TCP Unusual-flags Portsweep
You may also see other TCP Portscan or TCP Portsweep alerts.
This problem happens when the network has traffic anomalies that are related to TCP sessions. Symantec Network Security reports these anomalies as scan and sweep alerts.
To fix this problem, read each of the following sections for possible causes:
Look for incomplete or duplicated IP addresses and ports
This problem can happen when more than one device on the network uses the same IP address or port, or when an address or port that the alerts refer to is incomplete. To check this possibility, examine the ports and IP addresses that are referred to in the alerts and determine which of them are incomplete or are duplicated on the network.
Examine network traffic for packet anomalies
This problem can happen when the captured packets themselves contain anomalies.
To check this possibility, first use the Symantec Network Security snsdump tool to capture packets from network interfaces and record them in a snoop file. You can also use snsdump to capture packets from an interface pool. Then use a network protocol analyzer such as Tethereal (the command-line version of Ethereal, since renamed tshark) to read the snoop file and look for duplicated, missing, and out-of-order TCP segments.
Symantec Network Security can show scan and sweep alerts when the traffic that it monitors is missing packets from a TCP session or has duplicate packets. These problems can be caused by various types of misconfigurations of the network.
For instance, when Symantec Network Security 4.0 is connected to a span port on a switch, a misconfiguration may cause problems that include the following:
Duplicate packets: If the span session mirrors both Rx and Tx of other switch ports, then any traffic that goes from one mirrored switch port to another mirrored switch port appears twice on the span port (once as it enters the first port and once as it leaves the second). The span port receives duplicate packets, which causes Symantec Network Security 4.0 to show a scan or sweep alert. Mirroring only one direction (Rx or Tx) of each source port, or mirroring a single uplink port, avoids this.
Missing packets: If the span port on the switch is overloaded, it may drop packets. A span port cannot carry more traffic than its own link speed, so mirroring several busy ports onto one span port results in incomplete TCP sessions, which causes Symantec Network Security 4.0 to show a scan or sweep alert. Compare the combined traffic of the mirrored ports with the bandwidth of the span port, and check the switch's drop counters for the span port.
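The following is an added example, not part of this article or of the Symantec tools it describes. It shows what to look for once Tethereal has reduced the snoop file to per-segment records: bit-identical copies (the Rx/Tx span mirroring case), byte ranges that never arrive (the overloaded span port case), and segments that arrive after later data (the out-of-order case). The record layout, the analyze function, and the sample segments are all assumptions constructed for the example; in practice you would fill the list from the analyzer's output for one TCP connection.

```python
from collections import defaultdict

# Constructed sample records (not a real capture), one per TCP segment:
# (src, sport, dst, dport, ip_id, seq, payload_len)
SAMPLE_SEGMENTS = [
    ("10.0.0.5", 40000, "10.0.0.9", 80, 100, 1000, 100),
    ("10.0.0.5", 40000, "10.0.0.9", 80, 100, 1000, 100),  # bit-identical copy: span of Rx and Tx
    ("10.0.0.5", 40000, "10.0.0.9", 80, 101, 1100, 100),
    ("10.0.0.5", 40000, "10.0.0.9", 80, 103, 1300, 100),  # ip_id 102 (seq 1200) never mirrored
    ("10.0.0.5", 40000, "10.0.0.9", 80, 105, 1500, 100),
    ("10.0.0.5", 40000, "10.0.0.9", 80, 104, 1400, 100),  # arrives after seq 1500: out of order
]


def analyze(segments):
    """Classify capture anomalies in a list of segment records (hypothetical helper).

    Returns a dict with three lists:
      duplicates   - records identical to an earlier one (same IP ID, seq and length).
                     That is a mirroring artifact, not a TCP retransmission, which
                     normally carries a fresh IP ID.
      out_of_order - records whose seq is below the highest byte already seen for
                     that flow in arrival order (exact duplicates excluded).
      gaps         - (flow, first_missing_seq, next_seen_seq): byte ranges that
                     never appeared in the capture at all.
    """
    seen = set()
    result = {"duplicates": [], "out_of_order": [], "gaps": []}
    highest_end = {}             # flow -> highest seq+len observed so far, in arrival order
    by_flow = defaultdict(list)

    for seg in segments:
        if seg in seen:
            result["duplicates"].append(seg)
            continue
        seen.add(seg)
        flow = seg[:4]
        seq, length = seg[5], seg[6]
        if flow in highest_end and seq < highest_end[flow]:
            result["out_of_order"].append(seg)
        highest_end[flow] = max(highest_end.get(flow, 0), seq + length)
        by_flow[flow].append(seg)

    # Gap detection works in sequence order, so a late segment that did arrive
    # (out of order) is not reported as missing; only bytes never seen are.
    for flow, segs in by_flow.items():
        segs.sort(key=lambda s: s[5])
        expected = None
        for s in segs:
            seq, length = s[5], s[6]
            if expected is not None and seq > expected:
                result["gaps"].append((flow, expected, seq))
            expected = seq + length if expected is None else max(expected, seq + length)
    return result


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_SEGMENTS).items():
        print(kind, items)
```

If the duplicates list is non-empty and every entry has the same IP ID as its twin, the span session is mirroring both directions of ports that talk to each other. Gaps with no matching late arrival point at drops on the span port or on the sensor interface. Genuine retransmissions show up as out-of-order records with a new IP ID rather than as duplicates, so they should not be blamed on the switch.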