03-30-2007 02:51 AM - edited 03-10-2019 03:32 AM
Hi everyone,
I have configured a lab environment with an ASA5520 and an ASA-SSM-10 (IPS).
The ASA5520 works as an ADSL router; only PAT is configured for address translation on
the outside interface of the ASA5520, and the ASA5520 works as a DHCP server on the inside interface
to distribute addresses to inside users.
- PAT configuration on ASA5520
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.0.0
- DHCP configuration on ASA5520
dhcpd address 172.16.1.1-172.16.1.240 inside
By default, signature 3030 TCP SYN Host Sweep is enabled on ASA-SSM-10 (IPS).
And the ASA-SSM-10 (IPS) sometimes detects a TCP SYN Host Sweep in my lab.
The TCP SYN Host Sweep shows that the attackers are inside users and targets are outside
(internet) servers.
The following is the detail of the TCP SYN Host Sweep alert.
----------
evIdsAlert: eventId=1131140605648593458 vendor=Cisco severity=informational alarmTraits=2147483648
originator:
hostId: ASA-IPS
appName: sensorApp
appInstanceId: 341
time: 2007/03/30 7:49:38 UTC offset=540 timeZone=GMT+09:00
signature: description=TCP SYN Host Sweep id=3030 version=S2
subsigId: 0
interfaceGroup:
vlan: 0
participants:
attacker:
addr: 172.16.1.28 locality=OUT
port: 1133
target:
addr: xxx.xxx.xxx.xxx locality=OUT
target:
addr: xxx.xxx.xxx.xxx locality=OUT
target:
addr: xxx.xxx.xxx.xxx locality=OUT
target:
addr: xxx.xxx.xxx.xxx locality=OUT
target:
addr: xxx.xxx.xxx.xxx locality=OUT
target:
addr: xxx.xxx.xxx.xxx locality=OUT
target:
addr: xxx.xxx.xxx.xxx locality=OUT
target:
addr: xxx.xxx.xxx.xxx locality=OUT
actions:
ipLoggingActivated: true
logAttackerPacketsActivated: true
logPairPacketsActivated: true
snmpTrapRequested: true
ipLogIds:
ipLogId: 1701737076
ipLogId: 1701737077
riskRatingValue: 21
interface: ge0_1
protocol: tcp
----------
I understand the TCP SYN Host Sweep occurs when the packets the ASA-SSM-10 receives
meet the following conditions at the same time:
One source IP address
Two or more destination IP addresses
Same destination port
And I also understand that the ASA5520 sends/diverts packets to the ASA-SSM-10 (IPS)
after PAT and just before the packet exits the egress interface.
I configured the ASA5520 to send/divert packets to the AIP SSM as follows:
access-list MatchAllTraffic extended permit ip any any
class-map AllTrafficSendToAIPSSM
match access-list MatchAllTraffic
policy-map SendToAIPSSM
class AllTrafficSendToAIPSSM
ips inline fail-open
service-policy SendToAIPSSM global
I apply the policy map to traffic on all the interfaces by using the global keyword.
I think my ASA-SSM-10 (IPS) detects the TCP SYN Host Sweep as a false positive and it is not
a problem, because I think my ASA-SSM-10 (IPS) receives the following packets in my lab:
Source IP address:
Always the ASA5520's outside interface address, because of PAT
Destination IP addresses:
Multiple
Destination port:
HTTP (80)
Is my understanding correct?
If so, should I disable the TCP SYN Host Sweep signature in my case?
Please let me know any comments about this.
Your information would be appreciated.
Best regards,
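The sweep condition described in the post (one source, several distinct destinations, same destination port, within a short time) is easy to reproduce on flow records. The following is an added example, not part of the original thread and not Cisco's signature engine: it runs a simple sliding-window host-sweep detector over a constructed set of outbound HTTP flows, first with the real inside addresses and then after rewriting every source to a single outside address the way PAT does. The threshold of 5 distinct destinations and the 10-second window are assumptions chosen for the example, not the real parameters of signature 3030, and the addresses are made up.

```python
"""Host-sweep detection over constructed flow records, before and after PAT.

Added example for the thread above; it is not Cisco IPS code. The unique-
destination threshold and the time window are assumed values, not the
parameters of signature 3030.
"""
from collections import defaultdict, deque

# Constructed sample flows (not from the original post): (time_s, src, dst, dport).
SAMPLE_FLOWS = [
    # 172.16.1.28 loads one page whose content is pulled from six different web servers.
    (0.0, "172.16.1.28", "203.0.113.10", 80),
    (0.3, "172.16.1.28", "203.0.113.11", 80),
    (0.6, "172.16.1.28", "203.0.113.12", 80),
    (0.9, "172.16.1.28", "203.0.113.13", 80),
    (1.2, "172.16.1.28", "203.0.113.14", 80),
    (1.5, "172.16.1.28", "203.0.113.15", 80),
    # Two other inside users, three distinct servers each.
    (0.2, "172.16.1.40", "203.0.113.20", 80),
    (0.7, "172.16.1.40", "203.0.113.21", 80),
    (1.1, "172.16.1.40", "203.0.113.22", 80),
    (0.4, "172.16.1.57", "203.0.113.30", 80),
    (0.8, "172.16.1.57", "203.0.113.31", 80),
    (1.3, "172.16.1.57", "203.0.113.32", 80),
    # A repeat connection to an already-seen server adds no new destination.
    (2.0, "172.16.1.40", "203.0.113.20", 80),
    # Same host on a different port is tracked separately and does not
    # count toward the port-80 sweep.
    (2.5, "172.16.1.57", "203.0.113.40", 443),
]

OUTSIDE_IP = "198.51.100.1"   # assumed ASA outside-interface address


def detect_syn_host_sweeps(flows, unique=5, window_s=10.0):
    """Flag (src, dport) pairs where one source reaches at least `unique`
    distinct destinations on the same dport within a sliding window of
    `window_s` seconds. Returns {(src, dport): frozenset(destinations)}.
    """
    recent = defaultdict(deque)   # (src, dport) -> deque of (time, dst)
    flagged = {}
    for t, src, dst, dport in sorted(flows):
        key = (src, dport)
        q = recent[key]
        # Drop entries that fell out of the window.
        while q and t - q[0][0] > window_s:
            q.popleft()
        q.append((t, dst))
        dsts = {d for _, d in q}
        if len(dsts) >= unique:
            # Accumulate every destination seen while the pair was flagged,
            # which is what the alert's list of targets reflects.
            flagged[key] = flagged.get(key, frozenset()) | frozenset(dsts)
    return flagged


def apply_pat(flows, outside_ip=OUTSIDE_IP):
    """Rewrite every inside source to the single outside-interface address,
    which is what an observer placed after PAT would see."""
    return [(t, outside_ip, dst, dport) for t, _, dst, dport in flows]


def sweep_summary(flows=SAMPLE_FLOWS, unique=5, window_s=10.0):
    """Run the detector on the same sample before and after PAT."""
    before = detect_syn_host_sweeps(flows, unique, window_s)
    after = detect_syn_host_sweeps(apply_pat(flows), unique, window_s)
    return before, after


if __name__ == "__main__":
    before, after = sweep_summary()
    print("pre-PAT sources flagged :", {k: len(v) for k, v in before.items()})
    print("post-PAT sources flagged:", {k: len(v) for k, v in after.items()})
```

Run as-is, the detector flags only 172.16.1.28 before translation (six distinct servers on port 80, the "many web sessions / pop-ups" case the reply describes), while after PAT the three users' twelve servers all appear under the one outside address, so the aggregated source crosses the threshold even though two of the three real users never would on their own. The 443 flow stays unflagged in both runs because destination port is part of the tracking key.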
04-05-2007 10:20 AM
This will be a normal signature to see triggered if you are watching outbound traffic from your internal network. As long as the source of the traffic is your internal hosts, and the destination is external hosts, this is likely just normal behavior.
This signature triggers when a single host sends TCP SYN packets to a number of different hosts, perhaps because of multiple web sessions going, or pop-up windows while web surfing.
Check this bug-id:CSCsh94361
04-05-2007 06:33 PM
Hi,
Thank you very much for your reply.
I understand it.
Best regards,