We recently added a bunch of IPS to our internal networks (we originally only had them on the perimeter). Since we implemented these IPS (running 5.x), we have seen a massive increase in the number of TCP SYN Host Sweeps.
I looked a little further into the traffic, and it appears a lot of it is traffic to port 80 on external addresses (I'm guessing it's websites with ads, etc. that are causing most of these ones).
However, there are a great deal of connections going to seemingly arbitrary ports to many different network ranges. The part that worries me the most is that a lot of the SYN sweeps go to internal AND external addresses.
I have been unable to determine the exact cause of the SYN sweeps but it appears that a majority of our clients are doing it.
I am only an intern, so my knowledge (and access to such knowledge) is rather limited.
I was wondering if anyone had any similar experiences? If so, is there a good way to weed out the false positives from the potentially important alerts?
We use Intellitactics NSM as our SEM and it works very well for our environment (because it is very programmable and we love to tinker).
I can't remember the exact changes we've made but this is what we have:
#sh conf | begin 3030
signatures 3030 0
The part of this signature that works for us is our platform (NSM) will create an alert when we see 100 of these signatures within a specific time period. That lets us know that some type of scanning is ongoing (note that busy HTTP, DNS, & FTP servers will trigger this sig on return traffic, so filtering & profiling is important).
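As an added illustration of the threshold-and-filter approach described in the reply (this is not the poster's NSM rule or Cisco IPS output, and I have no access to either), here is a small Python correlator that reads sweep-signature events, drops the server return-traffic case the reply warns about (well-known source port answering an ephemeral port), counts the remaining events per source inside a sliding window, and raises an alert when the count reaches the threshold. Everything here is assumed for the example: the log line format, that RFC 1918 space is "internal", the set of server ports, and the constructed sample events. The reply's threshold of 100 is the default; the demo uses 10 so the constructed sample is small.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed: RFC 1918 space is what this network considers "internal".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed: service ports whose replies from busy servers trip the sweep sig.
SERVER_PORTS = {21, 53, 80, 443}
SWEEP_SIG = "3030"  # signature id quoted in the reply


def build_sample_log():
    """Constructed sample events (not real IPS output). Assumed line format:
    '<ISO timestamp> sig=<id> src=<ip>:<port> dst=<ip>:<port>'."""
    t0 = datetime(2009, 3, 2, 10, 0, 0)
    lines = []
    # 1) a workstation probing 12 internal hosts on 445 in 12 seconds
    for i in range(12):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} sig=3030 src=10.1.1.5:{51000 + i} dst=10.1.2.{i + 1}:445")
    # 2) ordinary browsing: five connections to web/ad hosts on port 80
    for i in range(5):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} sig=3030 src=10.1.1.7:{52000 + i} dst=203.0.113.{i + 1}:80")
    # 3) a busy internal web server answering clients: source port 80, return traffic
    for i in range(15):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} sig=3030 src=10.1.1.20:80 dst=198.51.100.{i + 1}:{40000 + i}")
    # 4) the host from (1) again, 20 seconds later, reaching external hosts on odd ports
    for i in range(4):
        ts = (t0 + timedelta(seconds=20 + i)).isoformat()
        lines.append(f"{ts} sig=3030 src=10.1.1.5:{53000 + i} dst=192.0.2.{i + 1}:{8000 + i}")
    return lines


def parse_line(line):
    """Split one assumed-format event line into a dict."""
    ts_s, sig_s, src_s, dst_s = line.split()
    src_ip, src_port = src_s.split("=", 1)[1].rsplit(":", 1)
    dst_ip, dst_port = dst_s.split("=", 1)[1].rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts_s), "sig": sig_s.split("=", 1)[1],
            "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port)}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_return_traffic(ev):
    """The false positive the reply describes: a busy server's replies look like
    a sweep because the server's well-known port talks to many ephemeral ports."""
    return ev["sport"] in SERVER_PORTS and ev["dport"] >= 1024


def correlate(lines, threshold=100, window=timedelta(seconds=60)):
    """Alert on a source once it has `threshold` sweep events within `window`.
    Returns {src: {count, internal_targets, external_targets, first, last, severity}}."""
    events = sorted((parse_line(ln) for ln in lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # per-source events still inside the window
    alerts = {}
    for ev in events:
        if ev["sig"] != SWEEP_SIG or is_return_traffic(ev):
            continue
        q = recent[ev["src"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) >= threshold:
            internal = {e["dst"] for e in q if is_internal(e["dst"])}
            external = {e["dst"] for e in q if not is_internal(e["dst"])}
            # sweeps that touch internal hosts are the ones the question worries about
            alerts[ev["src"]] = {
                "count": len(q),
                "internal_targets": internal,
                "external_targets": external,
                "first": q[0]["ts"], "last": ev["ts"],
                "severity": "high" if internal else "medium",
            }
    return alerts


if __name__ == "__main__":
    for src, a in correlate(build_sample_log(), threshold=10).items():
        print(f"{src}: {a['count']} events {a['first']}..{a['last']} "
              f"internal={len(a['internal_targets'])} external={len(a['external_targets'])} "
              f"severity={a['severity']}")
```

With the constructed sample, only 10.1.1.5 alerts: the browsing client stays under the threshold and the web server's replies are dropped by the return-traffic filter before counting. The internal/external split is the profiling step the reply mentions; a real deployment would also whitelist known servers and vulnerability scanners by address rather than relying on port heuristics alone.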