TCP FIN Host Sweep

Unanswered Question

Hello Guys,

I need help here. We are getting numerous number of incident in one of our CS-MARS regarding Scans-Stealth system rule. This rule triggered by event type TCP FIN Host Sweep. The source ip's were internal our network and destined to external ip's of telco and other sites. One of the notable site is I'm just wondering what causing these alerts to trigger, P2P or streaming?

According to this signature

TCP FIN Host Sweep

Benign Trigger(s):

The host sweep signatures 3030 and 3032 detect behaviors that should not be observed from sources outside the local network but are normal behaviors for sources from within the local network.

Recommended filters:

Exclude internal networks as sources.

Based on the signature this alert is not malicious unless the source ip is external. So, is it ok to tune this out or leave it and then always monitor? Sometimes it's quite annoying though.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
andrgrif Tue, 06/24/2008 - 16:25


Without more information it's hard to say why the alerts are being triggered, but in general, network scanning or p2p could easily trigger (internal -> external) trigger those signatures.

Tuning those signatures would be an appropriate course of action in my opinion.

sporcello Wed, 06/25/2008 - 06:50

We are having the same issue, except with the TCP SYN Host Sweep (3030) alert. The signature explanation page suggests to filter out internal addresses as the source, but we have not for a reason: this is a good way to detect a worm within the network.

What we have done in the past is tune the threshold that triggers the signature. However with E2 engine update and signature updates, this signature has begun to fire excessively again. We will probably tune it again by increasing the threshold to a point where it will not give us an excessive amount of alerts.

Farrukh Haroon Wed, 06/25/2008 - 07:19

Yes this is one of the 'chatty' signatures. You can either follow the Cisco recommendation:

Recommended filters:

Exclude internal networks as sources.

Or filter the signature on the IPS to increase the thresholds as others have suggested. But to be honest there are more accurate/better ways to detect worms on IPS 6.x like 'Anomaly Detection' than these signatures (if that is the motivation to not filter internal IPs).



Thank guys for your help. But if we increase the threshold of this signature and filter this out we will not able to detect some P2P activity. We are monitoring schools network and we all know that most of the student use P2P for sharing files. Some of the P2P activity will not resembles a P2P alerts in MARS but most of them trigger this Scans-Stealth rule with event type TCP Fin Host Sweep.




This Discussion