TCP FIN Host Sweep

cholars
Level 1

Hello Guys,

I need help here. We are getting a large number of incidents in one of our CS-MARS regarding the Scans-Stealth system rule. This rule is triggered by the event type TCP FIN Host Sweep. The source IPs were internal to our network and destined to external IPs of telcos and other sites. One of the notable sites is yahoo.com. I'm just wondering what is causing these alerts to trigger, P2P or streaming?

According to this signature

TCP FIN Host Sweep

Benign Trigger(s):

The host sweep signatures 3030 and 3032 detect behaviors that should not be observed from sources outside the local network but are normal behaviors for sources from within the local network.

Recommended filters:

Exclude internal networks as sources.

Based on the signature, this alert is not malicious unless the source IP is external. So, is it OK to tune this out, or leave it and then always monitor? Sometimes it's quite annoying though.

6 Replies

andrgrif
Level 1

Hello,

Without more information it's hard to say why the alerts are being triggered, but in general, network scanning or P2P (internal -> external) could easily trigger those signatures.

Tuning those signatures would be an appropriate course of action in my opinion.

sporcello
Level 1

We are having the same issue, except with the TCP SYN Host Sweep (3030) alert. The signature explanation page suggests filtering out internal addresses as the source, but we have not, for a reason: this is a good way to detect a worm within the network.

What we have done in the past is tune the threshold that triggers the signature. However, with the E2 engine update and signature updates, this signature has begun to fire excessively again. We will probably tune it again by increasing the threshold to a point where it will not give us an excessive amount of alerts.
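
The two tuning options discussed in this thread (the "exclude internal networks as sources" filter from the signature page, and raising the host-count threshold) can be tried out against sample data with the following detector. It is an added example, not code from the thread or from Cisco's IPS; it assumes the sweep condition is "bare FIN probes to N distinct hosts within a time window", and the flow records and local address ranges are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records (not real telemetry): (seconds, src, dst, flags).
# "F" is a bare FIN with no ACK, treated here as the probe the sweep signature
# counts; "FA" is the FIN/ACK of a normal connection teardown and is ignored.
SAMPLE_FLOWS = (
    [(t, "10.1.2.3", f"203.0.113.{10 + t}", "F") for t in range(8)]        # 8 hosts in 8 s
    + [(t, "10.1.2.4", f"198.51.100.{20 + t}", "FA") for t in range(8)]    # normal teardowns
    + [(t * 5, "203.0.113.9", f"10.1.2.{30 + t}", "F") for t in range(6)]  # 6 hosts in 25 s
    + [(t, "10.1.2.5", f"203.0.113.{40 + t}", "F") for t in range(3)]      # below threshold
)

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed local ranges


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def fin_host_sweeps(flows, threshold=5, window=60, exclude_internal_sources=False):
    """Return {src: distinct_hosts} for every source that sent bare-FIN probes to
    at least `threshold` distinct destination hosts within `window` seconds.
    `exclude_internal_sources` applies the 'exclude internal networks as sources'
    filter; `threshold` is the knob the thread raises to cut alert volume."""
    probes = defaultdict(list)
    for ts, src, dst, flags in flows:
        if flags == "F" and not (exclude_internal_sources and is_internal(src)):
            probes[src].append((ts, dst))
    hits = {}
    for src, events in probes.items():
        events.sort()  # by timestamp, so events[i:] are all at or after t0
        best = 0
        for i, (t0, _) in enumerate(events):
            seen = {d for t, d in events[i:] if t - t0 <= window}
            best = max(best, len(seen))
        if best >= threshold:
            hits[src] = best
    return hits


if __name__ == "__main__":
    print(fin_host_sweeps(SAMPLE_FLOWS))                                 # internal + external source
    print(fin_host_sweeps(SAMPLE_FLOWS, exclude_internal_sources=True))  # only the external source
    print(fin_host_sweeps(SAMPLE_FLOWS, threshold=7))                    # only the busiest source
```

Note that the internal filter silences the P2P-like burst from 10.1.2.3 entirely, while a higher threshold keeps it and drops the slower external sweep, which is the trade-off the thread is weighing.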

Farrukh Haroon
VIP Alumni

Yes, this is one of the 'chatty' signatures. You can either follow the Cisco recommendation:

Recommended filters:

Exclude internal networks as sources.

Or filter the signature on the IPS to increase the thresholds, as others have suggested. But to be honest, there are more accurate/better ways to detect worms on IPS 6.x, like 'Anomaly Detection', than these signatures (if that is the motivation for not filtering internal IPs).

Regards

Farrukh

Thanks guys for your help. But if we increase the threshold of this signature and filter this out, we will not be able to detect some P2P activity. We are monitoring a school's network, and we all know that most of the students use P2P for sharing files. Some of the P2P activity will not resemble P2P alerts in MARS, but most of them trigger this Scans-Stealth rule with event type TCP FIN Host Sweep.

Mahalo,

Carlou

So how do you want to proceed with this?

Regards

Farrukh

We haven't decided yet. Most probably we will continue to monitor this event and not tune this out. Our client wants to see P2P activity and to know who's using P2P clients so they can uninstall them from their workstations.

Mahalo,

Carlou
