IPS Sig ID 3030 - TCP SYN Host Sweep

Unanswered Question
Jul 16th, 2010

My Events on my IPS sensor within my ASA5520 are primarily Sig ID 3030s.  I am relatively new to the IPS/IDS Sensor end and have always looked at Host Sweeps as sort of an attempt of attack.  These entries almost look like normal internet traffic from users going to google, etc....

Can someone please shed some light on how to understand the logs and good vs. bad, etc.?

Attached is a PDF of the last hour of traffic.

Thanks,
Greg

Scott Fringer Fri, 07/16/2010 - 11:02

Greg;

  The best place to start researching signatures for Cisco IPS sensors is our IntelliShield site:

http://www.cisco.com/security

  You can find out specifics on all of our signatures, to include potentially benign triggers, when available.  For the 3030 signature you referenced, you can find specifics here:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=3030&signatureSubId=0&softwareVersion=6.0&releaseVersion=S2

  There is not a sweeping answer on how to determine what is good or bad in your network; each network has different characteristics on which to make this determination.  Hence, investigating the sources and destinations of the signature event is the best start.  From there, you could capture traffic between the hosts to see what is actually occurring (making use of IP logging on the sensor for a specific signature is a great troubleshooting tool - just be careful not to leave it enabled full-time like a packet sniffer).  Reviewing these captures can let you know whether to consider the traffic good or bad.

Scott

Scott Fringer Mon, 11/22/2010 - 04:43

Kiran;

  Internal hosts can cause this signature to fire for normal web browsing activity; that is why internal hosts are listed as a potential benign trigger.  The event action filter is a recommendation to assist in lowering false positives from needing to be reviewed.

Scott

Farrukh Haroon Mon, 11/22/2010 - 04:59

Internal (LAN) networks should be excluded for this signature as recommended by Cisco.

The reason is that many traffic flows originated from the LAN cause this signature to be fired e.g.

> NMS system polling, pinging devices

> DNS Server sending/replying to DNS requests/queries

> Proxy server web traffic

> Email Server SMTP traffic etc.

If you don't set up an event-action filter for the TCP SYN Sweep and ICMP Sweep signatures, they are going to create too much noise and distract you from monitoring the actual/relevant alerts.


Please rate if helpful.

Regards

Farrukh
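To illustrate the event-action filter that Scott and Farrukh recommend, here is an added Python example (written for this page, not code from the thread or from Cisco's tooling) that applies the same rule to a constructed batch of sensor events: TCP SYN Host Sweep (3030) events whose attacker address is inside the LAN ranges are suppressed as benign triggers, while the rest stay in the review queue, grouped by source so the real sweeps stand out. The internal ranges, the sample events and the placeholder signature id 99999 are assumptions.

```python
import ipaddress
from collections import Counter

# Assumed internal (LAN) ranges; replace with the addresses actually used on your network.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Sweep signatures to filter when the attacker is internal. 3030 is from the thread;
# the ICMP sweep signature id would be added from the sensor's own signature list.
SWEEP_SIGNATURES = {3030}

# Constructed sample events (not real sensor output). 99999 is a placeholder id
# standing in for any non-sweep signature, not a real Cisco signature.
SAMPLE_EVENTS = [
    {"sig_id": 3030, "attacker": "10.1.20.15", "victim": "198.51.100.7"},    # user browsing
    {"sig_id": 3030, "attacker": "10.1.1.5", "victim": "198.51.100.53"},     # DNS server
    {"sig_id": 3030, "attacker": "192.168.5.9", "victim": "198.51.100.25"},  # mail relay
    {"sig_id": 3030, "attacker": "203.0.113.45", "victim": "192.168.5.40"},  # from the internet
    {"sig_id": 3030, "attacker": "203.0.113.45", "victim": "192.168.5.41"},  # from the internet
    {"sig_id": 99999, "attacker": "10.1.20.15", "victim": "198.51.100.7"},   # not a sweep signature
]

def is_internal(addr, networks=INTERNAL_NETWORKS):
    """True if addr falls inside one of the configured LAN ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)

def apply_event_action_filter(events, networks=INTERNAL_NETWORKS, sigs=SWEEP_SIGNATURES):
    """Split events into (kept, filtered). Sweep-signature events from an internal
    attacker are filtered as benign triggers; everything else is kept for review."""
    kept, filtered = [], []
    for ev in events:
        if ev["sig_id"] in sigs and is_internal(ev["attacker"], networks):
            filtered.append(ev)
        else:
            kept.append(ev)
    return kept, filtered

def attackers_by_event_count(events):
    """Count remaining events per attacker: the sources worth investigating first."""
    return Counter(ev["attacker"] for ev in events)

if __name__ == "__main__":
    kept, filtered = apply_event_action_filter(SAMPLE_EVENTS)
    print(f"{len(filtered)} filtered as benign, {len(kept)} left to review")
    for attacker, n in attackers_by_event_count(kept).most_common():
        print(f"  {attacker}: {n} event(s)")
```

The two events from 203.0.113.45 survive the filter, which is the pattern Scott's advice applies to: capture traffic between that source and its destinations before deciding whether it is good or bad.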
