07-16-2010 07:44 AM - edited 03-10-2019 05:03 AM
My events on my IPS sensor within my ASA5520 are primarily Sig ID 3030s. I am relatively new to the IPS/IDS sensor end and have always looked at Host Sweeps as sort of an attempted attack. These entries almost look like normal internet traffic from users going to Google, etc.
Can someone please shed some light on how to understand the logs and good vs. bad, etc.?
Attached is a PDF of the last hour of traffic.
Thanks,
Greg
07-16-2010 11:02 AM
Greg;
The best place to start researching signatures for Cisco IPS sensors is our IntelliShield site:
You can find out specifics on all of our signatures, including potentially benign triggers, when available. For the 3030 signature you referenced, you can find specifics here:
There is not a sweeping answer on how to determine what is good or bad in your network; each network has different characteristics on which to make this determination. Hence, investigating the sources and destinations of the signature event is the best start. From there, you could capture traffic between the hosts to see what is actually occurring (making use of IP logging on the sensor for a specific signature is a great troubleshooting tool - just be careful not to leave it enabled full-time like a packet sniffer). Reviewing these captures can let you know whether to consider the traffic good or bad.
Scott
11-22-2010 12:17 AM
Hi Scott,
The link below says "Exclude internal networks as sources". Please let me know why the internal sources have to be specifically excluded, as I can see "n" number of logs with this signature.
Thanks
Kiran
11-22-2010 04:43 AM
Kiran;
Internal hosts can cause this signature to fire for normal web browsing activity; that is why internal hosts are listed as a potential benign trigger. The event action filter is a recommendation to assist in lowering the number of false positives that need to be reviewed.
Scott
11-22-2010 04:59 AM
Internal (LAN) networks should be excluded for this signature as recommended by Cisco.
The reason is that many traffic flows originated from the LAN cause this signature to be fired e.g.
> NMS system polling, pinging devices
> DNS Server sending/replying to DNS requests/queries
> Proxy server web traffic
> Email Server SMTP traffic etc.
If you don't set up an event-action filter for the TCP SYN Sweep and ICMP Sweep signatures, they are going to create too much noise and distract you from monitoring the actual/relevant alerts.
Please rate if helpful.
Regards
Farrukh
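The two recommendations in this thread, Scott's "look at the sources and destinations of the 3030 events first" and Farrukh's "filter out sweep alerts whose source is an internal network", can be tried out on a handful of alerts before touching the sensor. The script below is an added example written for this page; it is not code from Cisco, from the sensor, or from anyone in the thread. The event records are constructed for the example (not taken from Greg's PDF), the RFC 1918 ranges stand in for "internal networks", and signature 1234 is a hypothetical non-sweep signature used only to show that the filter leaves other alerts alone.

```python
import ipaddress
from collections import defaultdict

# Constructed sample alerts for this example; they are NOT from the PDF in the
# original post. Each record carries the fields the discussion turns on:
# signature ID, attacker (source) address and victim (destination) address.
SAMPLE_EVENTS = [
    # An internal workstation opening connections to several web servers:
    # this fires 3030 but is ordinary browsing (the benign trigger Scott names).
    {"sig_id": 3030, "attacker": "192.168.1.20", "victim": "74.125.65.99"},
    {"sig_id": 3030, "attacker": "192.168.1.20", "victim": "74.125.65.104"},
    {"sig_id": 3030, "attacker": "192.168.1.20", "victim": "72.14.204.147"},
    {"sig_id": 3030, "attacker": "192.168.1.20", "victim": "208.67.222.222"},
    # An external address touching internal hosts one after another: worth a look.
    {"sig_id": 3030, "attacker": "203.0.113.7", "victim": "192.168.1.10"},
    {"sig_id": 3030, "attacker": "203.0.113.7", "victim": "192.168.1.11"},
    {"sig_id": 3030, "attacker": "203.0.113.7", "victim": "192.168.1.12"},
    {"sig_id": 3030, "attacker": "203.0.113.7", "victim": "192.168.1.13"},
    {"sig_id": 3030, "attacker": "203.0.113.7", "victim": "192.168.1.14"},
    # 1234 is a hypothetical non-sweep signature: the filter must not touch it
    # even though the attacker is internal.
    {"sig_id": 1234, "attacker": "192.168.1.30", "victim": "198.51.100.9"},
]

# Assumption: RFC 1918 space stands in for "internal networks". Replace with
# the LAN ranges actually behind the sensor.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Sweep signatures the exclusion applies to. 3030 (TCP SYN Host Sweep) is the
# one from the thread; the ICMP sweep signature IDs would be added here.
SWEEP_SIGS = {3030}


def is_internal(addr, nets=INTERNAL_NETS):
    """True when addr falls inside one of the configured internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def apply_filter(events, sweep_sigs=SWEEP_SIGS, nets=INTERNAL_NETS):
    """Mimic the event action filter: suppress a sweep alert whose attacker
    address is internal, keep everything else. Returns (kept, suppressed)."""
    kept, suppressed = [], []
    for ev in events:
        if ev["sig_id"] in sweep_sigs and is_internal(ev["attacker"], nets):
            suppressed.append(ev)
        else:
            kept.append(ev)
    return kept, suppressed


def fan_out(events):
    """Per attacker, count distinct victims. A host sweep is one source
    touching many destinations, so this is the first number to look at when
    deciding whether a source is a scanner or just a busy client."""
    victims = defaultdict(set)
    for ev in events:
        victims[ev["attacker"]].add(ev["victim"])
    return {src: len(v) for src, v in victims.items()}


if __name__ == "__main__":
    kept, suppressed = apply_filter(SAMPLE_EVENTS)
    print(f"{len(suppressed)} alert(s) suppressed by the internal-source filter")
    print("Remaining alerts, distinct victims per source:")
    for src, n in sorted(fan_out(kept).items(), key=lambda kv: -kv[1]):
        tag = "internal" if is_internal(src) else "external"
        print(f"  {src:15} ({tag}) -> {n} host(s)")
```

Run on the constructed alerts, the four browsing events from 192.168.1.20 are suppressed, the five from 203.0.113.7 remain with a fan-out of five internal hosts, and the unrelated signature from 192.168.1.30 is untouched. That remaining external source is exactly the kind of event Scott suggests confirming with a short, targeted IP log on the sensor rather than leaving capture on permanently.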