Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3541
Views
0
Helpful
4
Replies

IPS Sig ID 3030 - TCP SYN Host Sweep

Gregory Engle
Level 1
Level 1

‎07-16-2010 07:44 AM - edited ‎03-10-2019 05:03 AM

My Events on my IPS sensor within my ASA5520 are primarily Sig ID 3030's.  I am relatively new to the IPS/IDS Sensor end have always looked at Host Sweeps as sort of an attempt of attack.  These entries almost look like normal internet traffic from users going to google, etc....

Can someone please shed some light on how to understand the logs and good vs. bad, etc.?

Attached is a PDF of the last hour of traffic.

Thanks,
Greg

Labels:
Preview file
12 KB
0 Helpful
4 Replies 4

Scott Fringer
Cisco Employee
Cisco Employee

‎07-16-2010 11:02 AM

Greg;

  The best place to start researching signatures for Cisco IPS sensors is our IntelliShield site:

http://www.cisco.com/security

  You can find out specifics on all of our signatures, to include potentially beingn triggers, when availble.  For the 3030 signature you referenced, you can find specifics here:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=3030&signatureSubId=0&softwareVersion=6.0&releaseVersion=S2

  There is not a sweeping answer on how to determine what is good or bad in your network; each network has different characteristics on which to make this determination.  Hence, investigating the sources and destinations of the signature event is the best start.  From there, you could capture traffic between the hosts to see what is actually occurring (making use of IP logging on the sensor for a specific signature is a great troubleshooting tool - just be careful not to leave it enabled full-time like a packet sniffer).  Reviewing these captures can let you know whether to consider the traffic good or bad.

Scott

0 Helpful

kiran.raj1
Level 1
Level 1
In response to Scott Fringer

‎11-22-2010 12:17 AM

Hi Scott,

  The link below says  "Exclude internal networks as sources".Please let me know why the internal sources have to be specifically excluded as i can see "n" number of logs with this signature.

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=3030&signatureSubId=0&softwareVersion=6.0&releaseVersion=S2

Thanks

Kiran

0 Helpful

Scott Fringer
Cisco Employee
Cisco Employee
In response to kiran.raj1

‎11-22-2010 04:43 AM

Kiran;

  Internal hosts can cause this signature to fire for normal web browsing activity; that is why internal hosts are listed as a potential benign trigger.  he event action filter is a recommendationto assist in lowering false positives from needing to be reviewed.

Scott

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to Scott Fringer

‎11-22-2010 04:59 AM

Internal (LAN) networks should be excluded for this signature as recommended by Cisco.

The reason is that many traffic flows originated from the LAN cause this signature to be fired e.g.

> NMS system polling, pinging devices

> DNS Server sending/replying to DNS requests/queries

> Proxy server web traffic

> Email Server SMTP traffic etc.

If you don't setup an event-action filter for teh TCP SYN Sweep and ICMP Sweep signatures, they are going to create too much noise and distract you from monitoring the actual/relevant alerts.


Please rate if helpful.

Regards

Farrukh

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card