Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

AD - External TCP Scanner Signature

I am getting several of these from different workstations on my network. I need to find out if this is really a worm outbreak behavior or indeed a false positive.  I changed the attacker IP for this post but they are coming from internal IP's on my network.

Attacker Address

Attacker Port

Target Address

Target Port

10.0.0.1

0.0.0.0

443

10.0.0.1

0.0.0.0

443

10.0.0.1

0.0.0.0

443

10.0.0.1

0.0.0.0

443

10.0.0.1

0.0.0.0

443

10.0.0.1

0.0.0.0

443

10.0.0.2

0.0.0.0

443

10.0.0.2

0.0.0.0

443

10.0.0.2

0.0.0.0

443

10.0.0.2

0.0.0.0

443

10.0.0.3

0.0.0.0

80

10.0.0.3

0.0.0.0

80

10.0.0.4

0.0.0.0

443

10.0.0.4

0.0.0.0

443

10.0.0.4

0.0.0.0

443

10.0.0.4

0.0.0.0

443

10.0.0.4

0.0.0.0

443

10.0.0.4

0.0.0.0

443

10.0.0.4

0.0.0.0

443

10.0.0.4

0.0.0.0

443

10.0.0.5

0.0.0.0

80

10.0.0.5

0.0.0.0

80

10.0.0.5

0.0.0.0

80

10.0.0.5

0.0.0.0

80

10.0.0.6

0.0.0.0

80

10.0.0.6

0.0.0.0

80

10.0.0.7

0.0.0.0

443

10.0.0.7

0.0.0.0

443

10.0.0.7

0.0.0.0

443

10.0.0.7

0.0.0.0

443

10.0.0.8

0.0.0.0

443

10.0.0.8

0.0.0.0

443

10.0.0.8

0.0.0.0

443

10.0.0.8

0.0.0.0

443

Is this really a behavior of a worm outbreak? Or could it be that the "attackers" are establishing web/ssl connection to targets which is unknown or not tagged as internal zone hence by default, the zone of the target is external. As a result, this signature was fired.

Seek advise/views from the domain experts here. TIA.

Everyone's tags (6)
6 REPLIES
Cisco Employee

Re: AD - External TCP Scanner Signature

Joseison;

   These signatures key on hosts that are sending TCP SYN requests to multiple destinations in a single zone and not receiving the expected SYN-ACK in return within a specified time.  The number of scanned destinations in turn crosses the configured/learned scanner threshold.  Therefore it is key that the sensor see both directions of traffic, or there is a risk of false positive detection.

  It is not likely these sources are creating legitimate connections, as the AD engine looks for the lack of the SYN-ACK as an indicator of scanning.  This could be caused by hosts that are performing network management/vulnerability assessment duties.  Again, the one concern is if the sensor is not seeing the return traffic for legitimate connections, and in turn the missing connection response is collected and the sensor considers this a potential worm activity.  Ultimately, you will need to investigate the sources of the alerts (if within your control) to see if they are performing full connections to the destinations (perhaps through the use of Wireshark on the reported hosts).

  You can find out more about the functionality of the anomaly detection engine here:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_anomaly_detection.html

Scott

New Member

Re: AD - External TCP Scanner Signature

Scott,

  I am also observing the same Signatures getting fired through my IPS to Dest ports 443 & 5222. I cross checked the source machines and they dont use any scanner applications. Need to know why the destination address are showing as 0.0.0.0 & and the interface name as sy0_0 which is not assigned to any of the interface.

Also can this be an worm activity from my internal zone?

Kiran

Cisco Employee

Re: AD - External TCP Scanner Signature

Kiran;

  Yes, there is potential that these signature events indicate worm activity.  The destination addresses are 0.0.0.0 as the sensor is only tracking the SYN activity from the hosts; it is not necessary to track the destination addresses.  The hosts in question do not need to be restricted to using a scanning application to trigger this signature; it is simply a potential source for false positives.  It is also the "scanning" software is a worm looking for potential hosts to infect.

It is also possible if the IPS is only seeing one direction of traffic (asymmetric traffic flows) and does not see the return SYN-ACK that these signatures will fire.  In such an environment it is usually necessary to disable the anomaly detection engine or work to correct the asymmetric traffic flow.

Scott

New Member

Re: AD - External TCP Scanner Signature

Scott,

  Thanks a ton for updating me. Can you also let me know why this signature information shows an interface name as something which is not configured in my network.  This is confusing me a lot as other signatures carry the exact interface name that is assigned in the network

Kiran

Cisco Employee

Re: AD - External TCP Scanner Signature

Kiran;

  The information is tracked across all interfaces, and therefore is not limited to a single interface.  The system simply summarizes to a system interface based on the signature firing logic- the detection is specific to the source IP address only.

Scott

New Member

Re: AD - External TCP Scanner Signature

Scott,

  Thanks a lot. Thanks for putting me right.

Kiran

2876
Views
0
Helpful
6
Replies
CreatePlease login to create content