Cisco IPS - Condition for TCP null packet

What are the conditions for this event to trigger? Does it trigger even if there is one packet without any of the flags SYN, ACK, FIN, RST, or only if there are 10 in 50 packets without the flags set?

2 REPLIES

Benign trigger states 

This alarm may fire if large amounts of random network traffic are transmitted across the network, such as during a denial of service attack. To reduce the number of unverifiable alarms being generated, this signature will begin throttling the creation of new alarms if more than one event of this type is detected per second. The first alarm will be sent, but all subsequent alarms will be summarized and periodically reported. The summarization alarm will report NULL IP addresses / port numbers and will contain this message in the data field, "Global Summary: XX alarms this interval", where XX is the number of alarms received and summarized.


Hello Shadowknight14,

I presume you are talking about Cisco IPS signature 3040-0?
Essentially, that signature is defined as

atomic-ip/fragment-status : no-fragments
atomic-ip/l4-protocol/tcp/dst-port : 1-1024
atomic-ip/l4-protocol/tcp/tcp-flags:
atomic-ip/l4-protocol/tcp/tcp-mask : urg|ack|psh|rst|syn|fin
alert-frequency/summary-mode/fire-once/global-summary-threshold : 200
alert-frequency/summary-mode/fire-once/summary-interval : 30

If you look at the Atomic-IP section of http://www.cisco.com/web/about/security/intelligence/ips_custom_sigs.html#6
you'll see the description of tcp-flags and tcp-mask parameters.

The flags in the packet are compared for equality to the tcp-flags & tcp-mask
so the above is
    tcp-flags 000000
and tcp-mask  111111
    ----------------
              000000

so if your packet does not have 000000 for its flags, it won't trigger the signature.

In English, sig 3040-0 is going to fire on any TCP packets destined to the privileged ports 1-1024 but lacking all 6 TCP flags.

The summary settings mean that it will fire up to 1 time per 30 seconds per attacker (until it hits the global summary threshold of 200 events, at which time you switch to global-summary mode which summarizes all attackers once per interval).
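The matching and summary behaviour described in this reply, as an added Python example (not Cisco's code and not part of the original thread): the flag test is the masked equality shown above, and the fire-once / global-summary logic is a simplified model that assumes fixed 30-second intervals.

```python
from dataclasses import dataclass, field
from typing import Optional

# TCP flag bits as laid out in the header's flags byte (FIN is the low bit).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Signature 3040-0 parameters, taken from the reply above.
TCP_FLAGS = 0x00                              # tcp-flags: nothing set
TCP_MASK = URG | ACK | PSH | RST | SYN | FIN  # tcp-mask: all six flags compared
DST_PORTS = range(1, 1025)                    # dst-port: 1-1024
GLOBAL_SUMMARY_THRESHOLD = 200                # events per interval
SUMMARY_INTERVAL = 30                         # seconds


def matches_3040(flags: int, dst_port: int, fragmented: bool) -> bool:
    """Atomic-IP match: (packet flags & tcp-mask) must equal tcp-flags exactly."""
    if fragmented or dst_port not in DST_PORTS:
        return False
    return (flags & TCP_MASK) == TCP_FLAGS


@dataclass
class Sig3040Alerts:
    """Simplified model (an assumption, not Cisco's code) of fire-once summary mode."""
    interval_start: float = 0.0
    interval_count: int = 0                  # matching packets seen this interval
    fired: set = field(default_factory=set)  # attackers already alerted this interval

    def observe(self, src_ip, flags, dst_port, fragmented, now) -> Optional[str]:
        """Return the alert this packet raises, or None if it is summarised."""
        if not matches_3040(flags, dst_port, fragmented):
            return None
        if now - self.interval_start >= SUMMARY_INTERVAL:   # start a new interval
            self.interval_start, self.interval_count, self.fired = now, 0, set()
        self.interval_count += 1
        # Past the threshold the sensor stops itemising attackers (global summary).
        if self.interval_count > GLOBAL_SUMMARY_THRESHOLD or src_ip in self.fired:
            return None
        self.fired.add(src_ip)                               # fire-once per attacker
        return f"3040-0 TCP NULL packet {src_ip} -> port {dst_port}"

    def interval_summary(self) -> Optional[str]:
        """Periodic line the reply describes once global-summary mode kicks in."""
        if self.interval_count <= GLOBAL_SUMMARY_THRESHOLD:
            return None
        return f"Global Summary: {self.interval_count} alarms this interval"
```

Note that a flag outside the mask (for example the ECE bit, 0x40) is ignored by the comparison, so a packet carrying only that bit still matches.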
