Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Half-open SYN Attack 3050.0

Is there a trick to getting the signature 3050 ?half open syn flood? to produce an alert?

The Cisco Intrusion Prevention System is on version 5.1(1p1) S229.0.

We have tuned the signature to alert at 2048 half open connections.

syn-flood-max-embrionic: 2048 default: 5000

A ?show statistics virtual-sensor? shows that

TCP streams currently in the embryonic state = 2871?

but still no alert appears on the console.

The signature use the normalizer engine and the event-action is set to ?produce-alert?

Any help regarding this would be appreciated.

2 REPLIES
Cisco Employee

Re: Half-open SYN Attack 3050.0

What type of sensor are using?

On the ASA-SSM-10 and ASA-SSM-20, the normalizer signatures will not be triggered (including the Syn Flood signature).

The ASA-SSMs relie on the TCP Normalization features of the ASA itself to monitor for TCP anomalies including SYN Floods.

For other sensors realize that the SYN Flood signature is tracked on a per server and per port basis. So with a 2048 setting there must be 2048 embryonic connections to a specific port on a specific server IP.

The 2871 number you are seeing in the statistic is for ALL embryonic connections to ALL ports on ALL server IPs. If this is a deployed sensor it is unlikely that all 2871 embryonic connections from the statistics are to the same server IP/port.

New Member

Re: Half-open SYN Attack 3050.0

Hi Marco

thanks for your reply. The problem occurs on a 4250-SX model sensor. I have also noticed that when I set the flood signatures to a rate of 0 in order to get the threshold correct, no alerts are produced and consequently no events are received at the CiscoWorks console

362
Views
0
Helpful
2
Replies
CreatePlease to create content