Cisco Support Community
New Member

IPS Sig ID 3030 - TCP SYN Host Sweep

My Events on my IPS sensor within my ASA5520 are primarily Sig ID 3030's.  I am relatively new to the IPS/IDS Sensor end have always looked at Host Sweeps as sort of an attempt of attack.  These entries almost look like normal internet traffic from users going to google, etc....

Can someone please shed some light on how to understand the logs and good vs. bad, etc.?

Attached is a PDF of the last hour of traffic.

Thanks,
Greg

4 REPLIES
Cisco Employee

Re: IPS Sig ID 3030 - TCP SYN Host Sweep

Greg;

  The best place to start researching signatures for Cisco IPS sensors is our IntelliShield site:

http://www.cisco.com/security

  You can find out specifics on all of our signatures, to include potentially benign triggers, when available.  For the 3030 signature you referenced, you can find specifics here:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=3030&signatureSubId=0&softwareVersion=6.0&releaseVersion=S2

  There is not a sweeping answer on how to determine what is good or bad in your network; each network has different characteristics on which to make this determination.  Hence, investigating the sources and destinations of the signature event is the best start.  From there, you could capture traffic between the hosts to see what is actually occurring (making use of IP logging on the sensor for a specific signature is a great troubleshooting tool - just be careful not to leave it enabled full-time like a packet sniffer).  Reviewing these captures can let you know whether to consider the traffic good or bad.

Scott

New Member

Re: IPS Sig ID 3030 - TCP SYN Host Sweep

Hi Scott,

  The link below says "Exclude internal networks as sources". Please let me know why the internal sources have to be specifically excluded, as I can see "n" number of logs with this signature.

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=3030&signatureSubId=0&softwareVersion=6.0&releaseVersion=S2

Thanks

Kiran

Cisco Employee

Re: IPS Sig ID 3030 - TCP SYN Host Sweep

Kiran;

  Internal hosts can cause this signature to fire for normal web browsing activity; that is why internal hosts are listed as a potential benign trigger.  The event action filter is a recommendation to assist in lowering false positives from needing to be reviewed.

Scott

Re: IPS Sig ID 3030 - TCP SYN Host Sweep

Internal (LAN) networks should be excluded for this signature as recommended by Cisco.

The reason is that many traffic flows originated from the LAN cause this signature to be fired e.g.

> NMS system polling, pinging devices

> DNS Server sending/replying to DNS requests/queries

> Proxy server web traffic

> Email Server SMTP traffic etc.

If you don't set up an event-action filter for the TCP SYN Sweep and ICMP Sweep signatures, they are going to create too much noise and distract you from monitoring the actual/relevant alerts.


Please rate if helpful.

Regards

Farrukh
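To make concrete what the replies above describe, here is an added illustration (not Cisco's code and not the sensor's actual 3030 logic): a toy SYN host-sweep detector run over constructed flow records, followed by an event-action filter that drops alerts whose source is internal. The threshold, the time window and the RFC 1918 definition of "internal" are all assumptions.

```python
from collections import defaultdict, deque
import ipaddress

# Constructed sample flow records: (timestamp_s, src, dst, dport, tcp_flags).
SAMPLE_FLOWS = [
    # internal desktop browsing: one page load fans SYNs out to many web hosts
    (0, "10.1.1.50", "93.184.216.34", 443, "S"),
    (1, "10.1.1.50", "142.250.72.4", 443, "S"),
    (1, "10.1.1.50", "151.101.1.69", 443, "S"),
    (2, "10.1.1.50", "104.16.0.1", 443, "S"),
    (2, "10.1.1.50", "13.107.42.14", 443, "S"),
    # external host probing a DMZ range
    (10, "203.0.113.7", "192.0.2.1", 22, "S"),
    (10, "203.0.113.7", "192.0.2.2", 22, "S"),
    (11, "203.0.113.7", "192.0.2.3", 22, "S"),
    (11, "203.0.113.7", "192.0.2.4", 22, "S"),
    (12, "203.0.113.7", "192.0.2.5", 22, "S"),
    # established-connection packets (no SYN) must not count toward a sweep
    (13, "203.0.113.9", "192.0.2.1", 443, "A"),
    (14, "203.0.113.9", "192.0.2.2", 443, "A"),
]
# Assumed definition of "internal" for the event-action filter (RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def detect_syn_sweeps(flows, threshold=5, window_s=60):
    """Return {src: sorted distinct dsts} for sources whose SYNs reach >= threshold unique hosts within window_s."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst) seen inside the window
    hits = {}
    for ts, src, dst, _dport, flags in sorted(flows):
        if flags != "S":  # only SYN-only packets are host-sweep probes
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window_s:  # expire events older than the window
            q.popleft()
        uniq = {d for _, d in q}
        if len(uniq) >= threshold:
            hits[src] = sorted(uniq)
    return hits

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def apply_exclude_internal_filter(alerts):
    """Event-action filter 'exclude internal networks as sources': keep only alerts from external sources."""
    return {src: dsts for src, dsts in alerts.items() if not is_internal(src)}

if __name__ == "__main__":
    raw = detect_syn_sweeps(SAMPLE_FLOWS)
    print("raw alerts:", sorted(raw))  # ['10.1.1.50', '203.0.113.7']
    print("after filter:", sorted(apply_exclude_internal_filter(raw)))  # ['203.0.113.7']
```

The browsing desktop and the external prober both trip the raw detector; only the filter, not a tuned threshold, separates them, which is why the filter is recommended instead of raising the signature's threshold.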
