Gold

sig 3030 (TCP SYN Host Sweep) - no dest port?

5.x sensor, as viewed from the event monitoring directly on the sensor.

sig 3030 events do not seem to include the actual destination port. This seems rather strange given the description of the signature. Is this normal? Am I misunderstanding the NSDB description below?

"Description: Triggers when a series of TCP SYN packets have been sent to the same destination port on a number of different hosts. This could, for example, be a sweep of many hosts to find out which ones can receive mail or telnet sessions."

3 REPLIES
Cisco Employee

Re: sig 3030 (TCP SYN Host Sweep) - no dest port?

You are right, this is a bug. The current 5.x version of sig 3030 does not include the destination port. The Summary Key should be set to Axxb (instead of Axxx) to include the actual destination port. A modified signature will be released with the next signature update. Thank you for bringing this to our attention.

Cisco Employee

Re: sig 3030 (TCP SYN Host Sweep) - no dest port?

Upon further investigation, I have found that the existing parameters for sig 3030 are correct. It is the NSDB that is misleading. A sweep sig will behave as "Host Sweep" if you use the storage-key (not summary-key) as Axxx. If it is Axxb it becomes "Service Sweep". My earlier reply was wrong. The NSDB has been corrected. I am sorry for the confusion.

Please let us know if you have any more questions.

Gold

Re: sig 3030 (TCP SYN Host Sweep) - no dest port?

I think what you're saying is that sig 3030 detects a SYN scan against multiple hosts, regardless of ports. That may be too vague. There are two different types of SYN scans I might want to alert on:

scenario 1:

SYN scan against multiple hosts on a single port (looking for SMTP servers for example).

scenario 2:

SYN scan against multiple hosts on multiple ports.

The above signature will fire on both, right, but it won't show ports in either case? Is there a more specific signature that will fire on scenario 1 (much like the previous description for 3030), and show the port? Somebody must have been at least thinking about this when they wrote the description:

"Description: Triggers when a series of TCP SYN packets have been sent to the same destination port on a number of different hosts. This could, for example, be a sweep of many hosts to find out which ones can receive mail or telnet sessions."
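The following is an added example, not code from the original thread or from Cisco. It is a toy model of the point made in the second Cisco reply and in the two scenarios above: a sweep signature groups SYN packets under a storage key, and the key letters decide what gets counted. Only Axxx and Axxb appear in the thread; the positional reading of the four letters (A = attacker address, a = attacker port, B = victim address, b = victim port, x = wildcard), the unique-host threshold of 5, and all traffic below are assumptions constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Positional meaning of the four key letters (assumed reading of the
# Cisco IPS convention): A = attacker address, a = attacker port,
# B = victim address, b = victim port, x = field ignored.
KEY_FIELDS = ("A", "a", "B", "b")


@dataclass(frozen=True)
class Syn:
    """One TCP SYN as the sensor would see it (constructed, not captured)."""
    src: str      # attacker address
    sport: int    # attacker port
    dst: str      # victim address
    dport: int    # victim port


def storage_key(pkt: Syn, key: str) -> Tuple:
    """Return the tuple this SYN is grouped under for a key such as 'Axxx' or 'Axxb'.
    Wildcarded fields become None, which is why an Axxx alert carries no port."""
    values = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    return tuple(v if k == f else None for k, f, v in zip(key, KEY_FIELDS, values))


def sweep_alerts(packets: List[Syn], key: str, unique_threshold: int) -> Dict[Tuple, int]:
    """Count distinct victim hosts per storage key and return the keys that
    reached the threshold, i.e. the alerts a host-sweep style signature would raise."""
    victims: Dict[Tuple, Set[str]] = defaultdict(set)
    for p in packets:
        victims[storage_key(p, key)].add(p.dst)
    return {k: len(v) for k, v in victims.items() if len(v) >= unique_threshold}


def build_sample_traffic() -> List[Syn]:
    """Constructed sample traffic covering both scenarios from the thread."""
    hosts = [f"192.168.1.{i}" for i in range(1, 7)]
    pkts: List[Syn] = []
    # Scenario 1: one source, many hosts, one port (looking for SMTP servers).
    for i, h in enumerate(hosts):
        pkts.append(Syn("10.0.0.5", 40000 + i, h, 25))
    # Scenario 2: one source, many hosts, ports spread across several services.
    ports = [22, 80, 443]
    for i, h in enumerate(hosts):
        pkts.append(Syn("10.0.0.9", 41000 + i, h, ports[i % len(ports)]))
    # Background: an ordinary client reaching two servers on one port (no sweep).
    pkts.append(Syn("10.0.0.20", 50000, "192.168.1.1", 443))
    pkts.append(Syn("10.0.0.20", 50001, "192.168.1.2", 443))
    return pkts


def compare_keys(packets: List[Syn], unique_threshold: int = 5) -> Dict[str, Dict[Tuple, int]]:
    """Run the same traffic through an Axxx (Host Sweep) and an Axxb (Service Sweep) key."""
    return {key: sweep_alerts(packets, key, unique_threshold) for key in ("Axxx", "Axxb")}


if __name__ == "__main__":
    for key, alerts in compare_keys(build_sample_traffic()).items():
        print(f"storage-key {key}:")
        for k, n in alerts.items():
            print(f"  attacker={k[0]} victim-port={k[3]} unique-hosts={n}")
```

With the constructed traffic, Axxx fires for both sources and the victim-port slot of each alert is empty, which matches what the original poster saw in the 5.x event viewer. Axxb fires only for the single-port sweep (scenario 1) and the alert key carries port 25; the multi-port scan (scenario 2) never reaches 5 unique hosts on any one port under Axxb, so a sensor running only a Service Sweep key would miss it. That trade-off is the reason the two behaviours are separate signatures rather than one key.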
