Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

TCP FIN Host Sweep

Hello Guys,

I need help here. We are getting numerous number of incident in one of our CS-MARS regarding Scans-Stealth system rule. This rule triggered by event type TCP FIN Host Sweep. The source ip's were internal our network and destined to external ip's of telco and other sites. One of the notable site is yahoo.com. I'm just wondering what causing these alerts to trigger, P2P or streaming?

According to this signature

TCP FIN Host Sweep

Benign Trigger(s):

The host sweep signatures 3030 and 3032 detect behaviors that should not be observed from sources outside the local network but are normal behaviors for sources from within the local network.

Recommended filters:

Exclude internal networks as sources.

Based on the signature this alert is not malicious unless the source ip is external. So, is it ok to tune this out or leave it and then always monitor? Sometimes it's quite annoying though.

6 REPLIES
New Member

Re: TCP FIN Host Sweep

Hello,

Without more information it's hard to say why the alerts are being triggered, but in general, network scanning or p2p could easily trigger (internal -> external) trigger those signatures.

Tuning those signatures would be an appropriate course of action in my opinion.

New Member

Re: TCP FIN Host Sweep

We are having the same issue, except with the TCP SYN Host Sweep (3030) alert. The signature explanation page suggests to filter out internal addresses as the source, but we have not for a reason: this is a good way to detect a worm within the network.

What we have done in the past is tune the threshold that triggers the signature. However with E2 engine update and signature updates, this signature has begun to fire excessively again. We will probably tune it again by increasing the threshold to a point where it will not give us an excessive amount of alerts.

Re: TCP FIN Host Sweep

Yes this is one of the 'chatty' signatures. You can either follow the Cisco recommendation:

Recommended filters:

Exclude internal networks as sources.

Or filter the signature on the IPS to increase the thresholds as others have suggested. But to be honest there are more accurate/better ways to detect worms on IPS 6.x like 'Anomaly Detection' than these signatures (if that is the motivation to not filter internal IPs).

Regards

Farrukh

New Member

Re: TCP FIN Host Sweep

Thank guys for your help. But if we increase the threshold of this signature and filter this out we will not able to detect some P2P activity. We are monitoring schools network and we all know that most of the student use P2P for sharing files. Some of the P2P activity will not resembles a P2P alerts in MARS but most of them trigger this Scans-Stealth rule with event type TCP Fin Host Sweep.

Mahalo,

Carlou

Re: TCP FIN Host Sweep

So how to you want to procced with this?

Regards

Farrukh

New Member

Re: TCP FIN Host Sweep

We haven't decided yet. Most probably we will continue to monitor this event and not tuning this out. Our client wants to see P2P activity and to know who's using P2P clients so they can uninstall it in their workstation.

Mahalo,

Carlou

795
Views
0
Helpful
6
Replies
CreatePlease to create content