With SecMon 2.2, the TCP SYN Host Sweep (3030.0) fails to display the victim's port in the console. The console shows <n/a> in the port field. The sensors are at version 5.1.1p1. The command Show Events Alert Info on the sensor reveals that the destination port is not captured by the sensor event.
Upgrade history of the sensor:
Is there a reason for no longer capturing the destination port on this signature?
Was it capturing the port information *prior* to p1 or the last update applied? I'm just trying to get a grasp on if this is an issue with an update or maybe you just noticed it now and are wondering about how/why it displays what it does.
The reason it does not show an IP address is that a host sweep, by definition, hits a bunch of hosts. I believe the raw alarm has 0.0.0.0 as the ip address; sounds like SecMon is changing this to n/a (correctly I would say).
I don't remember this alarm ever displaying all of the destination IPs.
I don't have a problem with the destination IP address; it's the destination port that is not displayed. I can understand not having all of the destination hosts, as this may be summarised, but the destination port should remain constant across all of the hosts.
It actually goes a little bit further than that, changing the storage key changes the behavior somewhat.
The 5.x sweep engine provides coverage for the following types of sweeps:
If you change the 'storage-key' (NOT summary-key) from Axxx to Axxb the sigs will change behavior from a "host sweep" to a "service sweep". So more than just changing what the alert reports, you are also changing the sweep trigger.
Your change may be okay if that is the desired behavior.
Note that a service sweep will typically fire less than a host sweep because it is more restrictive (i.e. only counts unique on a specific port instead of any port).
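The following is an added illustration, not code from the thread or from the Cisco sensor, of why the storage key changes both what the alert reports and when it fires. It models a sweep counter keyed the way the post describes: "Axxx" groups SYNs by attacker address only and counts unique victim hosts on any port (host sweep), while "Axxb" groups by attacker address plus victim port (service sweep). The key-letter mapping, the threshold of 5 unique hosts and the sample SYN list are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample SYN records: (attacker_ip, victim_ip, victim_port).
# Attacker 10.0.0.5 touches six hosts, but only three of them on port 22.
SAMPLE_SYNS = [
    ("10.0.0.5", "192.168.1.1", 22),
    ("10.0.0.5", "192.168.1.2", 80),
    ("10.0.0.5", "192.168.1.3", 443),
    ("10.0.0.5", "192.168.1.4", 8080),
    ("10.0.0.5", "192.168.1.5", 22),
    ("10.0.0.5", "192.168.1.6", 22),
    ("10.0.0.9", "192.168.1.1", 22),
]

# Assumed field order for the four key positions, mirroring the post's
# Axxx/Axxb wording: A = attacker address, a = attacker port (not tracked
# here), B = victim address, b = victim port, x = field ignored.
KEY_FIELDS = ("A", "a", "B", "b")


def storage_key(attacker_ip, victim_ip, victim_port, key_spec):
    """Return the tuple of fields the sweep counter is keyed on.

    Only the fields named in key_spec are kept; an "x" means that position
    contributes nothing, so those fields cannot appear in the alert either.
    """
    values = {"A": attacker_ip, "a": None, "B": victim_ip, "b": victim_port}
    if len(key_spec) != len(KEY_FIELDS):
        raise ValueError("key spec must have exactly four positions")
    return tuple(
        values[letter] if letter != "x" else None
        for letter in key_spec
    )


def sweep_alerts(syns, key_spec, unique_threshold=5):
    """Fire one alert per storage key once it has seen enough unique victim hosts.

    The returned dict maps each firing key to the number of unique victim
    hosts counted under it.  With "Axxx" a key is one attacker; with "Axxb"
    a key is one attacker on one port, so the same traffic spreads over more
    keys and each accumulates fewer hosts.
    """
    unique_victims = defaultdict(set)
    for attacker_ip, victim_ip, victim_port in syns:
        key = storage_key(attacker_ip, victim_ip, victim_port, key_spec)
        unique_victims[key].add(victim_ip)
    return {
        key: len(hosts)
        for key, hosts in unique_victims.items()
        if len(hosts) >= unique_threshold
    }


def reported_port(key):
    """Victim port as the console would show it: n/a if not part of the key."""
    port = key[KEY_FIELDS.index("b")]
    return "n/a" if port is None else str(port)


if __name__ == "__main__":
    for spec in ("Axxx", "Axxb"):
        alerts = sweep_alerts(SAMPLE_SYNS, spec)
        print(f"{spec}: {len(alerts)} alert(s)")
        for key, count in alerts.items():
            print(f"  attacker={key[0]} port={reported_port(key)} hosts={count}")
```

Run as-is, the host-sweep key fires once for 10.0.0.5 with the port shown as n/a, because the port is simply not a field of the key; the service-sweep key fires nothing, because no single attacker/port pair reaches five unique hosts. That is the trade-off the post describes: the port becomes reportable only by making the trigger more restrictive.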