How are you all tuning Sig ID:3030 "TCP Syn Host Sweep"? I find this alert is the best indicator of a worm or virus that has made its way inside attempting to spread itself around our network when I see thousands of SYNs coming from one IP all hitting another specific IP range.
Unfortunately we get a ton of "false-positives" on this alert that seem to come from users being referred from one website to an ad on another. All hosts seem to trip the rule a similar number of times during the day which makes it a little tougher to pick out an infected host (5k alerts from one host vs. 300 from each of the others). Making it even more difficult to catch a scanning host before it gets into the range of thousands of hits is the fact that one host can often get a lot of ads or pop-ups from one company's IP block so it will look similar to a scan even though it likely is not.
Have any of you found an effective way to tune this alert so that it still fires if you have a worm but not for every banner ad/popup window a user gets? Have any of you made an attempt to wade through all the alarms triggered by this sig to determine the actual root of the false-positives or are you just turning the alarm off altogether?
In IPS5 I have created a custom signature which contains an Event Counter of 10 with a default Alert Interval of 60 seconds. So after disabling Signature 3030, your custom signature should only fire when it detects 10 instances within a 60 second period.
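To make the reply's counter idea concrete, here is an added example (not code from the thread or from Cisco's signature engine) that replays constructed SYN events through two views: the raw per-source SYN count the original poster says cannot separate an ad-heavy host from a scanner, and a sweep detector that only fires when one source reaches 10 distinct hosts in the same /24 within 60 seconds. The event-counter/alert-interval semantics are an approximation for illustration; the sample traffic, host addresses and the per-/24 grouping are my assumptions.

```python
from collections import defaultdict
import ipaddress

# Constructed sample events: (seconds, source IP, destination IP).
# 10.1.1.20 hits the same three ad-server addresses 150 times over five minutes;
# 10.1.1.77 contacts 60 different hosts in 192.0.2.0/24, one per second.
SAMPLE_EVENTS = [(t, "10.1.1.20", f"198.51.100.{5 + (i % 3)}")
                 for i, t in enumerate(range(0, 300, 2))]
SAMPLE_EVENTS += [(t, "10.1.1.77", f"192.0.2.{1 + i}")
                  for i, t in enumerate(range(100, 160))]
SAMPLE_EVENTS.sort()


def syn_counts(events):
    """Raw SYN count per source: the view that lets a chatty ad client
    out-score a slow scanner."""
    counts = defaultdict(int)
    for _, src, _ in events:
        counts[src] += 1
    return dict(counts)


def sweep_alerts(events, threshold=10, interval=60):
    """Return [(time, src, subnet, distinct_hosts)] each time a source has sent
    SYNs to `threshold` distinct hosts in one /24 within `interval` seconds.
    After firing, the tracker for that source/subnet is cleared so a sustained
    sweep produces roughly one alert per interval instead of one per packet."""
    seen = defaultdict(dict)  # (src, subnet) -> {dst: last_seen_time}
    alerts = []
    for ts, src, dst in sorted(events):
        subnet = ipaddress.ip_network(f"{dst}/24", strict=False)
        hosts = seen[(src, subnet)]
        hosts[dst] = ts
        # Forget hosts not contacted inside the current window.
        for stale in [h for h, last in hosts.items() if ts - last > interval]:
            del hosts[stale]
        if len(hosts) >= threshold:
            alerts.append((ts, src, str(subnet), len(hosts)))
            hosts.clear()
    return alerts


if __name__ == "__main__":
    print(syn_counts(SAMPLE_EVENTS))        # ad host has the higher raw count
    for alert in sweep_alerts(SAMPLE_EVENTS):
        print(alert)                        # only the sweeping host appears
```

The ad-referred host never exceeds three distinct destinations, so it stays silent under the distinct-host rule even though its raw SYN count is higher than the scanner's.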