Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Tuning "TCP Syn Host Sweep"

How are you all tuning Sig ID:3030 "TCP Syn Host Sweep"? I find this alert is the best indicator of a worm or virus that has made its way inside attempting to spread itself around our network when I see thousands of Syn's coming from one IP all hitting another specific IP range.

Unfortunately we get a ton of "false-positives" on this alert that seem to come from users being referred from one website to an ad on another. All hosts seem to trip the rule a similar number of times during the day which makes it a little tougher to pick out an infected host (5k alerts from one host vs. 300 from each of the others). Making it even more difficult to catch a scanning host before it gets into the range of thousands of hits is the fact that one host can often get a lot of ads or pop-ups from one company's IP block so it will look similar to a scan even though it likely is not.

Have any of you found an effective way to tune this alert so that it still fires if you have a worm but not for every banner ad/popup window a user gets? Have any of you made an attempt to wade through all the alarms triggered by this sig to determine the actual root of the false-positives or are you just turning the alarm off altogether?

New Member

Re: Tuning "TCP Syn Host Sweep"

In IPS5 I have created a custom signature which contains an Event Counter of 10 with a default Alert Interval of 60 seconds. So after disabling Signature 3030, your custom signature should only fire when it detects 10 instances within a 60 second period.

CreatePlease login to create content