Cisco Support Community
New Member

Tuning sweep signature 3030 - TCP SYN Host Sweep

I want this signature to have the old behaviour as it had in 4.x. So I changed the Keys from Axxx to Axxp. Also I wanted to exclude port 80 and 443 entirely, so I added 0-79,81-442,444-65535 to Port Range.

This does not seem to work. The following scenario triggers alarms:

- Packets from one host towards 50 different target hosts.

- The destination ports are always 80, 443 and one randomly selected port above 1023 (different on each host).

How come I get alarms? Am I doing something wrong here, or is there a workaround?

Regards,

M

5 REPLIES
Cisco Employee

Re: Tuning sweep signature 3030 - TCP SYN Host Sweep

This sounds like a known bug in the Sweep config tuning. One workaround is to create a custom Sweep signature and set it up to mimic 3030 with your tweaks. Try that and see if you can get it to work like you want.

We have someone trying to find the bug ID to see what the official workaround is.

Cisco Employee

Re: Tuning sweep signature 3030 - TCP SYN Host Sweep

This is a known false positive being tracked in our database. The bug id is CSCse01405.

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCse01405

From that bugid report the workaround is:

Change any parameter in another sig on the Axxx storage-key. Example: set sig 3052 enabled.

Basically the change to the Axxb is getting recorded but is not triggering the appropriate update to the Axxx storage key.
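To illustrate why the storage key matters for the scenario in the question, here is an added simulation (not Cisco's code) of how a sweep engine counts unique victim hosts per storage key after the port-range filter is applied. It assumes Axxx means attacker address only, Axxb means attacker address plus victim port (as in the reply's terminology), and uses a Unique threshold of 5 as a placeholder value.

```python
from collections import defaultdict

# Constructed sample traffic matching the question: one source sends SYNs to
# 50 target hosts on ports 80, 443 and one per-host port above 1023.
SRC = "10.0.0.1"
SYNS = []
for i in range(50):
    dst = f"192.0.2.{i + 1}"
    for port in (80, 443, 1024 + i):
        SYNS.append((SRC, dst, port))

# Port Range as entered in the question: everything except 80 and 443.
PORT_RANGES = [(0, 79), (81, 442), (444, 65535)]


def port_in_ranges(port, ranges=PORT_RANGES):
    """True if the destination port falls inside one of the monitored ranges."""
    return any(lo <= port <= hi for lo, hi in ranges)


def storage_key(src, dst, port, key_type):
    """Assumed key semantics: Axxx = attacker address, Axxb = attacker + victim port."""
    if key_type == "Axxx":
        return (src,)
    if key_type == "Axxb":
        return (src, port)
    raise ValueError(f"unknown storage key {key_type}")


def unique_hosts(syns, key_type, ranges=PORT_RANGES):
    """Return {storage key: number of distinct victim hosts} after port filtering."""
    seen = defaultdict(set)
    for src, dst, port in syns:
        if not port_in_ranges(port, ranges):
            continue  # excluded port, never counted toward the sweep
        seen[storage_key(src, dst, port, key_type)].add(dst)
    return {key: len(hosts) for key, hosts in seen.items()}


def fires(syns, key_type, unique=5, ranges=PORT_RANGES):
    """True if any storage key reaches the Unique threshold (placeholder: 5)."""
    return any(n >= unique for n in unique_hosts(syns, key_type, ranges).values())
```

Under Axxx the single key sees all 50 victims and the alarm fires even with 80 and 443 excluded, because the per-host random port still counts; under Axxb each random port is its own key with one victim, so nothing reaches the threshold, which is the behaviour the question expected and the unapplied key change explains.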

New Member

Re: Tuning sweep signature 3030 - TCP SYN Host Sweep

Ok, thanks.

This brings up another issue, with CiscoWorks. Perhaps you are not that involved in CW development.

The issue is that when we perform a signature update our specific signature settings get wiped (for the sweep engine signatures). Settings like IP protocol and which ports to monitor. Also the "Unique" setting is wiped.

This applies to both the 3030 signature and any custom sweep signature we make.

We are running version 2.2 with Service Pack 1.

Is this also a known bug? Workaround?

Regards,

M

New Member

Re: Tuning sweep signature 3030 - TCP SYN Host Sweep

We have that same exact problem, in fact I was going to put in a TAC case for this.

We are running VMS 2.3 with Security Monitor 2.2.

I have been tuning signatures globally, by group, and by sensor. I just found out that after an automatic signature update, all of my tuning is overwritten. The only workaround I have is to put in Sig Event Action Filters instead. But I don't think that helps with the overhead of leaving overzealous signatures untuned.

Cisco Employee

Re: Tuning sweep signature 3030 - TCP SYN Host Sweep

I've not heard of your issue, but then, as was supposed, it's outside of my area of expertise. I have brought this thread to the attention of one of the MC support guys. Hopefully he'll review this thread shortly.

Scott
