
New Member

4210 IDS not detecting small tcp port scans & windows null sessions

Hello,

Perhaps someone can help me out and tell me if this is typical behavior for the 4210. I have been testing the device with the 3.1 software and have enabled all of the signatures in S40 and I can't seem to get it to detect small TCP connect scans (20-30 ports) to common services.

I tried some basic online scans from GRC and Symantec, etc. against our PIX interface with the IDS sniffer interface on a 10/100 hub in between. I cannot get it to fire an alarm for these scans. I also tried a TCP connect scan with fscan's default 300 or so ports and no alarm fired. I also cannot get it to detect a Windows null session attempt, for which the IDS has a signature that I enabled for that purpose. The only time I could get it to fire on a port scan was by doing a full 1-65535 nmap SYN scan against the PIX interface.

Is there possibly something wrong with my setup, or do I need to tune something?

Thanks

2 REPLIES
New Member

Re: 4210 IDS not detecting small tcp port scans & windows null s

Update: I have determined there is definitely something wrong with my setup, as I was able to run these tests on another 4210 in production and they were detected. It could be the 10/100 hub I'm using... we'll see.

Re: 4210 IDS not detecting small tcp port scans & windows null s

Definitely your hub. 10/100 Mbit hubs have 2 backplanes for the different speeds, and the two are usually bridged together. If you have the firewall and the sensor on different segments, you won't see anything.
