Cisco Support Community

New Member

Configuring TCP SYN HOST SWEEPS(SIGID 3030)

I'm trying to make signature 3030 (TCP SYN Host Sweeps) fire only when 40 scans to different hosts are seen within 15 seconds, and fire only one alarm during this period for the particular source address.

How can I accomplish this?

Thanks in advance

2 REPLIES
New Member

Re: Configuring TCP SYN HOST SWEEPS(SIGID 3030)

Any update on this ?

New Member

Re: Configuring TCP SYN HOST SWEEPS(SIGID 3030)

I have tried to make similar alarms such as 2100 perform like this. I have run into the same problems. Some notes that I can pass on are:

For configuration the two main areas to tweak are:

Unique and ResetAfterIdle.

Each of the sweep signature engines' alarm conditions ultimately depends on the count of the Unique parameter. This parameter is the threshold parameter that triggers firing of the alarm when more than the Unique number of ports or hosts is detected.

The sweep engines also use the ResetAfterIdle master parameter to clear the current value of the Unique counter. The value is cleared or reset when no traffic has passed between the hosts for a period of time.

* A specific engine that does not do Unique counting like other sweep engines is Sweep.Other.TCP

This engine supports signatures that trigger when a mixture of TCP packets with different flags is detected. Examples would be Nmap or Queso scans that send odd TCP flags.

Hope this helps.

Some reference is from Global Knowledge.
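The following Python is an added illustration, not part of the thread above and not Cisco's implementation. It models the two knobs the reply describes (a Unique threshold and a ResetAfterIdle timer) with one simplifying assumption: a source fires once and stays quiet until its counter is reset. A second function implements the "more than N hosts within T seconds" sliding window the question actually asks for, so the difference shows on the same constructed traffic: a slow scanner that never stays idle for 15 seconds keeps accumulating under the idle-reset model but never trips the window. The IP addresses and event timings are constructed sample data.

```python
from collections import defaultdict, deque


# Constructed sample of TCP SYN events: (timestamp_seconds, src_ip, dst_ip).
# 10.0.0.5 scans 60 hosts in 6 s; 10.0.0.6 scans 45 hosts, one SYN every 14 s;
# 10.0.0.7 touches 10 hosts, goes quiet for ~90 s, then touches 10 more.
def sample_events():
    events = []
    events += [(i / 10, "10.0.0.5", f"10.1.0.{i + 1}") for i in range(60)]
    events += [(i * 14, "10.0.0.6", f"10.2.0.{i + 1}") for i in range(45)]
    events += [(i, "10.0.0.7", f"10.3.0.{i + 1}") for i in range(10)]
    events += [(100 + i, "10.0.0.7", f"10.3.0.{i + 11}") for i in range(10)]
    return events


def detect_idle_reset(syn_events, unique=40, reset_after_idle=15.0):
    """Unique / ResetAfterIdle model from the reply: count distinct destination
    hosts per source; clear the counter once the source has been silent for
    longer than reset_after_idle seconds. Assumption (not from the page): a
    source alarms once and is silenced until its counter resets."""
    hosts = defaultdict(set)
    last_seen = {}
    fired = set()
    alarms = []
    for ts, src, dst in sorted(syn_events):
        if src in last_seen and ts - last_seen[src] > reset_after_idle:
            hosts[src].clear()      # idle long enough: counter and alarm state reset
            fired.discard(src)
        last_seen[src] = ts
        hosts[src].add(dst)
        if src not in fired and len(hosts[src]) > unique:
            alarms.append((ts, src, len(hosts[src])))
            fired.add(src)
    return alarms


def detect_sliding_window(syn_events, unique=40, window=15.0):
    """What the question asks for: more than `unique` distinct hosts within any
    `window` seconds, with at most one alarm per source per window."""
    recent = defaultdict(deque)
    suppressed_until = defaultdict(lambda: float("-inf"))
    alarms = []
    for ts, src, dst in sorted(syn_events):
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:    # drop events that fell out of the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct > unique and ts >= suppressed_until[src]:
            alarms.append((ts, src, distinct))
            suppressed_until[src] = ts + window
    return alarms


if __name__ == "__main__":
    ev = sample_events()
    print("idle-reset model:", detect_idle_reset(ev))
    print("sliding window:  ", detect_sliding_window(ev))
```

On this sample both models alarm once for the fast scanner (at the 41st host), but only the idle-reset model alarms for the slow scanner, because its 14 s gaps never exceed ResetAfterIdle. Lowering ResetAfterIdle below the scanner's gap makes that alarm disappear, which is the trade-off the reply's "no traffic for a period of time" wording implies: ResetAfterIdle bounds the idle gap, not the total duration of the sweep.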
