Detecting FTP, Telnet, etc. probes

chrisv
Level 1

Will the IDS' detect probes that scan (single port 21, 23, etc.) our entire class B address space? We get scanned all the time and we log them thanks to our PIX. However, I don't get any sig. firing in the IDS.

Thank you,

Chris

4 Replies

ddinh
Level 1

Have you checked your (on Sensor) /usr/nr/etc/packetd.conf file to see if these signatures (in the 3000 range) are set to alarm? Check out: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids5/csidscog/intarch.htm#41107

marcabal
Cisco Employee

3030 "TCP SYN Host Sweep"

3031 "TCP FRAG SYN Host Sweep"

3032 "TCP FIN Host Sweep"

3033 "TCP FRAG FIN Host Sweep"

3034 "TCP NULL Host Sweep"

3035 "TCP FRAG NULL Host Sweep"

3036 "TCP SYN/FIN Host Sweep"

3037 "TCP FRAG SYN/FIN Host Sweep"

The Sweep signatures are tuneable through SigWizMenu and nrConfigure.

You can designate how many hosts need to be scanned and in what amount of time for the signature to fire.

If the scans are slow or only scan a few live hosts then the default settings may not be enough to fire the signature.

NOTE: If the IP addresses being scanned are not live, then the PIX may not actually send the packet through because there is no response to an ARP for that address. In which case the IDS won't see the packet if the IDS is watching behind the PIX. The PIX may, however, still log the connection attempt, and this may be what you are seeing?
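As an added illustration (not code from this thread or from Cisco's sensor), here is a small sliding-window host-sweep counter in the spirit of the tuneable host-count and time-window parameters described above, plus the "sensor behind the PIX only sees live hosts" caveat. The connection records, addresses, thresholds and the `live_hosts` set are all constructed.

```python
from collections import defaultdict, deque

# Constructed connection-attempt records: (timestamp_seconds, src_ip, dst_ip, dst_port).
# Illustrative only, not real PIX or sensor output.
FAST_SWEEP = [(t, "198.51.100.7", f"10.1.0.{t + 1}", 21) for t in range(10)]        # 10 hosts in 10 s
SLOW_SWEEP = [(t * 120, "198.51.100.9", f"10.2.0.{t + 1}", 23) for t in range(10)]  # 10 hosts in 18 min


def host_sweep_alarms(records, unique_hosts=5, window=30):
    """Return one (src_ip, dst_port, hosts_seen, first_ts, last_ts) tuple per alarm.

    An alarm fires when a single source touches `unique_hosts` distinct
    destinations on the same port within `window` seconds (sliding window),
    mirroring the "N hosts in T seconds" tuning of a host-sweep signature.
    The per-(src, port) state is cleared after each alarm so a long scan
    produces repeated alarms rather than one alarm per packet.
    """
    state = defaultdict(deque)  # (src, port) -> deque of (ts, dst) inside the window
    alarms = []
    for ts, src, dst, dport in sorted(records):
        q = state[(src, dport)]
        while q and ts - q[0][0] > window:
            q.popleft()  # expire attempts that fell out of the window
        q.append((ts, dst))
        distinct = {d for _, d in q}
        if len(distinct) >= unique_hosts:
            alarms.append((src, dport, len(distinct), q[0][0], ts))
            q.clear()
    return alarms


def seen_by_sensor(records, live_hosts):
    """Model the caveat above: a firewall that gets no ARP reply for a destination
    never forwards the packet, so a sensor behind it only sees attempts to live
    hosts. `live_hosts` is a constructed set of addresses that would answer ARP."""
    return [r for r in records if r[2] in live_hosts]


if __name__ == "__main__":
    print("fast sweep, default tuning:", host_sweep_alarms(FAST_SWEEP))
    print("slow sweep, default tuning:", host_sweep_alarms(SLOW_SWEEP))
    print("slow sweep, 1 h window:   ", host_sweep_alarms(SLOW_SWEEP, window=3600))
    live = {"10.1.0.1", "10.1.0.2", "10.1.0.3"}
    print("fast sweep, only live hosts reach sensor:",
          host_sweep_alarms(seen_by_sensor(FAST_SWEEP, live)))
```

The slow sweep never fires at the default window but does once the window is widened, and the fast sweep stops firing once only three live hosts' packets reach the sensor, which is exactly the gap between PIX connection logs and sensor alarms discussed in this thread.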

It would still help to have more information included in 3030 and friends (but most specifically 3030).

A note in the extra data field of "NNN hosts scanned in YY seconds" would be great.

I'll pass the comment along to our signature development guys for possible consideration in a future version.