02-21-2002 07:14 AM - edited 03-08-2019 09:52 PM
Will the IDS detect probes that scan (single port 21, 23, etc.) our entire class B address space? We get scanned all the time and we log them thanks to our PIX. However, I don't get any sig. firing in the IDS.
Thank you,
Chris
02-21-2002 11:27 AM
Have you checked your (on Sensor) /usr/nr/etc/packetd.conf file to see if these signatures (in the 3000 range) are set to alarm? Check out: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids5/csidscog/intarch.htm#41107
02-21-2002 11:31 AM
3030 "TCP SYN Host Sweep"
3031 "TCP FRAG SYN Host Sweep"
3032 "TCP FIN Host Sweep"
3033 "TCP FRAG FIN Host Sweep"
3034 "TCP NULL Host Sweep"
3035 "TCP FRAG NULL Host Sweep"
3036 "TCP SYN/FIN Host Sweep"
3037 "TCP FRAG SYN/FIN Host Sweep"
The Sweep signatures are tuneable through SigWizMenu and nrConfigure.
You can designate how many hosts need to be scanned and in what amount of time for the signature to fire.
If the scans are slow or only scan a few live hosts then the default settings may not be enough to fire the signature.
NOTE: If the IP addresses being scanned are not live, then the PIX may not actually send the packet through because there is no response to an ARP for that address. In which case the IDS won't see the packet if the IDS is watching behind the PIX. The PIX may, however, still log the connection attempt and this may be what you are seeing???
03-12-2002 03:30 PM
It would still help to have more information included in 3030 and friends (but most specifically 3030).
A note in the extra data field of "NNN hosts scanned in YY seconds" would be great.
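An added illustration (not code from this thread or from the Cisco sensor) of the two points raised above: a host-sweep alarm that depends on a tunable host count and time window, and an alarm detail of the form "NNN hosts scanned in YY seconds". The log format, addresses and timestamps are constructed; it shows why a slow sweep of a few hosts stays below a default threshold until the window is widened.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (not real PIX syslog): "<time> <src> -> <dst>:<port>"
# FAST_SCAN: one source hits six hosts on port 21 one second apart.
FAST_SCAN = [f"2002-02-21 07:00:{s:02d} 192.0.2.10 -> 10.1.{s}.5:21" for s in range(6)]
# SLOW_SCAN: another source hits six hosts one minute apart.
SLOW_SCAN = [f"2002-02-21 07:{m:02d}:00 192.0.2.20 -> 10.2.{m}.5:21" for m in range(6)]


def parse(line):
    """Return (timestamp, src, dst) from one constructed log line."""
    ts_str, rest = line[:19], line[20:]
    src, _, dst_port = rest.split(" ", 2)
    dst = dst_port.rsplit(":", 1)[0]
    return datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S"), src, dst


def host_sweeps(lines, unique_hosts=5, window_secs=60):
    """Sliding-window host-sweep detector (hypothetical, modelled on the
    tunables described in the thread): fire once a single source has
    touched `unique_hosts` distinct destinations within `window_secs`.
    Returns a list of (src, "NNN hosts scanned in YY seconds")."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst), oldest first
    alarms = []
    for line in lines:
        ts, src, dst = parse(line)
        q = recent[src]
        q.append((ts, dst))
        # Drop events that have aged out of the window.
        while (ts - q[0][0]).total_seconds() > window_secs:
            q.popleft()
        hosts = {d for _, d in q}
        if len(hosts) >= unique_hosts:
            span = int((ts - q[0][0]).total_seconds())
            alarms.append((src, f"{len(hosts)} hosts scanned in {span} seconds"))
            q.clear()  # one alarm per sweep, then start counting again
    return alarms


if __name__ == "__main__":
    print(host_sweeps(FAST_SCAN))                   # fires with defaults
    print(host_sweeps(SLOW_SCAN))                   # too slow for a 60 s window
    print(host_sweeps(SLOW_SCAN, window_secs=300))  # fires once window is widened
```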
03-12-2002 06:54 PM
I'll pass the comment along to our signature development guys for possible consideration in a future version.