New Member

Detecting FTP, Telnet, etc. probes

Will the IDS' detect probes that scan (single port 21, 23, etc.) our entire class B address space? We get scanned all the time and we log them thanks to our PIX. However, I don't get any sig. firing in the IDS.

Thank you,

Chris

4 REPLIES
New Member

Re: Detecting FTP, Telnet, etc. probes

Have you checked your (on Sensor) /usr/nr/etc/packetd.conf file to see if these signatures (in the 3000 range) are set to alarm. Check out: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids5/csidscog/intarch.htm#41107

Cisco Employee

Re: Detecting FTP, Telnet, etc. probes

3030 "TCP SYN Host Sweep"

3031 "TCP FRAG SYN Host Sweep"

3032 "TCP FIN Host Sweep"

3033 "TCP FRAG FIN Host Sweep"

3034 "TCP NULL Host Sweep"

3035 "TCP FRAG NULL Host Sweep"

3036 "TCP SYN/FIN Host Sweep"

3037 "TCP FRAG SYN/FIN Host Sweep"

The Sweep signatures are tunable through SigWizMenu and nrConfigure.

You can designate how many hosts need to be scanned and in what amount of time for the signature to fire.

If the scans are slow or only scan a few live hosts then the default settings may not be enough to fire the signature.

NOTE: If the IP addresses being scanned are not live, then the PIX may not actually send the packet through because there is no response to an ARP for that address, in which case the IDS won't see the packet if the IDS is watching behind the PIX. The PIX may, however, still log the connection attempt and this may be what you are seeing???
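As an added illustration (not Cisco code, and not the sensor's actual signature engine) of how a host-sweep signature like 3030 behaves, the script below counts distinct destination hosts per source and port inside a time window, with hypothetical threshold defaults, and also models the PIX caveat above by filtering out probes to non-live hosts. The sample SYN records are constructed.

```python
from collections import defaultdict, deque

# Constructed sample SYN records: (time_in_seconds, src_ip, dst_ip, dst_port).
# One source sweeps port 23 across 8 hosts in 3.5 s; another sweeps port 21
# across 8 hosts at one host per minute (a slow scan).
SAMPLE_SYNS = (
    [(i * 0.5, "203.0.113.9", f"192.0.2.{i + 1}", 23) for i in range(8)]
    + [(i * 60.0, "198.51.100.7", f"192.0.2.{i + 1}", 21) for i in range(8)]
)


def detect_host_sweeps(records, unique_hosts=5, seconds=10.0):
    """Return one alert per (src, port) as (src, port, hosts, span_seconds).

    A sweep fires when a single source sends SYNs to at least `unique_hosts`
    distinct destinations on the same port within `seconds`. The two
    thresholds stand in for the tunable "how many hosts / in what time"
    settings; the defaults here are hypothetical, not Cisco's values.
    The alert carries the host count and time span so the analyst can see
    what actually triggered it.
    """
    history = defaultdict(deque)  # (src, port) -> deque of (time, dst)
    fired, alerts = set(), []
    for t, src, dst, port in sorted(records):
        key = (src, port)
        window = history[key]
        window.append((t, dst))
        while window and t - window[0][0] > seconds:  # expire old probes
            window.popleft()
        hosts = {d for _, d in window}
        if len(hosts) >= unique_hosts and key not in fired:
            fired.add(key)
            alerts.append((src, port, len(hosts), round(t - window[0][0], 1)))
    return alerts


def seen_behind_pix(records, live_hosts):
    """Model the PIX caveat: SYNs to addresses that never answer ARP do not
    cross the firewall, so an IDS behind the PIX only sees probes aimed at
    live hosts (the PIX itself may still log every attempt)."""
    return [r for r in records if r[2] in live_hosts]


if __name__ == "__main__":
    print(detect_host_sweeps(SAMPLE_SYNS))
    print(detect_host_sweeps(seen_behind_pix(SAMPLE_SYNS, {"192.0.2.1", "192.0.2.2"})))
```

With the 10-second window only the fast port-23 sweep fires; widening the window to 600 s also catches the slow port-21 sweep, and filtering to a few live hosts silences both, matching the reply's explanation.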

New Member

Re: Detecting FTP, Telnet, etc. probes

It would still help to have more information included in 3030 and friends (but most specifically 3030).

A note in the extra data field of "NNN hosts scanned in YY seconds" would be great.

Cisco Employee

Re: Detecting FTP, Telnet, etc. probes

I'll pass the comment along to our signature development guys for possible consideration in a future version.
