False Negative detect for port scan against TCP 1433
I am very disappointed today in my NetRangers, and I'm writing y'all to help me regain some sense of trust in them. As y'all know, we call a false positive any situation when the NetRangers trigger a detect that is incorrect or false. And like I tell my students, these can be annoying, but it's the false negative responses that will kill you. These are the times that the NetRanger sits there idly while an attack flows right past it.
Yesterday, during the SQLsnake worm's run, I had a false negative detect on TCP port 1433 scans. I would have thought - and in fact explained to my management and customers - that the NetRangers could detect a port scan for port 1433. Specifically, I was thinking of signature 3030, which yesterday continued to detect the usual ports 111, 80, 25, 22, etc. scans - but was completely silent as port scan after port scan was run against my network, looking for port 1433. To make matters worse, a customer's system was infected by the worm, and it had port-scanned tens of thousands of hosts as fast as it could push the bits out (the worm triggers 100 threads of port scanning activity) - and today my IDS still shows no detected activity against port 1433.
I am using a Sniffer and manually checking it for details on this new worm. I don't expect y'all to detect events that you don't have signatures developed for, but when a worm uses port scanning to find a target and y'all can't see that port scan - then that is a failure at the most basic level of an IDS.
I have a TAC case open - just in case I'm missing something. I have a Sniffer looking at the same data as the sensors so I know the sensor sees the traffic. I received other 3030 detects, so I know the sensors and director are working properly. I attempted to stimulate the same sensors and others with nmap scans against port 1433, and still received no data.
I really can't describe how let down I feel. What other port scans are happening that I don't know about? My trust in the data the NetRanger provides has been shaken. How can I trust an IDS that can't detect a port scan? Please help.
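An added example, not part of the original post and not Cisco or NetRanger code: an independent cross-check that flags a host sweep on one port (here TCP 1433) from packet summaries, the kind of check that can be run beside a sensor that stays silent. The record format `epoch src dst dport flags`, the thresholds, and all addresses are constructed assumptions, not a Sniffer export format.

```python
from collections import Counter, defaultdict, deque

def parse(line):
    """Parse 'epoch src dst dport flags' (constructed format, an assumption)."""
    ts, src, dst, dport, flags = line.split()
    return float(ts), src, dst, int(dport), flags

def find_sweeps(lines, port=1433, min_hosts=20, window=10.0):
    """Return {src: peak count of distinct hosts probed on `port` within
    `window` seconds} for sources whose peak reaches min_hosts.
    Only bare SYNs (flags == 'S') are counted as probes."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, flags = parse(line)
        if dport == port and flags == "S":
            per_src[src].append((ts, dst))
    sweeps = {}
    for src, events in per_src.items():
        events.sort()
        win, seen, peak = deque(), Counter(), 0
        for ts, dst in events:
            win.append((ts, dst))
            seen[dst] += 1
            # Drop probes that have aged out of the sliding window.
            while win[0][0] < ts - window:
                _, old = win.popleft()
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
            peak = max(peak, len(seen))
        if peak >= min_hosts:
            sweeps[src] = peak
    return sweeps

def sample_capture():
    """Constructed sample: a 1433 sweep, a normal SQL client, a port-80 sweep."""
    lines = []
    for i in range(1, 41):   # 40 SYNs to distinct hosts within 4 seconds
        lines.append(f"{1000 + i * 0.1:.1f} 192.0.2.10 198.51.100.{i} 1433 S")
    for i in range(5):       # one client reconnecting to a single SQL server
        lines.append(f"{1000 + i} 192.0.2.20 198.51.100.200 1433 S")
    for i in range(1, 31):   # sweep of a different port, ignored for port=1433
        lines.append(f"{1000 + i * 0.1:.1f} 192.0.2.30 198.51.100.{i} 80 S")
    return lines

if __name__ == "__main__":
    for src, n in find_sweeps(sample_capture()).items():
        print(f"{src} probed {n} distinct hosts on TCP 1433")
```

Counting distinct destinations per source, rather than raw SYNs, keeps a busy but legitimate SQL client from being flagged.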