
New Member

I'm not sure about "Unique" field in SWEEP.PORT.TCP

- I'm not sure about the "Unique" field in the SWEEP.PORT.TCP engine. Is it right when I say that Unique is used to specify the maximum connections to ONE port of a host?

- Does the signature fire when the result of masking the packet's TCP flags (that the sensor captures) with the MASK field is a subset of the TCPFlags field?

Is there any tool to test signatures belonging to this engine?

1 REPLY
Cisco Employee

Re: I'm not sure about "Unique" field in SWEEP.PORT.TCP

The Unique is the number of different ports on the destination machine that packets must be sent to from the source machine for the alarm to fire.

Multiple packets to the same destination port from the same source machine will all be counted as simply one unique even if the packets had different source ports.

(To monitor for multiple packets/connections to a single port you need the flood signature.)

For example:

Unique is set as 5 and the signature is monitoring for SYN packets.

5 telnet connections to a server from the same client will not fire the alarm.

Nor will 3 telnet connections and 2 ftp connections.

However, a telnet connection, an ftp connection, an rsh connection, a web connection, and a smtp connection will fire the alarm.

NOTE: Also 3 telnet connections, 4 ftp connections, 12 rsh connections, 3 web connections and an smtp connection will also fire the alarm, because the number of unique ports is still 5.

The MASK field designates which TCP flags should be evaluated.

The TCPFlags field designates which of the TCP flags from the MASK field have to be there for the packet to be counted towards the alarm.

If the TCP flag is in MASK and in TCPFlags, then the TCP flag must be in the packet.

If the TCP flag is in MASK but is not in TCPFlags, then the TCP flag must NOT be in the packet.

If the TCP flag is not in MASK, then it doesn't matter if it is in the packet.

NOTE: Never put a TCP flag in TCPFlags and not in MASK.

Example:

MASK is set for SYN and FIN

TCPFlags is set for SYN

SYN packet will match

SYN FIN packet will NOT match

FIN packet will NOT match

ACK packet will NOT match

SYN ACK packet will match

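The two rules in the reply above (distinct destination ports per source/destination host pair, and MASK/TCPFlags evaluation) can be written out as a small detector. The following is an added illustration, not Cisco's sensor code or anything from the original thread; the class and function names, the IP addresses and the sample packets are constructed for the example, and the flag-matching rule is expressed in its bitwise form, (packet & MASK) == (TCPFlags & MASK), which is equivalent to the three rules the reply gives.

```python
"""Added illustration of the SWEEP.PORT.TCP counting and flag-matching rules
described in the reply. This is not Cisco's sensor code; it models the
described behaviour with hypothetical names and constructed sample packets."""
from dataclasses import dataclass, field

# TCP flag bits as laid out in the TCP header flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def flags_match(packet_flags: int, mask: int, tcpflags: int) -> bool:
    """Apply the MASK / TCPFlags rules.

    Only bits set in MASK are evaluated; each evaluated bit must be present in
    the packet exactly when it is present in TCPFlags. Bits outside MASK are
    ignored. This is the bitwise form of the three rules in the reply.
    """
    if tcpflags & ~mask:
        # The reply warns never to put a flag in TCPFlags that is not in MASK:
        # such a flag could never be evaluated, so reject the configuration.
        raise ValueError("TCPFlags contains bits not present in MASK")
    return (packet_flags & mask) == (tcpflags & mask)


@dataclass
class UniquePortSweepDetector:
    """Count distinct destination ports per (source, destination) host pair.

    A packet is counted only if its flags satisfy flags_match(). Repeated
    packets to the same destination port add nothing, whatever their source
    port. The alarm fires once the number of distinct destination ports
    reaches `unique`.
    """
    unique: int
    mask: int
    tcpflags: int
    # (src_ip, dst_ip) -> set of distinct destination ports seen so far
    _ports: dict = field(default_factory=dict)

    def observe(self, src_ip, dst_ip, src_port, dst_port, flags) -> bool:
        """Feed one packet; return True if this packet triggers the alarm."""
        if not flags_match(flags, self.mask, self.tcpflags):
            return False
        seen = self._ports.setdefault((src_ip, dst_ip), set())
        seen.add(dst_port)
        return len(seen) >= self.unique


def sweep_fires(dst_ports, unique=5, mask=SYN | FIN, tcpflags=SYN) -> bool:
    """Replay constructed SYN packets from one client to one server, one per
    entry in dst_ports, and report whether the alarm fires at any point."""
    det = UniquePortSweepDetector(unique=unique, mask=mask, tcpflags=tcpflags)
    fired = False
    for i, port in enumerate(dst_ports):
        # Each packet gets a different ephemeral source port (constructed);
        # per the reply, that must not affect the unique count.
        fired |= det.observe("10.0.0.5", "10.0.0.9", 40000 + i, port, SYN)
    return fired


if __name__ == "__main__":
    TELNET, FTP, RSH, HTTP, SMTP = 23, 21, 514, 80, 25
    print(sweep_fires([TELNET] * 5))                                    # False
    print(sweep_fires([TELNET] * 3 + [FTP] * 2))                        # False
    print(sweep_fires([TELNET, FTP, RSH, HTTP, SMTP]))                  # True
    print(sweep_fires([TELNET] * 3 + [FTP] * 4 + [RSH] * 12
                      + [HTTP] * 3 + [SMTP]))                           # True
```

The four `sweep_fires` calls replay the reply's four scenarios with Unique set to 5, and the `flags_match` rule reproduces its MASK = SYN+FIN, TCPFlags = SYN table (SYN and SYN+ACK match; SYN+FIN, FIN and ACK do not). Note that this answers the question's "subset" wording: the sensor is not checking that the masked packet flags are a subset of TCPFlags, but that they are exactly equal to TCPFlags within the masked bits.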