
New Member

IDS missing TONS of port scans

I have recently been examining my firewall log files and have noticed tons of port scans that the IDS has failed to pick up. Occasionally, the scans have been going on for hours across my entire IP block.

What is going on with the scanner? Do I need to further fine-tune the signatures? It does pick up port scans currently... sometimes even if it is just one SYN scan to one IP address - so it appears sensitive enough.

IDEAS?

Thank you.

4 REPLIES
New Member

Re: IDS missing TONS of port scans

Please see July 7 posting...new engineering release 3.1.3 for service-over-host sweeps.

New Member

Re: IDS missing TONS of port scans

Could you provide the URL please. I don't see any reference for this release.

Thanks

New Member

Re: IDS missing TONS of port scans

May 30, 2002, 1:18pm PST

We have created the engrel2 bundle to address the problems noted with the host sweeps, particularly the Sig 3030 false negative on SQL Spyda sweeps on port 1433. (We were only looking at low ports, so port 1433 was never counted.)

Now, we have changed the behavior of signatures 3030-3037 to be service sweeps instead of regular host sweeps. (See the README with the bundle on ftp-eng.)

You can find the files on 'ftp-eng.cisco.com'.

The path is: /ftp/pub/titanium

Download the files:

CSIDS-313-engrel2.tar.Z and README

in ftp BINARY mode.

The README has installation instructions and a full description of the changes in this version.

-JK
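To make the false negative described in the reply above concrete, here is an added example (my own illustration, not Cisco's signature code) that runs the two counting rules over constructed firewall log lines: a host sweep that only counts connections to low ports, and a service sweep that counts distinct destination hosts per (source, port). The log format, the 5-host threshold and the 1024 low-port cutoff are assumptions, not values from the thread.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the thread): "<src> -> <dst>:<dport>".
# Source 10.0.0.5 walks port 1433 across the block; source 10.0.0.9 walks port 80.
SAMPLE_LOG = [f"10.0.0.5 -> 192.0.2.{h}:1433" for h in range(1, 9)] + \
             [f"10.0.0.9 -> 192.0.2.{h}:80" for h in range(1, 9)]

LINE_RE = re.compile(r"^(\S+) -> (\S+):(\d+)$")

def parse(lines):
    """Yield (src, dst, dport) tuples from the constructed log format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def host_sweep_low_ports(events, threshold=5, max_port=1024):
    """Old behaviour (assumed parameters): count distinct destination hosts
    per source, but only for connections to 'low' ports. Anything above
    max_port is never counted, so a sweep confined to port 1433 raises no
    alert, which is the false negative the thread describes."""
    hosts = defaultdict(set)
    for src, dst, dport in events:
        if dport <= max_port:
            hosts[src].add(dst)
    return sorted(src for src, seen in hosts.items() if len(seen) >= threshold)

def service_sweep(events, threshold=5):
    """New behaviour: count distinct destination hosts per (source, service
    port). The port value itself no longer matters, so the 1433 sweep is
    counted like any other service."""
    hosts = defaultdict(set)
    for src, dst, dport in events:
        hosts[(src, dport)].add(dst)
    return sorted(key for key, seen in hosts.items() if len(seen) >= threshold)

if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    print("host sweep (low ports only):", host_sweep_low_ports(events))
    print("service sweep:", service_sweep(events))
```

Only the port-80 scanner trips the low-port host sweep, while the service sweep flags both sources, each tagged with the port being swept.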

New Member

Re: IDS missing TONS of port scans

Will the engrel2 become part of the updates (and with which one)?
