Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Is the signature 9023 useless ???

The subject of the conversation is a bit provoking, but I really think that the implementation of the signature make it useless.

Why do I think so ? Well, every scan for the port 36794 will fire the signature (S33 description: "The signature will fire if a SYN packet is detected destined for TCP port 36794"). What is the information I get out of the event ? There was a port scan. How interesting.

I really wonder why the signature does not fire if a SYN/ACK from port 36794 is found? Or two subsignatures, one for the SYN packet, for the statistics, one for the SYN/ACK to show the problems.

Except for active FTP server, such a signature would give me a real information: There is an application active on the port.

With the current signature I always have to check the destination if it is active or if only a simple SYN packet was detected.

I'm writing this message, because I would like to start a discussion about the way of detecting problems and not only creating statistics from attacks.

What is your opinion ?


Re: Is the signature 9023 useless ???

This is a valid suggestion for the TCP-based backdoor signatures. We will take it under advisement. One obvious way to make the 9xxx series signatures more effective is to use RecordOfExcludedPatterns to filter events originating from external networks. Two signatures is probably overload.

New Member

Re: Is the signature 9023 useless ???

Mmmh, I think this will not work. Remember, the signatures are fired if a SYN request is found. If you block OUT -> IN you will only see SYN requests from inside to outside. The SYN/ACKS can not be seen because the signature does not work on SYN/ACKs. That is the reason that I believe that signatures of this type are more or less useless.


Re: Is the signature 9023 useless ???

I really meant to say filtering out IN -> OUT. Thanks for the correction. I see your point, but SYN packets to port 36794 or 31337 for example should trigger interest. Yes, they just might indicate a port scan. But, the whole point of these signatures is just to provide awareness, not proof positive someone is exploiting a backdoor.

New Member

Re: Is the signature 9023 useless ???

>But, the whole point of these signatures is

>just to provide awareness, not proof positive

>someone is exploiting a backdoor.

Yes, that is the point. As long as an IDS system is before a firewall, you get a lot of data from port scans. The problem is, that this information is useless except you want a statistic. (Please do not start the discussion where the IDS has to be placed)

So, what do you get from this signature: A hint to check a system if there is a backdoor in one of your systems. If you have a large network and the scan hit your complete network....

Out of the reason that you never know when a backdoor is installed, you have to check every system every day if there is a listening application. That is a lot of work.

If the signature would trigger on a SYN/ACK, the number of systems you have to check would be less than 1% against the dumb SYN signature.

I think that people running an IDS have a lot of awareness for security problems. They need tools that make the life more easier. I really would like to see a change from signatures reporting attack to signatures reporting successful attacks. I know that this is a dream, but you can work on it. And sometimes the steps are really easy.