My question is on filtering signature #3030 (TCP SYN Host Sweep). I am seeing a lot of events from this signature. When I looked at the NSDB, it recommended filtering it out for internal hosts. I feel a little reserved about doing this. I am just curious if this is something people choose to filter to reduce the number of false positives.
Well, in my case, yes. I can't believe nobody has answered your question. I filter a lot of alarms that originate from my inside network. This is mainly because I have control of the inside and there are a small number of us, so I know we don't have anybody on the inside who would knowingly do something that would trigger those alarms that I filter out. For some people it may be different, because you don't know who is on the inside, and maybe somebody might want to scan your internal network to do DoS attacks from the inside. I'm sure it's happened before.
I stumbled on your question because I was looking for a way to reduce the number of alarms so it wouldn't take me 20 minutes to clear them out in CTR. I really don't want to get 30,000 alarms from the same IP when I could get just a few that say I got a boatload of TCP SYN Host Sweeps or whatever from this IP. I just thought about it and I'm sure the signature can be tuned to do that, so I'm going on my quest to figure that out...
Well, it seems that particular signature fires on ordinary web page browsing, so I don't see any option BUT to filter it originating from any internal machines. I sure wish they gave the same flexibility to modify existing signatures as they do to creating new ones; then you could at least attempt to analyze internal traffic patterns to see if you could feasibly tune it to the point of being able to see a legitimate security compromise with that sig.
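Since the thread turns on two tuning choices (excluding inside sources from the sweep signature, and getting a handful of summarized alarms instead of thousands of per-hit ones), here is an added illustration of both. It is not Cisco IDS/IPS code and not the real logic or parameters of signature 3030: a toy host-sweep counter run over constructed SYN records. The 10-hosts-in-60-seconds threshold, the 10.0.0.0/8 "inside" range and the record format are assumptions for the example. It shows why an inside user simply browsing the web (one source, many destination hosts) trips a naive sweep counter, what an internal-source exclusion changes, and the difference between alerting on every qualifying SYN and emitting one summary per source per window.

```python
"""Toy TCP SYN host-sweep detector with two tuning knobs:
source-network exclusion and per-source alarm summarization.
Added example; not Cisco code and not signature 3030's real parameters."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample SYN records: (timestamp_seconds, src, dst, dport).
# 10.0.0.5 is an inside user browsing the web: 12 distinct servers in
# under a minute, which looks like a host sweep to a plain counter.
# 203.0.113.9 is an outside host probing 15 inside hosts on TCP/445.
# 10.0.0.7 makes one ordinary connection and should never alert.
SAMPLE_SYNS = (
    [(t, "10.0.0.5", f"198.51.100.{n}", 443)
     for t, n in zip(range(0, 48, 4), range(1, 13))]
    + [(100 + t, "203.0.113.9", f"10.0.0.{n}", 445)
       for t, n in zip(range(0, 60, 4), range(20, 35))]
    + [(200, "10.0.0.7", "10.0.0.1", 22)]
)

# Assumed "inside" address space for the exclusion filter.
INSIDE = [ip_network("10.0.0.0/8")]


def detect_host_sweeps(syns, threshold=10, window=60, exclude_src=(), summarize=True):
    """Return alerts for sources that SYN to >= `threshold` distinct
    destination hosts within `window` seconds.

    exclude_src: networks whose sources are never alerted on (the
                 "filter it for internal hosts" tuning).
    summarize:   True  -> one alert per source per window, carrying the
                          set of hosts swept so far;
                 False -> one alert per qualifying SYN (the behaviour
                          that piles up thousands of near-identical events).
    Each alert is a dict with src, first, last and a set of hosts."""
    seen = defaultdict(list)   # src -> [(ts, dst), ...] inside the window
    open_summary = {}          # src -> summary alert still being updated
    alerts = []
    for ts, src, dst, _dport in sorted(syns):
        if any(ip_address(src) in net for net in exclude_src):
            continue
        hist = seen[src]
        # slide the window: forget SYNs older than `window` seconds
        hist[:] = [(t, d) for t, d in hist if ts - t <= window]
        hist.append((ts, dst))
        hosts = {d for _, d in hist}
        if len(hosts) < threshold:
            continue
        if not summarize:
            alerts.append({"src": src, "first": ts, "last": ts, "hosts": set(hosts)})
            continue
        cur = open_summary.get(src)
        if cur is not None and ts - cur["first"] <= window:
            # fold this hit into the open summary instead of a new alarm
            cur["last"] = ts
            cur["hosts"] |= hosts
        else:
            cur = {"src": src, "first": ts, "last": ts, "hosts": set(hosts)}
            open_summary[src] = cur
            alerts.append(cur)
    return alerts


def describe(alerts):
    """Human-readable one-liner per alert, for the demo below."""
    return [f"{a['src']} swept {len(a['hosts'])} hosts "
            f"between t={a['first']}s and t={a['last']}s" for a in alerts]


if __name__ == "__main__":
    print("untuned, summarized:", describe(detect_host_sweeps(SAMPLE_SYNS)))
    print("inside excluded:    ", describe(detect_host_sweeps(SAMPLE_SYNS, exclude_src=INSIDE)))
    print("per-hit alarms:     ", len(detect_host_sweeps(SAMPLE_SYNS, summarize=False)))
```

With the constructed data, the untuned summarized run reports both the browsing user and the outside scanner; excluding 10.0.0.0/8 sources leaves only the scanner, which is the trade-off the NSDB recommendation makes (an inside host scanning inside hosts is also silenced); and turning summarization off yields nine alarms for the same two sources, which is the pile-up the thread complains about at much larger scale.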