Cisco Support Community

New Member

SigName: TCP FIN Packet

Dearest list,

Current Signature:

Engine ATOMIC.TCP SIGID 3042

SigName: TCP FIN Packet

Signature 3042 fires a lot when multiple or random IP addresses located in the Internet domain are destined for the local network web server IP address and port 80. Would the list advise increasing the "minhits" parameter of the Atomic.TCP engine for this signature?

The alarm appears to fire due to normal reasons and I would like to reduce the amount of times that it fires in order to determine real fin scans. I know that by increasing this value you will run the risk of missing initial port scans.

Is it normal for this alarm with high volumes of traffic and the destination web server?

Regards

2 REPLIES
Bronze

Re: SigName: TCP FIN Packet

Since the alarms are coming from random IPs, setting the MinHits may not help much. The MinHits parameter would be applicable if the same host were sending lots of FIN packets to your web server. If you don't necessarily care about the source address (just that the alarm is firing), I'd recommend setting the AlarmThrottle mode to Summarize. This will give you a summary every 30 seconds of any 3042s that fired. This will reduce your alarm level, but still alert you to any DoS attacks. Regarding port scans, we have other signatures that will catch those. 3042 is more of a strange condition kind of alert.
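As an added illustration (not Cisco's implementation and not code from the thread), a small Python model of the two tuning choices discussed in this reply, run over a constructed stream of FIN events from mostly distinct sources: a per-source MinHits threshold only ever reaches the one repeating host, while interval summarization cuts alert volume regardless of source. The threshold semantics, the 30-second window and the contents of a summary record are assumptions made for the model.

```python
from collections import Counter, defaultdict

# Constructed sample of 3042-style FIN events as (timestamp_seconds, source_ip).
# All target the same web server on port 80; sources are mostly distinct,
# as described in the thread, plus one host (203.0.113.5) that repeats.
EVENTS = [
    (0, "198.51.100.10"), (3, "198.51.100.11"), (7, "198.51.100.12"),
    (12, "203.0.113.5"), (15, "203.0.113.5"), (20, "198.51.100.13"),
    (25, "203.0.113.5"), (33, "198.51.100.14"), (40, "198.51.100.15"),
    (47, "203.0.113.5"), (55, "198.51.100.16"), (58, "198.51.100.17"),
]

def alerts_fire_all(events):
    """Baseline: one alert per matching packet."""
    return len(events)

def alerts_min_hits(events, min_hits):
    """Model of a per-source MinHits threshold (assumed semantics: a source
    produces one alert once it has sent at least min_hits FIN packets).
    With random sources, most hosts never reach the threshold, so the
    alert count drops but those sources are never reported at all."""
    seen = Counter()
    alerts = 0
    for _, src in events:
        seen[src] += 1
        if seen[src] == min_hits:
            alerts += 1
    return alerts

def alerts_summarize(events, interval=30):
    """Model of AlarmThrottle Summarize: one summary record per interval.
    Recording the hit count and the distinct sources per window is an
    assumption of this model, not a statement about the product's format."""
    buckets = defaultdict(list)
    for ts, src in events:
        buckets[ts // interval].append(src)
    return [{"window_start": k * interval, "hits": len(v), "sources": sorted(set(v))}
            for k, v in sorted(buckets.items())]
```

On the sample, per-packet firing yields 12 alerts, MinHits=3 yields 1 (only the repeating host), and summarization yields 2 records covering all 12 hits.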

New Member

Re: SigName: TCP FIN Packet

The alarm is currently set for fireonce. I know that you have suggested summarizing the alarm.

Would one other option be to disable the alarm at the sensor when the destination is the web server’s IP address?

Is this something that you would do, given that there are other alarms in the signature database to detect scans?

I am interested in having/keeping the remote IP addresses and summary would obscure this vision.

Regards
