Signature 3042 fires a lot when multiple or random IP addresses located in the Internet domain have a destination of the local network web server IP address and port 80. Would the list advise increasing the MinHits parameter of the Atomic.TCP engine for this signature?
The alarm appears to fire for normal reasons, and I would like to reduce the number of times it fires in order to identify real FIN scans. I know that by increasing this value I run the risk of missing initial port scans.
Is it normal for this alarm to fire with high volumes of traffic to the destination web server?
Since the alarms are coming from random IPs, setting MinHits may not help much. The MinHits parameter would be applicable if the same host were sending lots of FIN packets to your web server. If you don't necessarily care about the source address (just that the alarm is firing), I'd recommend setting the AlarmThrottle mode to Summarize. This will give you a summary every 30 seconds of any 3042's that fired. This will reduce your alarm level, but still alert you to any DoS attacks. Regarding port scans, we have other signatures that will catch those. 3042 is more of a strange-condition kind of alert.
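The reply's point (a per-source MinHits threshold does nothing when every hit comes from a different address, while a Summarize throttle still cuts alert volume) is easy to see on sample data. The script below is an added example written for this thread; it is not Cisco sensor code and does not reproduce the Atomic.TCP engine's internals. The parameter names MinHits, the 30-second summary interval and the 60-second counting window are borrowed from the discussion; the addresses, timestamps and the repeat-offender source are constructed.

```python
"""Added example (not from the thread or from Cisco): simulate two ways of
tuning a per-packet alert such as the FIN-packet signature discussed above.

  minhits_alerts    - MinHits-style per-source threshold: a single source
                      must produce `min_hits` events within `window`
                      seconds before one alert is raised for it.
  summarize_alerts  - AlarmThrottle=Summarize-style: one summary record per
                      fixed interval (30 s in the reply) carrying a hit
                      count and the distinct sources seen.

All events below are constructed sample data.
"""
from collections import defaultdict, deque

# Constructed events: (seconds, source_ip, dest_ip, dest_port).
# Eight unrelated "random" Internet sources plus one source (203.0.113.5)
# that sends repeated FIN packets to the web server.
WEB_SERVER = "10.0.0.80"
SAMPLE_EVENTS = [
    (0.0,  "198.51.100.10", WEB_SERVER, 80),
    (2.0,  "203.0.113.5",   WEB_SERVER, 80),
    (5.0,  "198.51.100.22", WEB_SERVER, 80),
    (8.0,  "203.0.113.5",   WEB_SERVER, 80),   # repeat
    (12.0, "192.0.2.77",    WEB_SERVER, 80),
    (20.0, "203.0.113.5",   WEB_SERVER, 80),   # third hit from same source
    (33.0, "198.51.100.40", WEB_SERVER, 80),
    (41.0, "192.0.2.9",     WEB_SERVER, 80),
    (45.0, "203.0.113.5",   WEB_SERVER, 80),
    (58.0, "192.0.2.120",   WEB_SERVER, 80),
    (63.0, "198.51.100.61", WEB_SERVER, 80),
    (70.0, "192.0.2.200",   WEB_SERVER, 80),
]


def minhits_alerts(events, min_hits=3, window=60.0):
    """Per-source threshold. Returns [(source_ip, ts_of_alert, hits)].

    A source's timestamps older than `window` seconds are discarded; once
    `min_hits` recent hits accumulate, one alert fires and the counter for
    that source is reset. Sources that only ever send one packet never fire,
    which is exactly why MinHits does not help against random sources.
    """
    recent = defaultdict(deque)
    alerts = []
    for ts, src, _dst, _port in sorted(events):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= min_hits:
            alerts.append((src, ts, len(q)))
            q.clear()  # start counting again after firing
    return alerts


def summarize_alerts(events, interval=30.0):
    """Interval summaries. Returns a list of dicts ordered by window_start:
    {"window_start": float, "hits": int, "sources": [ip, ...]}.

    Every hit is still counted, so a burst (possible DoS) shows up as a large
    count in one window, but the operator sees one record per interval
    instead of one alert per packet.
    """
    buckets = {}
    for ts, src, _dst, _port in sorted(events):
        start = (ts // interval) * interval
        b = buckets.setdefault(start, {"window_start": start, "hits": 0, "sources": set()})
        b["hits"] += 1
        b["sources"].add(src)
    return [dict(b, sources=sorted(b["sources"])) for _, b in sorted(buckets.items())]


if __name__ == "__main__":
    print(f"raw per-packet alerts: {len(SAMPLE_EVENTS)}")
    for src, ts, n in minhits_alerts(SAMPLE_EVENTS):
        print(f"MinHits alert: {src} sent {n} FIN packets, last at t={ts:.0f}s")
    for w in summarize_alerts(SAMPLE_EVENTS):
        print(f"summary t={w['window_start']:.0f}s: {w['hits']} hits "
              f"from {len(w['sources'])} sources")
```

On this data the raw signature would raise 12 alerts; MinHits=3 raises exactly one (for 203.0.113.5 at t=20 s) and silently drops the eight single-packet sources, while Summarize produces three 30-second records whose counts still add up to 12, so a flood would remain visible as a spike in one window.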