Strange sig 3030 from our Netscreen untrusted interface
Our Cisco Secure IDS (that lives outside the firewall) is picking up some strange traffic off one of our Netscreen firewalls. The Src addresses are the untrusted interface addresses assigned to the Netscreen. Has anyone seen something like this before? Is it a bug or am I seeing something interesting?
Date Sensor Signature Sub Sig Description Severity Src Address Src Port Dst Address Dst Port
Re: Strange sig 3030 from our Netscreen untrusted interface
Is your firewall running NAT?
If so then multiple clients are connecting to different web servers (or ftp servers).
This simulates a single IP address sending SYN packets to multiple destination addresses, which is considered a TCP SYN Host Sweep.
I would recommend excluding your NAT addresses as the source of this alarm.
If you have done that, and the alarm is still firing then you are seeing a known bug in IDS.
The alarm has gone into Summary Mode, and that is likely why the destination addresses are 0.0.0.0 in your alarms. Look in the alarm detail field to see if it says Summary.
The exclude code has a problem when the alarm goes into summary mode because it is unable to match properly on the 0.0.0.0 address we use in Summary mode.
You can either use SigWizMenu and change this signature to use FireOnce mode rather than FireAll or Summary, or you can add an extra Exclude line with the NAT addresses as the Src and the word OUT as the destination.
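Added example (not part of the original thread and not Cisco's signature code): a minimal Python model of a SYN host-sweep detector, showing why ordinary client traffic looks like a sweep once source NAT collapses it onto the firewall's untrusted address, and how excluding that source silences the alarm. The window, the threshold and all addresses are assumed or constructed values, not the real signature 3030 parameters.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10        # assumed window, not the real signature 3030 value
UNIQUE_DST_THRESHOLD = 5   # assumed threshold, not the real signature 3030 value


def detect_host_sweeps(syn_events, excluded_sources=frozenset()):
    """Return the sources that sent SYNs to at least UNIQUE_DST_THRESHOLD
    distinct destinations within WINDOW_SECONDS.

    syn_events: time-ordered iterable of (timestamp_seconds, src_ip, dst_ip).
    """
    recent = defaultdict(deque)   # src -> (ts, dst) pairs still inside the window
    alarms = set()
    for ts, src, dst in syn_events:
        if src in excluded_sources:
            continue              # excluded sources never count toward a sweep
        window = recent[src]
        window.append((ts, dst))
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()      # drop SYNs that have aged out of the window
        if len({d for _, d in window}) >= UNIQUE_DST_THRESHOLD:
            alarms.add(src)
    return alarms


def apply_source_nat(events, nat_ip):
    """Rewrite every source to the firewall's outside address, as source NAT does."""
    return [(ts, nat_ip, dst) for ts, _, dst in events]


# Constructed sample: three internal clients, each opening two web connections.
NAT_IP = "203.0.113.1"   # documentation address standing in for the untrusted interface
INSIDE_VIEW = [
    (0, "10.0.0.11", "198.51.100.10"), (1, "10.0.0.11", "198.51.100.11"),
    (2, "10.0.0.12", "198.51.100.20"), (3, "10.0.0.12", "198.51.100.21"),
    (4, "10.0.0.13", "198.51.100.30"), (5, "10.0.0.13", "198.51.100.31"),
]
# What a sensor outside the firewall sees: one source, six destinations.
OUTSIDE_VIEW = apply_source_nat(INSIDE_VIEW, NAT_IP)

if __name__ == "__main__":
    print("inside view :", detect_host_sweeps(INSIDE_VIEW))
    print("outside view:", detect_host_sweeps(OUTSIDE_VIEW))
    print("NAT excluded:", detect_host_sweeps(OUTSIDE_VIEW, {NAT_IP}))
```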