Cisco Support Community
New Member

TCP High Port Sweep false positive

We're seeing a ton of false positives for sig 3010 TCP High Port Sweep. We've reviewed the flows in question and they are valid sessions, not attacks. Upon reviewing the details of the event, we see that, according to NetRanger, the source port for the packets is 0 (zero). It appears that NetRanger is unable to match the packet to the outbound session that it's related to. We were thinking there might be a bug that's corrupting the source port during packet capture. Is there a configuration error that can explain this condition?

Thanks for any assistance

1 REPLY
Cisco Employee

Re: TCP High Port Sweep false positive

This is not an unusual occurrence. A user that connects to a web server could cause what appears to be a High Port Sweep directed from the web server bound to the client. This is just one instance of the possible ways a benign event can cause this problem. Most often web servers are the benign generators of this alarm.

If you are seeing zero listed as the source port, this probably indicates that you are looking at an aggregated alarm notification. This means that you are viewing the results of taking several alarms of this type and lumping them together. When this occurs, the source port information of the individual events is lost (since the alarm is the aggregation of several alarms that probably originated from different source ports).

KLW
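The two points in the reply above, that a browser talking to a web server looks like a high port sweep to a detector that does not track who opened each connection, and that lumping several alarms together leaves no single source port to report, are shown below in a toy detector. This is an added example, not code from the thread or from NetRanger; the threshold, the 1024 high-port boundary, the aggregation rule and all IP addresses and ports are constructed for illustration, and the "stateful" variant is a suggested refinement, not a description of how the sensor actually works.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Illustrative parameters assumed for this example, not NetRanger's real tuning.
HIGH_PORT = 1024      # anything at or above this counts as a "high" port
SWEEP_THRESHOLD = 5   # distinct high destination ports hit before events fire


class Packet(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # "S" = SYN (opens a connection), "SA" = SYN/ACK (the reply)


class Event(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Alarm(NamedTuple):
    src_ip: str
    src_port: int   # 0 when the lumped events came from different source ports
    dst_ip: str
    dst_ports: Tuple[int, ...]


def web_session(client: str, server: str, server_ports: Tuple[int, ...],
                n_objects: int) -> List[Packet]:
    """Constructed benign traffic: the client fetches n_objects objects from each
    listed server port, one TCP connection per object. Every connection is a SYN
    from a client ephemeral port plus the server's SYN/ACK back to that port."""
    pkts: List[Packet] = []
    eph = 49152
    for sport in server_ports:
        for _ in range(n_objects):
            pkts.append(Packet(client, eph, server, sport, "S"))
            pkts.append(Packet(server, sport, client, eph, "SA"))
            eph += 1
    return pkts


def syn_sweep(attacker: str, target: str, ports: range) -> List[Packet]:
    """Constructed hostile traffic: unsolicited SYNs to consecutive high ports."""
    return [Packet(attacker, 40000, target, p, "S") for p in ports]


def sweep_events(pkts: List[Packet], stateful: bool,
                 threshold: int = SWEEP_THRESHOLD) -> List[Event]:
    """Toy high-port-sweep detector. Per (src_ip, dst_ip) it counts distinct
    destination ports >= HIGH_PORT and emits one Event per new port once the
    count reaches the threshold. Stateless mode counts every packet, so a web
    server's SYN/ACKs to a browser's many ephemeral ports look like a sweep.
    Stateful mode skips a SYN/ACK that answers a SYN already seen the other way."""
    syns_seen = set()
    hit: Dict[Tuple[str, str], set] = defaultdict(set)
    events: List[Event] = []
    for p in pkts:
        if p.flags == "S":
            syns_seen.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
        elif stateful and (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in syns_seen:
            continue  # reply to a connection the other side opened, not a sweep
        if p.dst_port < HIGH_PORT:
            continue
        ports = hit[(p.src_ip, p.dst_ip)]
        if p.dst_port not in ports:
            ports.add(p.dst_port)
            if len(ports) >= threshold:
                events.append(Event(p.src_ip, p.src_port, p.dst_ip, p.dst_port))
    return events


def aggregate(events: List[Event]) -> Dict[Tuple[str, str], Alarm]:
    """Roll per-packet events up into one Alarm per (src_ip, dst_ip). If the
    lumped events carried more than one source port there is no single value
    to report, so src_port becomes 0: the zero the thread above asks about."""
    groups: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for e in events:
        groups[(e.src_ip, e.dst_ip)].append(e)
    alarms: Dict[Tuple[str, str], Alarm] = {}
    for (src, dst), evs in groups.items():
        sports = {e.src_port for e in evs}
        sport = sports.pop() if len(sports) == 1 else 0
        alarms[(src, dst)] = Alarm(src, sport, dst, tuple(e.dst_port for e in evs))
    return alarms


if __name__ == "__main__":
    benign = web_session("10.1.1.50", "192.0.2.10", (80, 443), 12)
    hostile = syn_sweep("198.51.100.7", "10.1.1.50", range(1024, 1031))
    for name, pkts in (("benign web session", benign), ("real SYN sweep", hostile)):
        for stateful in (False, True):
            alarms = aggregate(sweep_events(pkts, stateful))
            print(f"{name}, stateful={stateful}: {list(alarms.values())}")
```

Run stand-alone, the benign session (24 connections to ports 80 and 443 on one server) produces a stateless alarm attributed to the server with source port 0, because its events came from two server ports; the same session with only port 80 would keep source port 80 in the summary. The stateful pass produces nothing for the browser traffic while still flagging the unsolicited SYN sweep, which is the distinction a tuning or filtering rule for this signature needs to make.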
