We're seeing a ton of false positives for sig 3010 TCP High Port Sweep. We've reviewed the flows in question and they are valid sessions, not attacks. Upon reviewing the details of the event, we see that, according to NetRanger, the source port for the packets is 0 (zero). It appears that NetRanger is unable to match the packet to the outbound session that it's related to. We were thinking there might be a bug that's corrupting the source port during packet capture? Is there a configuration error that can explain this condition?
This is not an unusual occurrence. A user that connects to a webserver could cause what appears to be a High port sweep directed from the Web Server bound to the client. This is just one instance of the possible ways a benign event can cause this problem. Most often web servers are the benign generators of this alarm.
If you are seeing zero listed as the source port, this probably indicates that you are looking at an aggregated alarm notification. This means that you are viewing the results of taking several alarms of this type and lumping them together. When this occurs, the source port information of the individual events is lost (since the alarm is the aggregation of several alarms that probably originated from different source ports).
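The two effects described in the reply above, as an added example that is not part of the original thread and is not NetRanger's actual logic: a simplified, stateless sweep counter flags a web server's replies to a client's ephemeral ports, and summarising those alarms leaves 0 where the source ports differ. The addresses, threshold, port boundary and aggregation rule are all assumptions made for illustration.

```python
from collections import defaultdict

HIGH_PORT = 1024      # assumed boundary for a "high" port
SWEEP_THRESHOLD = 5   # assumed: distinct high destination ports before alarming

# Constructed traffic: one client opens six sessions to a server on ports
# 80 and 443; each SYN is answered by a SYN-ACK to the client's ephemeral port.
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"
PACKETS = []
for i, eph in enumerate(range(49152, 49158)):
    svc = 80 if i % 2 == 0 else 443
    PACKETS.append((CLIENT, eph, SERVER, svc, "S"))
    PACKETS.append((SERVER, svc, CLIENT, eph, "SA"))

def naive_sweep_alarms(packets):
    """Stateless count of distinct high destination ports per (src, dst)."""
    seen, alarms = defaultdict(set), []
    for src, sport, dst, dport, _flags in packets:
        if dport < HIGH_PORT:
            continue
        seen[(src, dst)].add(dport)
        if len(seen[(src, dst)]) >= SWEEP_THRESHOLD:
            alarms.append({"src": src, "src_port": sport, "dst": dst})
    return alarms

def session_aware_sweep_alarms(packets):
    """Drop replies to a SYN seen in the opposite direction, then count."""
    opened, kept = set(), []
    for pkt in packets:
        src, sport, dst, dport, flags = pkt
        if flags == "S":
            opened.add((src, sport, dst, dport))
        if (dst, dport, src, sport) not in opened:
            kept.append(pkt)
    return naive_sweep_alarms(kept)

def aggregate(alarms):
    """One summary per (src, dst); differing source ports collapse to 0."""
    groups = defaultdict(set)
    counts = defaultdict(int)
    for a in alarms:
        groups[(a["src"], a["dst"])].add(a["src_port"])
        counts[(a["src"], a["dst"])] += 1
    return [{"src": s, "dst": d, "count": counts[(s, d)],
             "src_port": next(iter(p)) if len(p) == 1 else 0}
            for (s, d), p in groups.items()]

if __name__ == "__main__":
    print(aggregate(naive_sweep_alarms(PACKETS)))
    print(session_aware_sweep_alarms(PACKETS))
```

The stateless counter attributes the "sweep" to the server, while the session-aware variant raises nothing for the same constructed traffic.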