https://community.cisco.com/t5/network-security/cisco-ips-condition-for-tcp-null-packet/m-p/2429123#M45555 <P>What are the conditions for this event to trigger ? does it trigger even if there is one packet without any of the flags syn, ack,fin,rst or if there are 10 in 50 packets without the flags set ?&nbsp;</P> Sun, 10 Mar 2019 13:12:02 GMT Shadowknight14 2019-03-10T13:12:02Z https://community.cisco.com/t5/network-security/cisco-ips-condition-for-tcp-null-packet/m-p/2429123#M45555 <P>What are the conditions for this event to trigger ? does it trigger even if there is one packet without any of the flags syn, ack,fin,rst or if there are 10 in 50 packets without the flags set ?&nbsp;</P> Sun, 10 Mar 2019 13:12:02 GMT https://community.cisco.com/t5/network-security/cisco-ips-condition-for-tcp-null-packet/m-p/2429123#M45555 Shadowknight14 2019-03-10T13:12:02Z https://community.cisco.com/t5/network-security/cisco-ips-condition-for-tcp-null-packet/m-p/2429124#M45556 <P>Benign trigger states&nbsp;</P><P><SPAN style="color: rgb(0, 0, 0); font-family: Arial; font-size: 12px; line-height: normal;">This alarm may fire if large amounts of random network traffic are transmitted across the network, such as during a denial of service attack. To reduce number of unverifiable alarms being generated, this signature will begin throttling the creation of new alarms if more than one event of this type is detected per second. The first alarm will be sent, but all subsequent alarms will be summarized and periodically reported. The summarization alarm will report NULL IP addresses / port numbers and will contain this message in the data field, Global Summary: XX alarms this interval, where XX is the number of alarms received and summarized.</SPAN></P> Sun, 18 May 2014 11:30:56 GMT https://community.cisco.com/t5/network-security/cisco-ips-condition-for-tcp-null-packet/m-p/2429124#M45556 Shadowknight14 2014-05-18T11:30:56Z https://community.cisco.com/t5/network-security/cisco-ips-condition-for-tcp-null-packet/m-p/2429125#M45557 <P>Hello Shadowknight14,</P><P>I presume you are talking about Cisco IPS signature 3040-0?<BR />Essentially, that signature is defined as</P><P><SPAN style="font-family:courier new,courier,monospace;">atomic-ip/fragment-status : no-fragments<BR />atomic-ip/l4-protocol/tcp/dst-port : 1-1024<BR />atomic-ip/l4-protocol/tcp/tcp-flags:<BR />atomic-ip/l4-protocol/tcp/tcp-mask : urg|ack|psh|rst|syn|fin<BR />alert-frequency/summary-mode/fire-once/global-summary-threshold : 200<BR />alert-frequency/summary-mode/fire-once/summary-interval : 30</SPAN></P><P>If you look at the Atomic-IP section of <A href="http://www.cisco.com/web/about/security/intelligence/ips_custom_sigs.html#6">http://www.cisco.com/web/about/security/intelligence/ips_custom_sigs.html#6</A><BR />you'll see the description of tcp-flags and tcp-mask parameters.</P><P>The flags in the packet are compared for equality to the tcp-flags &amp; tcp-mask<BR />so the above is<BR /><SPAN style="font-family:courier new,courier,monospace;">&nbsp;&nbsp;&nbsp; tcp-flags 000000<BR />and tcp-mask&nbsp; 111111<BR />&nbsp;&nbsp;&nbsp; ----------------<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 000000</SPAN></P><P>so if your packet does not have 000000 for its flags, it won't trigger the packet.</P><P>In English, sig 3040-0 is going to fire on any TCP packets destined to the privileged ports 1-1024 but lacking all 6 TCP flags.</P><P>The summary settings mean that it will fire up to 1 time per 30 seconds per attacker (until it hits the global summary threshold of 200 events, at which time you switch to global-summary mode which summarizes all attackers once per interval).</P> Tue, 20 May 2014 17:39:39 GMT https://community.cisco.com/t5/network-security/cisco-ips-condition-for-tcp-null-packet/m-p/2429125#M45557 shepp 2014-05-20T17:39:39Z