https://community.cisco.com/t5/network-security/tcp-syn-host-sweep-at-5-1-1p1/m-p/529539#M90278 <HTML><HEAD></HEAD><BODY><P>I noticed the same thing between our sensors running v4.1(5)S201 against our v5.1(1e)S237 sensors. The v4 sensors do store the victim port number.</P><P></P><P>Checking sig 3030 on the v4 sensor, the storage-key is indeed Axxb.</P></BODY></HTML> Fri, 07 Jul 2006 17:29:23 GMT npham 2006-07-07T17:29:23Z https://community.cisco.com/t5/network-security/tcp-syn-host-sweep-at-5-1-1p1/m-p/529530#M90269 <P>With SecMon 2.2, the TCP SYN Host Sweep (3030.0) fails to display the victim&#146;s port in the console. The console shows &lt;n/a&gt; in the port field. The sensors are at version 5.1.1p1. The command &#147;Show Events Alert Info&#148; on the sensor reveals that the destination port is not capture by the sensor event.</P><P></P><P>upgrade history of the sensor:</P><P></P><P>* IPS-sig-S221-minreq-5.0-5 </P><P> IPS-K9-patch-5.1-1p1.pkg</P><P></P><P>Is there a reason for no longer capturing the destination porton this signature? </P><P></P> Sun, 10 Mar 2019 09:55:56 GMT https://community.cisco.com/t5/network-security/tcp-syn-host-sweep-at-5-1-1p1/m-p/529530#M90269 darin.marais 2019-03-10T09:55:56Z https://community.cisco.com/t5/network-security/tcp-syn-host-sweep-at-5-1-1p1/m-p/529531#M90270 <HTML><HEAD></HEAD><BODY><P>Was it capturing the port information *prior* to p1 or the last update applied? I'm just trying to get a grasp on if this is an issue with an update or maybe you just noticed it now and are wondering about how/why it disaplys what it does.</P></BODY></HTML> Fri, 17 Mar 2006 18:28:55 GMT https://community.cisco.com/t5/network-security/tcp-syn-host-sweep-at-5-1-1p1/m-p/529531#M90270 wsulym 2006-03-17T18:28:55Z https://community.cisco.com/t5/network-security/tcp-syn-host-sweep-at-5-1-1p1/m-p/529532#M90271 <HTML><HEAD></HEAD><BODY><P>The reason it does not show an IP address is that a host sweep, by definition, hits a bunch of hosts. I believe the raw alarm has 0.0.0.0 as the ip address; sounds like SecMon is changing this to n/a (correctly I would say).</P><P>I don't remember this alarm ever displaying all of the destination IPs.</P><P></P></BODY></HTML> Fri, 17 Mar 2006 21:28:59 GMT https://community.cisco.com/t5/network-security/tcp-syn-host-sweep-at-5-1-1p1/m-p/529532#M90271 scothrel 2006-03-17T21:28:59Z https://community.cisco.com/t5/network-security/tcp-syn-host-sweep-at-5-1-1p1/m-p/529533#M90272 <HTML><HEAD></HEAD><BODY><P>i dont have a problem with the destination ip address, its the destination port that is not displayed. i can understand not having all of the destination hosts as this may be summerised but the destination port should remain constant across all of the hosts&gt;&gt;&gt;</P></BODY></HTML> Sun, 19 Mar 2006 01:09:55 GMT https://community.cisco.com/t5/network-security/tcp-syn-host-sweep-at-5-1-1p1/m-p/529533#M90272 darin.marais 2006-03-19T01:09:55Z https://community.cisco.com/t5/network-security/tcp-syn-host-sweep-at-5-1-1p1/m-p/529534#M90273 <HTML><HEAD></HEAD><BODY><P>looks like i have the answer to my own question:</P><P></P><P>the answer is to modify the signature "storage key" to "attacker address and victim port". the default is only attackers address.</P></BODY></HTML> Mon, 20 Mar 2006 13:28:26 GMT https://community.cisco.com/t5/network-security/tcp-syn-host-sweep-at-5-1-1p1/m-p/529534#M90273 darin.marais 2006-03-20T13:28:26Z https://community.cisco.com/t5/network-security/tcp-syn-host-sweep-at-5-1-1p1/m-p/529535#M90274 <HTML><HEAD></HEAD><BODY><P>I'm not sure it ever did capture the port. See my post from back in October:</P><P></P><P><A class="jive-link-custom" href="http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems/IDS&amp;CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dd99469" target="_blank">http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems/IDS&amp;CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dd99469</A></P><P></P><P>Somebody from Cisco tried to explain it to me...but it doesn't make a lot of sense. Cisco did update the MySDN information to only say:</P><P></P><P>"This signature fires when a series of TCP SYN packets have been sent from one single host to a number of different hosts. This could, for example, be an attempt to map the network..."</P><P></P><P>I'm not sure about SecMon, but the Cisco Event Viewer NSDB copies do not match MySDN. This is unfortunate because MySDN is a pain to use.</P></BODY></HTML> Wed, 22 Mar 2006 15:48:15 GMT https://community.cisco.com/t5/network-security/tcp-syn-host-sweep-at-5-1-1p1/m-p/529535#M90274 mhellman 2006-03-22T15:48:15Z https://community.cisco.com/t5/network-security/tcp-syn-host-sweep-at-5-1-1p1/m-p/529536#M90275 <HTML><HEAD></HEAD><BODY><P>It actually goes a little bit further than that, changing the storage key changes the behavior somewhat.</P><P></P><P>The 5.x sweep engine provides coverage for the following types of sweeps:</P><P></P><P>Host (Axxx)</P><P>Port (AxBx)</P><P>Service (Axxb)</P><P></P><P>If you change the 'storage-key' (NOT summary-key) from Axxx to Axxb the sigs will change behavior from a "host sweep" to a "service sweep". So more than just changing what the alert reports, you are also changing the sweep trigger. </P><P></P><P>Your change may be okay if that is the desired behavior.</P><P></P><P>Note that a service sweep will typically fire less than a host sweep because it is more restrictive (i.e. only counts unique on a specific port instead of any port).</P></BODY></HTML> Wed, 22 Mar 2006 16:08:00 GMT https://community.cisco.com/t5/network-security/tcp-syn-host-sweep-at-5-1-1p1/m-p/529536#M90275 wsulym 2006-03-22T16:08:00Z https://community.cisco.com/t5/network-security/tcp-syn-host-sweep-at-5-1-1p1/m-p/529537#M90276 <HTML><HEAD></HEAD><BODY><P>Is this ICMP traffic? If it's an ICMP packet then the port destination will be displayed as 0.</P><P></P><P>It will look like this:</P><P></P><P>192.168.1.1/0</P></BODY></HTML> Thu, 23 Mar 2006 19:54:38 GMT https://community.cisco.com/t5/network-security/tcp-syn-host-sweep-at-5-1-1p1/m-p/529537#M90276 normalit 2006-03-23T19:54:38Z https://community.cisco.com/t5/network-security/tcp-syn-host-sweep-at-5-1-1p1/m-p/529538#M90277 <HTML><HEAD></HEAD><BODY><P>This signature had me checking access-lists trying to figure out how TCP port 0 was getting to the hosts in the alert.</P><P></P><P>I agree that with the description of the signature that the port would be known and displayable.</P><P></P><P>FYI...CS-MARS displays the port as TCP/0 as well.</P></BODY></HTML> Fri, 07 Jul 2006 12:04:12 GMT https://community.cisco.com/t5/network-security/tcp-syn-host-sweep-at-5-1-1p1/m-p/529538#M90277 MARK BAKER 2006-07-07T12:04:12Z https://community.cisco.com/t5/network-security/tcp-syn-host-sweep-at-5-1-1p1/m-p/529539#M90278 <HTML><HEAD></HEAD><BODY><P>I noticed the same thing between our sensors running v4.1(5)S201 against our v5.1(1e)S237 sensors. The v4 sensors do store the victim port number.</P><P></P><P>Checking sig 3030 on the v4 sensor, the storage-key is indeed Axxb.</P></BODY></HTML> Fri, 07 Jul 2006 17:29:23 GMT https://community.cisco.com/t5/network-security/tcp-syn-host-sweep-at-5-1-1p1/m-p/529539#M90278 npham 2006-07-07T17:29:23Z