https://community.cisco.com/t5/network-security/tcp-sys-host-sweep/m-p/545230#M98358 <HTML><HEAD></HEAD><BODY><P>Any ideas before the weekend?</P></BODY></HTML> Fri, 04 Aug 2006 14:55:16 GMT DFiore 2006-08-04T14:55:16Z https://community.cisco.com/t5/network-security/tcp-sys-host-sweep/m-p/545229#M98356 <P>Seems like whenever a mail server connects and does a mass mailing to customers I see this sig fire.</P><P></P><P>I also see the sig fire when "certain" users surf to websites with tracking cookies (DoubleClick, Akamai, etc.) </P><P></P><P>According to the Sig DB at MySDN, this sig is benign as long as the traffic seen is internal.</P><P></P><P>Is this the case?</P> Sun, 10 Mar 2019 10:08:48 GMT https://community.cisco.com/t5/network-security/tcp-sys-host-sweep/m-p/545229#M98356 DFiore 2019-03-10T10:08:48Z https://community.cisco.com/t5/network-security/tcp-sys-host-sweep/m-p/545230#M98358 <HTML><HEAD></HEAD><BODY><P>Any ideas before the weekend?</P></BODY></HTML> Fri, 04 Aug 2006 14:55:16 GMT https://community.cisco.com/t5/network-security/tcp-sys-host-sweep/m-p/545230#M98358 DFiore 2006-08-04T14:55:16Z https://community.cisco.com/t5/network-security/tcp-sys-host-sweep/m-p/545231#M98359 <HTML><HEAD></HEAD><BODY><P>Do you mean TCP SYN Host sweep (3030-0)? I never really found it to be a useful signature, mostly because it doesn't report the port(s) being scanned. It is prone to false positives as well since it will fire on return traffic (like to an HTTP proxy for example). Filtering can fix that if you're so inclined.</P><P></P><P>see these threads:</P><P></P><P><A class="jive-link-custom" href="http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems/IDS&amp;CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddabf56" target="_blank">http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems/IDS&amp;CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddabf56</A></P><P><A class="jive-link-custom" href="http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems/IDS&amp;CommCmd=MB?cmd=pass_through&amp;location=outline" target="_blank">http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems/IDS&amp;CommCmd=MB?cmd=pass_through&amp;location=outline</A>@^1@@.1dd99469</P><P></P></BODY></HTML> Fri, 04 Aug 2006 15:13:30 GMT https://community.cisco.com/t5/network-security/tcp-sys-host-sweep/m-p/545231#M98359 mhellman 2006-08-04T15:13:30Z https://community.cisco.com/t5/network-security/tcp-sys-host-sweep/m-p/545232#M98360 <HTML><HEAD></HEAD><BODY><P>Thanks Matt,</P><P></P><P>I'll look at the threads and consider filtering out the fires I can explain (proxy server, email, etc.)</P><P></P><P>Have a good weekend...</P><P></P><P>David</P></BODY></HTML> Fri, 04 Aug 2006 17:41:19 GMT https://community.cisco.com/t5/network-security/tcp-sys-host-sweep/m-p/545232#M98360 DFiore 2006-08-04T17:41:19Z