AD - External TCP Scanner Signature

JoseisonX
Level 1

I am getting several of these from different workstations on my network. I need to find out if this is really worm outbreak behavior or indeed a false positive. I changed the attacker IP for this post, but they are coming from internal IPs on my network.

Attacker Address   Attacker Port   Target Address   Target Port
10.0.0.1                           0.0.0.0          443
10.0.0.1                           0.0.0.0          443
10.0.0.1                           0.0.0.0          443
10.0.0.1                           0.0.0.0          443
10.0.0.1                           0.0.0.0          443
10.0.0.1                           0.0.0.0          443
10.0.0.2                           0.0.0.0          443
10.0.0.2                           0.0.0.0          443
10.0.0.2                           0.0.0.0          443
10.0.0.2                           0.0.0.0          443
10.0.0.3                           0.0.0.0          80
10.0.0.3                           0.0.0.0          80
10.0.0.4                           0.0.0.0          443
10.0.0.4                           0.0.0.0          443
10.0.0.4                           0.0.0.0          443
10.0.0.4                           0.0.0.0          443
10.0.0.4                           0.0.0.0          443
10.0.0.4                           0.0.0.0          443
10.0.0.4                           0.0.0.0          443
10.0.0.4                           0.0.0.0          443
10.0.0.5                           0.0.0.0          80
10.0.0.5                           0.0.0.0          80
10.0.0.5                           0.0.0.0          80
10.0.0.5                           0.0.0.0          80
10.0.0.6                           0.0.0.0          80
10.0.0.6                           0.0.0.0          80
10.0.0.7                           0.0.0.0          443
10.0.0.7                           0.0.0.0          443
10.0.0.7                           0.0.0.0          443
10.0.0.7                           0.0.0.0          443
10.0.0.8                           0.0.0.0          443
10.0.0.8                           0.0.0.0          443
10.0.0.8                           0.0.0.0          443
10.0.0.8                           0.0.0.0          443

Is this really the behavior of a worm outbreak? Or could it be that the "attackers" are establishing web/SSL connections to targets which are unknown or not tagged as the internal zone, hence by default the zone of the target is external? As a result, this signature was fired.

Seeking advice/views from the domain experts here. TIA.

6 Replies

Scott Fringer
Cisco Employee

Joseison;

   These signatures key on hosts that are sending TCP SYN requests to multiple destinations in a single zone and not receiving the expected SYN-ACK in return within a specified time.  The number of scanned destinations in turn crosses the configured/learned scanner threshold.  Therefore it is key that the sensor sees both directions of traffic, or there is a risk of false positive detection.

  It is not likely these sources are creating legitimate connections, as the AD engine looks for the lack of the SYN-ACK as an indicator of scanning.  This could be caused by hosts that are performing network management/vulnerability assessment duties.  Again, the one concern is if the sensor is not seeing the return traffic for legitimate connections, and in turn the missing connection response is collected and the sensor considers this potential worm activity.  Ultimately, you will need to investigate the sources of the alerts (if within your control) to see if they are performing full connections to the destinations (perhaps through the use of Wireshark on the reported hosts).

  You can find out more about the functionality of the anomaly detection engine here:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_anomaly_detection.html

Scott
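The following is an added example, not code from Cisco or from anyone in this thread. It is a small Python model of the scanner logic Scott describes: SYNs are matched against SYN-ACKs, a SYN that stays unanswered past a timeout counts as a scanned destination, and a source whose number of distinct unanswered destinations on one port reaches the threshold is reported with target 0.0.0.0 (only the source and port are tracked). It also shows the false positive he warns about: running the same logic on a capture from which the server-to-client half has been stripped makes a host with fully answered, legitimate HTTPS sessions look like a scanner. The packet records, addresses and threshold values are constructed for the demonstration; the timeout and threshold are assumed parameters, not the sensor's actual defaults.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # capture time in seconds (constructed)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # "S" for SYN, "SA" for SYN-ACK; other flags are ignored here


def find_scanners(packets, threshold, timeout, now):
    """Model of the scanner signature logic described in the thread.

    A SYN from client to (server, port) that is not matched by a SYN-ACK
    within `timeout` seconds is an unanswered destination.  A client with at
    least `threshold` distinct unanswered servers on one port is reported.
    The alert carries target 0.0.0.0: only the source address and the target
    port are tracked, not the individual destinations.
    """
    pending = {}  # (client, server, port) -> timestamp of first SYN
    for p in sorted(packets, key=lambda q: q.ts):
        if p.flags == "S":
            pending.setdefault((p.src, p.dst, p.dport), p.ts)
        elif p.flags == "SA":
            # The reply travels server -> client; its source port is the
            # service port, so the key is built the other way round.
            pending.pop((p.dst, p.src, p.sport), None)

    unanswered = defaultdict(set)  # (client, port) -> {server, ...}
    for (client, server, port), ts in pending.items():
        if now - ts >= timeout:
            unanswered[(client, port)].add(server)

    alerts = []
    for (client, port), servers in sorted(unanswered.items()):
        if len(servers) >= threshold:
            alerts.append({"attacker": client, "target": "0.0.0.0",
                           "target_port": port, "unanswered": len(servers)})
    return alerts


def one_direction_only(packets):
    """Drop the server -> client packets, mimicking a sensor placed where it
    sees only the client-side half of an asymmetric traffic flow."""
    return [p for p in packets if p.flags != "SA"]


def build_sample():
    """Constructed traffic: one host probing without replies, one host with
    ordinary, fully answered HTTPS sessions."""
    pkts = []
    # 10.0.0.1 sends SYNs to five servers on 443 and never receives a SYN-ACK
    for i in range(5):
        pkts.append(Packet(10.0 + i, "10.0.0.1", 50000 + i,
                           f"192.0.2.{10 + i}", 443, "S"))
    # 10.0.0.9 opens three legitimate HTTPS sessions; each SYN is answered
    for i in range(3):
        pkts.append(Packet(20.0 + i, "10.0.0.9", 51000 + i,
                           f"198.51.100.{i}", 443, "S"))
        pkts.append(Packet(20.1 + i, f"198.51.100.{i}", 443,
                           "10.0.0.9", 51000 + i, "SA"))
    return pkts


if __name__ == "__main__":
    sample = build_sample()
    print("both directions visible:", find_scanners(sample, 3, 2.0, now=100.0))
    print("client side only:", find_scanners(one_direction_only(sample), 3, 2.0, now=100.0))
```

With both directions visible only 10.0.0.1 is reported; with the SYN-ACKs missing from the capture, 10.0.0.9 is reported as well, which is exactly the asymmetric-flow false positive the reply describes. Checking the reported hosts with a packet capture for completed handshakes is the practical way to tell the two cases apart.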

Scott,

  I am also observing the same signatures getting fired through my IPS to destination ports 443 & 5222. I cross-checked the source machines and they don't use any scanner applications. I need to know why the destination addresses are showing as 0.0.0.0 and the interface name as sy0_0, which is not assigned to any of the interfaces.

Also, can this be worm activity from my internal zone?

Kiran

Kiran;

  Yes, there is potential that these signature events indicate worm activity.  The destination addresses are 0.0.0.0 as the sensor is only tracking the SYN activity from the hosts; it is not necessary to track the destination addresses.  The hosts in question do not need to be restricted to using a scanning application to trigger this signature; it is simply a potential source for false positives.  It is also possible that the "scanning" software is a worm looking for potential hosts to infect.

It is also possible, if the IPS is only seeing one direction of traffic (asymmetric traffic flows) and does not see the return SYN-ACK, that these signatures will fire.  In such an environment it is usually necessary to disable the anomaly detection engine or work to correct the asymmetric traffic flow.

Scott

Scott,

  Thanks a ton for updating me. Can you also let me know why this signature information shows an interface name that is not configured in my network?  This is confusing me a lot, as other signatures carry the exact interface name that is assigned in the network.

Kiran

Kiran;

  The information is tracked across all interfaces, and therefore is not limited to a single interface.  The system simply summarizes to a system interface based on the signature firing logic; the detection is specific to the source IP address only.

Scott

Scott,

  Thanks a lot. Thanks for putting me right.

Kiran
