Half-Syn open

teperjesi
Level 1

Hi,

Can somebody tell me if the Half-Syn open will fire only when the client doesn't send the final handshake ACK, or whether it fires when the server doesn't send the SYN,ACK packet too?

Can somebody tell me the threshold values for this signature? I mean, how long does the IDS wait before it rates it as a Syn attack?

Is it true that I can tune this signature?

Regards:

Tamas

7 Replies

nkhawaja
Cisco Employee

Hi,

I think it fires up if the server does not get the final ACK back from the client.

If the IDS does not see "SYN - ACK" then it is a SYN attack.

The thresholds can be changed.

Thanks

Nadeem

Hi,

thanks for the answer.

Can you tell me how I can adjust the thresholds?

Can I do this through VMS or CLI?

Regards:

Tamas

If you use VMS to manage the sensors, then adjust those thresholds from VMS.

Hi,

The engine for the Half-open Syn attack is 'Other' and the VMS tells me, that "Tunning of this signature engine is currently not supported".

?

I am using IDSMC 2.0 and I am able to tune this signature.

darin.marais
Level 4

That is very interesting, as I am able to confirm that it was not possible to tune the “other engine” in version 1.2 of the IDSMC.

Perhaps someone can confirm this for me but I think that one thing to make especially sure of with this signature is that you do not have duplicate SYN requests with single Syn-Ack replies or even “no replies” in the data that you are sending to the monitor interface of the SPAN session as this could also lead to problems.

“Duplicate Traffic

In some configurations, SPAN sends multiple copies of the same source traffic to the destination port. For example, in a configuration with a bidirectional SPAN session (both ingress and egress) for two SPAN sources, called s1 and s2, to a SPAN destination port, called d1, if a packet enters the switch through s1 and is sent for egress from the switch to s2, ingress SPAN at s1 sends a copy of the packet to SPAN destination d1 and egress SPAN at s2 sends a copy of the packet to SPAN destination d1. If the packet was Layer 2 switched from s1 to s2, both SPAN packets would be the same. If the packet was Layer 3 switched from s1 to s2, the Layer-3 rewrite would alter the source and destination Layer 2 addresses, in which case the SPAN packets would be different.”

Reference: http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080179597.html#1040560
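An added illustration, not code from the thread or from Cisco's sensor, of the two points raised above: an attempt stays half-open whether it is the server's SYN-ACK or the client's final ACK that never arrives (judged against a timeout), and a SPAN session that delivers duplicate copies of the SYN inflates the count unless the copies are discarded. The addresses, timeout and packet trace are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    t: float     # seconds since capture start
    src: str
    dst: str
    flags: str   # "S" = SYN, "SA" = SYN-ACK, "A" = final handshake ACK

def half_open_count(packets, timeout=30.0, dedup=True):
    """Count handshakes still incomplete `timeout` seconds after their SYN.

    Every client SYN opens an attempt; it is half-open until the server's
    SYN-ACK *and* the client's final ACK have both been seen, so both cases
    asked about in the thread are counted. With dedup=True an exact copy of a
    packet already seen (what an overlapping SPAN session produces) is ignored.
    """
    attempts = []   # one dict per SYN: client, server, start time, stage
    seen = set()
    for p in sorted(packets, key=lambda p: p.t):
        if dedup:
            if p in seen:
                continue
            seen.add(p)
        if p.flags == "S":
            attempts.append({"client": p.src, "server": p.dst, "t0": p.t, "stage": "SYN"})
            continue
        # SYN-ACK flows server -> client; the final ACK flows client -> server
        client, server = (p.dst, p.src) if p.flags == "SA" else (p.src, p.dst)
        want = "SYN" if p.flags == "SA" else "SYNACK"
        for a in reversed(attempts):  # advance only the newest matching attempt
            if (a["client"], a["server"], a["stage"]) == (client, server, want):
                a["stage"] = "SYNACK" if p.flags == "SA" else "OPEN"
                break
    end = max(p.t for p in packets) if packets else 0.0
    return sum(1 for a in attempts if a["stage"] != "OPEN" and end - a["t0"] >= timeout)

# Constructed trace: a good handshake whose SYN was duplicated by SPAN, a SYN
# the server never answers, a SYN-ACK the client never ACKs, and a fresh SYN.
TRACE = [
    Pkt(0.0, "10.0.0.5", "10.0.0.80", "S"), Pkt(0.0, "10.0.0.5", "10.0.0.80", "S"),
    Pkt(0.1, "10.0.0.80", "10.0.0.5", "SA"),
    Pkt(0.2, "10.0.0.5", "10.0.0.80", "A"),
    Pkt(1.0, "10.0.0.6", "10.0.0.80", "S"),      # no SYN-ACK ever comes back
    Pkt(2.0, "10.0.0.7", "10.0.0.80", "S"),
    Pkt(2.1, "10.0.0.80", "10.0.0.7", "SA"),     # client never sends the ACK
    Pkt(40.0, "10.0.0.8", "10.0.0.80", "S"),     # too recent to judge yet
]
```

With the duplicates discarded the trace yields two half-open attempts; counting the SPAN copy as a separate SYN reports three, the false positive the post warns about.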

nickbruno
Level 1

Hi,

This question is related to Half-open Syn: has anyone experienced any issues or false positives with Cisco CSS?
