10-25-2005 10:20 AM - edited 03-10-2019 01:42 AM
5.x sensor, as viewed from the event monitoring directly on the sensor.
sig 3030 events do not seem to include the actual destination port. This seems rather strange given the description of the signature. Is this normal? Am I misunderstanding the NSDB description below?
"Description: Triggers when a series of TCP SYN packets have been sent to the same destination port on a number of different hosts. This could, for example, be a sweep of many hosts to find out which ones can receive mail or telnet sessions."
10-25-2005 01:40 PM
You are right, this is a bug. The current 5.x version of sig 3030 does not include the destination port. The Summary Key should be set to Axxb (instead of Axxx) to include the actual destination port. A modified signature will be released with the next signature update. Thank you for bringing this to our attention.
10-26-2005 10:11 AM
Upon further investigation, I have found that the existing parameters for sig 3030 are correct. It is the NSDB that is misleading. A sweep sig will behave as "Host Sweep" if you use the storage-key (not summary-key) as Axxx. If it is Axxb it becomes "Service Sweep". My earlier reply was wrong. The NSDB has been corrected. I am sorry for the confusion.
Please let us know if you have any more questions.
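To make the storage-key distinction concrete, here is an added example (not Cisco IPS code and not posted by anyone in this thread) that models how a sweep signature's storage key changes what it counts: keyed Axxx (attacker address only) it tallies distinct victim hosts per attacker and has no destination port to report, which is the "Host Sweep" behaviour described above; keyed Axxb (attacker address plus victim port) it tallies distinct victim hosts per attacker-and-port, the "Service Sweep". The unique-host threshold, the function names and the sample SYN packets are all constructed assumptions.

```python
"""
Sweep-signature storage keys, illustrated with constructed SYN packets.

Added example, not Cisco IPS code.  The threshold, names and sample
traffic are assumptions; the point is only how the key shapes the count.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# (attacker address, victim address, victim port) of one TCP SYN
SynPacket = Tuple[str, str, int]

# Assumed unique-victim-host threshold; the real signature default is not on the page.
UNIQUE_HOSTS = 5


def sweep_key(pkt: SynPacket, storage_key: str) -> Tuple:
    """Reduce a packet to the tuple the sweep engine groups by.

    Axxx: attacker address only   -> distinct victims per attacker (host sweep)
    Axxb: attacker address + port -> distinct victims per attacker and port (service sweep)
    """
    attacker, _victim, port = pkt
    if storage_key == "Axxx":
        return (attacker,)
    if storage_key == "Axxb":
        return (attacker, port)
    raise ValueError(f"unsupported storage key {storage_key!r}")


def find_sweeps(packets: Iterable[SynPacket], storage_key: str,
                threshold: int = UNIQUE_HOSTS) -> List[Dict[str, Optional[object]]]:
    """Return one alert per key whose distinct-victim-host count reaches the threshold.

    The alert carries a port only when the key contains one, which is why an
    Axxx-keyed sweep alert cannot show the destination port.
    """
    victims: Dict[Tuple, set] = defaultdict(set)
    for pkt in packets:
        victims[sweep_key(pkt, storage_key)].add(pkt[1])

    alerts = []
    for key in sorted(victims):
        hosts = victims[key]
        if len(hosts) >= threshold:
            alerts.append({
                "attacker": key[0],
                "port": key[1] if len(key) > 1 else None,
                "hosts": len(hosts),
            })
    return alerts


# Constructed traffic (assumed, not captured):
# scenario 1 - one attacker SYNs port 25 on eight different hosts (SMTP sweep)
SCENARIO_1: List[SynPacket] = [
    ("10.0.0.9", f"192.168.1.{i}", 25) for i in range(1, 9)
]
# scenario 2 - same attacker, eight hosts, a different port on each
SCENARIO_2: List[SynPacket] = [
    ("10.0.0.9", f"192.168.2.{i}", port)
    for i, port in zip(range(1, 9), (21, 22, 23, 25, 80, 110, 443, 8080))
]


if __name__ == "__main__":
    for name, traffic in (("scenario 1", SCENARIO_1), ("scenario 2", SCENARIO_2)):
        for key in ("Axxx", "Axxb"):
            print(name, key, find_sweeps(traffic, key))
```

Under Axxx both scenarios raise one alert for the attacker with no port; under Axxb scenario 1 raises one alert naming port 25, while scenario 2 raises none because no single port was tried against enough distinct hosts.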
10-27-2005 05:07 AM
I think what you're saying is that sig 3030 detects a SYN scan against multiple hosts, regardless of ports. That may be too vague. There are two different types of SYN scans I might want to alert on:
scenario 1:
SYN scan against multiple hosts on a single port (looking for SMTP servers for example).
scenario 2:
SYN scan against multiple hosts on multiple ports.
The above signature will fire on both, right, but it won't show ports in either case? Is there a more specific signature that will fire on scenario 1 (much like the previous description for 3030), and show the port? Somebody must have been at least thinking about this when they wrote the description:
"Description: Triggers when a series of TCP SYN packets have been sent to the same destination port on a number of different hosts. This could, for example, be a sweep of many hosts to find out which ones can receive mail or telnet sessions."