08-27-2008 10:58 AM - edited 03-11-2019 06:36 AM
I have an ASA, and an IPS, and am monitoring the segments that terminate on the inside and outside interfaces of the ASA with the IPS. I keep seeing udp and tcp sweeps coming from the outside interface of the firewall and a couple hosts on the inside. The outside IP address sweeps are probably hosts on the inside since PAT is configured, althought the timestamps don't match any alerts for the inside hosts doing the sweeps. Has anyone seen this behavior in their environment? I don't think it's a worm, but I can't find any references indicating examples of legitimate traffic matching this sort of pattern.
thank you,
Bill
08-27-2008 11:43 PM
This is one of the chatty signatures in the Cisco IPS. It is usually recommended to disable it for internal IPs. Or you can tune it to increase the TCP SYN threshold.
For more details have a look at this post:
Regards
Farrukh
08-28-2008 05:00 AM
thank you
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: