06-24-2008 11:40 AM - edited 03-10-2019 04:09 AM
Hello Guys,
I need help here. We are getting a large number of incidents in one of our CS-MARS boxes regarding the Scans-Stealth system rule. This rule is triggered by the event type TCP FIN Host Sweep. The source IPs were internal to our network and destined to external IPs of a telco and other sites. One of the notable sites is yahoo.com. I'm just wondering what is causing these alerts to trigger, P2P or streaming?
According to this signature
TCP FIN Host Sweep
Benign Trigger(s):
The host sweep signatures 3030 and 3032 detect behaviors that should not be observed from sources outside the local network but are normal behaviors for sources from within the local network.
Recommended filters:
Exclude internal networks as sources.
Based on the signature, this alert is not malicious unless the source IP is external. So, is it ok to tune this out, or leave it and then always monitor? Sometimes it's quite annoying though.
06-24-2008 04:25 PM
Hello,
Without more information it's hard to say why the alerts are being triggered, but in general, network scanning or P2P (internal -> external) could easily trigger those signatures.
Tuning those signatures would be an appropriate course of action in my opinion.
06-25-2008 06:50 AM
We are having the same issue, except with the TCP SYN Host Sweep (3030) alert. The signature explanation page suggests filtering out internal addresses as the source, but we have not, for a reason: this is a good way to detect a worm within the network.
What we have done in the past is tune the threshold that triggers the signature. However, with the E2 engine update and signature updates, this signature has begun to fire excessively again. We will probably tune it again by increasing the threshold to a point where it will not give us an excessive amount of alerts.
06-25-2008 07:19 AM
Yes this is one of the 'chatty' signatures. You can either follow the Cisco recommendation:
Recommended filters:
Exclude internal networks as sources.
Or filter the signature on the IPS to increase the thresholds, as others have suggested. But to be honest, there are more accurate/better ways to detect worms on IPS 6.x, like 'Anomaly Detection', than these signatures (if that is the motivation for not filtering internal IPs).
Regards
Farrukh
06-25-2008 01:04 PM
Thanks guys for your help. But if we increase the threshold of this signature and filter this out, we will not be able to detect some P2P activity. We are monitoring a school's network, and we all know that most of the students use P2P for sharing files. Some of the P2P activity will not resemble P2P alerts in MARS, but most of it triggers this Scans-Stealth rule with event type TCP FIN Host Sweep.
Mahalo,
Carlou
06-25-2008 11:26 PM
So how do you want to proceed with this?
Regards
Farrukh
06-25-2008 11:52 PM
We haven't decided yet. Most probably we will continue to monitor this event and not tune it out. Our client wants to see P2P activity and to know who's using P2P clients so they can uninstall them on their workstations.
Mahalo,
Carlou