08-20-2007 10:15 AM - edited 03-10-2019 03:45 AM
Hello all,
We recently added a bunch of IPS to our internal networks (we originally only had them on the perimeter). Since we implemented these IPS (running 5.x), we have seen a massive increase in the number of TCP SYN Host Sweeps.
I looked a little further into the traffic, and it appears a lot of it is traffic to port 80 on external addresses (I'm guessing it's websites with ads, etc. that are causing most of these ones).
However, there are a great many connections going to seemingly arbitrary ports in many different network ranges. The part that worries me the most is that a lot of the SYN sweeps go to internal AND external addresses.
I have been unable to determine the exact cause of the SYN sweeps but it appears that a majority of our clients are doing it.
I am only an intern, so my knowledge (and access to such knowledge) is rather limited.
I was wondering if anyone had any similar experiences? If so, is there a good way to weed out the false positives from the potentially important alerts?
Best Regards,
Ryan
Labels: IPS and IDS
08-23-2007 06:17 AM
We use Intellitactics NSM as our SEM and it works very well for our environment (because it is very programmable and we love to tinker).
I can't remember the exact changes we've made but this is what we have:
#sh conf | begin 3030
signatures 3030 0
engine sweep
unique 50
protocol tcp
storage-key Axxb
specify-port-range yes
port-range 1-24,26-79,81-442,444-2966,2968-65534
The part of this signature that works for us is that our platform (NSM) will create an alert when we see 100 of these signatures within a specific time period. That lets us know that some type of scanning is ongoing (note that busy HTTP, DNS, & FTP servers will trigger this sig on return traffic, so filtering & profiling is important).
08-28-2007 05:25 AM
I think I will take your advice and try to bump it up to 50 or even 100.
Thanks to everyone for the advice!
(Hopefully I won't have to dredge up this topic again!)
- Ryan

08-29-2007 05:03 AM
According to Intellishield...
"Host sweep signatures 3030 and 3032 detect behaviors that should not be observed from sources outside the local network but are normal behaviors for sources from within the local network."
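The two ideas in this thread, the NSM reply's "alert when 100 sig 3030 hits land in a time window, after filtering out busy servers' return traffic" and the Intellishield note that sweeps are normal from inside but not from outside, fit together into one small triage script. The following is an added example written for this page, not code from any poster, Cisco, or Intellitactics. It assumes a constructed alert line format (timestamp, signature ID, source, destination, destination port), treats the RFC 1918 ranges as "inside", excludes the ports the posted signature's port-range leaves out (25, 80, 443, 2967, 65535), and uses an assumed list of known busy servers and assumed thresholds (100 hits per 5 minutes for internal sources, 10 for external ones).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Assumed: these ranges are "inside" for the purpose of the Intellishield note.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports the posted sig 3030 port-range leaves out; alerts to them are ignored here too.
EXCLUDED_PORTS = {25, 80, 443, 2967, 65535}

# Assumed: busy internal servers whose return traffic is known to fire sig 3030.
KNOWN_SERVERS = {"10.1.1.11"}


def parse_alert(line):
    """Constructed format: '<ISO timestamp> <sigid> <src> <dst> <dport>'."""
    ts, sig, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), int(sig), src, dst, int(dport)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def sweep_sources(lines, window=timedelta(minutes=5),
                  internal_threshold=100, external_threshold=10):
    """Return {source: peak hits in window} for sources that crossed their threshold.

    Filtering happens first (signature ID, excluded ports, known servers); then each
    source keeps a sliding window of alert timestamps and is flagged when the count
    inside the window reaches the threshold for its side of the network.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in sorted(lines):  # fixed-width ISO timestamps sort chronologically
        ts, sig, src, dst, dport = parse_alert(line)
        if sig != 3030 or dport in EXCLUDED_PORTS or src in KNOWN_SERVERS:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        limit = internal_threshold if is_internal(src) else external_threshold
        if len(q) >= limit:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


def constructed_alerts():
    """Constructed sample alerts for the example; not real sensor output."""
    base = datetime(2007, 8, 20, 10, 0, 0)
    lines = []

    def burst(src, count, dport, step_seconds, dst="198.51.100.7"):
        for i in range(count):
            t = base + timedelta(seconds=i * step_seconds)
            # dport None models return traffic to clients' ephemeral ports
            port = dport if dport is not None else 40000 + i
            lines.append(f"{t.isoformat()} 3030 {src} {dst} {port}")

    burst("10.1.1.5", 120, 445, 2)         # internal client: 120 hits in 4 min -> flagged
    burst("10.1.1.6", 120, 445, 10)        # internal client: spread over 20 min, never 100 in 5
    burst("10.1.1.10", 150, 80, 1)         # port 80 ads/web noise -> dropped by port filter
    burst("10.1.1.11", 150, None, 1)       # known DNS server's return traffic -> dropped
    burst("203.0.113.9", 12, 3389, 5)      # external source: 12 hits in 1 min -> flagged
    burst("203.0.113.10", 5, 3389, 5)      # external source: below threshold
    return lines


if __name__ == "__main__":
    for src, peak in sweep_sources(constructed_alerts()).items():
        side = "internal" if is_internal(src) else "EXTERNAL"
        print(f"{src:15} {side:9} peak {peak} sig 3030 hits in window")
```

The filter order matters: the port and known-server exclusions run before any counting, so a busy web server never contributes to a source's window, and the external threshold is deliberately much lower because, per the Intellishield note, a sweep from outside should not be seen at all.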
