Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
735
Views
0
Helpful
3
Replies

TCP SYS Host Sweep

Go to solution
DFiore
Level 1
Level 1

‎08-02-2006 10:56 AM - edited ‎03-10-2019 03:08 AM

Seems like whenever a mail server connects and does a mass mailing to customers I see this sig fire.

I also see the sig fire when "certain" users surf to websites with tracking cookies (DoubleClick, Akamai, etc.)

According to the Sig DB at MySDN, this sig is benign as long as the traffic seen is internal.

Is this the case?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mhellman
Level 7
Level 7
In response to DFiore

‎08-04-2006 08:13 AM

Do you mean TCP SYN Host sweep (3030-0)? I never really found it to be a useful signature, mostly because it doesn't report the port(s) being scanned. It is prone to false positives as well since it will fire on return traffic (like to an HTTP proxy for example). Filtering can fix that if you're so inclined.

see these threads:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddabf56

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&CommCmd=MB?cmd=pass_through&location=outline@^1@@.1dd99469

View solution in original post

0 Helpful
3 Replies 3

Go to solution
DFiore
Level 1
Level 1

‎08-04-2006 07:55 AM

Any ideas before the weekend?

0 Helpful

Go to solution
mhellman
Level 7
Level 7
In response to DFiore

‎08-04-2006 08:13 AM

Do you mean TCP SYN Host sweep (3030-0)? I never really found it to be a useful signature, mostly because it doesn't report the port(s) being scanned. It is prone to false positives as well since it will fire on return traffic (like to an HTTP proxy for example). Filtering can fix that if you're so inclined.

see these threads:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddabf56

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&CommCmd=MB?cmd=pass_through&location=outline@^1@@.1dd99469

0 Helpful

Go to solution
DFiore
Level 1
Level 1
In response to mhellman

‎08-04-2006 10:41 AM

Thanks Matt,

I'll look at the threads and consider filtering out the fires I can explain (proxy server, email, etc.)

Have a good weekend...

David

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card