Tuning sweep signature 3030 - TCP SYN Host Sweep

m-hansson
Level 1

I want this signature to have the old behaviour as it had in 4.x. So I changed the Keys from Axxx to Axxp. Also I wanted to exclude port 80 and 443 entirely, so I added 0-79,81-442,444-65535 to Port Range.

This does not seem to work. The following scenario triggers alarms:

- Packets from one host towards 50 different target hosts.

- The destination ports are always 80, 443 and one randomly selected port above 1023 (different on each host).

How come I get alarms? Am I doing something wrong here or is there a workaround?

Regards,

M
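To make the two settings in the question concrete, here is a small model of a TCP SYN host-sweep detector, added as an illustration and not Cisco's sweep engine code. It assumes the storage key "Axxx" groups sweep state by attacker address only, that "Axxp" groups it by attacker address plus destination port, that packets on ports outside the Port Range are simply not counted, and that an alarm fires once five distinct victim hosts are seen under one key (the threshold is an assumption for the example). The traffic is constructed to match the scenario above: one source, 50 targets, each probed on 80, 443 and one distinct port above 1023.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# One TCP SYN: (attacker_ip, victim_ip, destination_port)
Packet = Tuple[str, str, int]
Key = Tuple


def parse_port_ranges(spec: str) -> List[Tuple[int, int]]:
    """Parse a Port Range string such as '0-79,81-442,444-65535'.
    An empty spec means every port is in scope."""
    if not spec.strip():
        return [(0, 65535)]
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        ranges.append((lo_i, hi_i))
    return ranges


def port_in_range(port: int, ranges: List[Tuple[int, int]]) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


class HostSweepDetector:
    """Toy host-sweep detector (assumed semantics, not the vendor's code).

    storage_key 'Axxx': state is kept per attacker address.
    storage_key 'Axxp': state is kept per (attacker address, destination port).
    An alarm is returned the first time a key has seen `unique` distinct victims.
    """

    def __init__(self, storage_key: str, port_spec: str = "", unique: int = 5):
        if storage_key not in ("Axxx", "Axxp"):
            raise ValueError("only Axxx and Axxp are modelled here")
        self.storage_key = storage_key
        self.ranges = parse_port_ranges(port_spec)
        self.unique = unique  # assumed alarm threshold
        self.victims: Dict[Key, Set[str]] = defaultdict(set)
        self.alarmed: Set[Key] = set()

    def _key(self, pkt: Packet) -> Key:
        attacker, _, port = pkt
        return (attacker,) if self.storage_key == "Axxx" else (attacker, port)

    def observe(self, pkt: Packet) -> Optional[Key]:
        """Feed one SYN; return the key that just alarmed, or None."""
        _, victim, port = pkt
        if not port_in_range(port, self.ranges):
            return None  # port excluded by Port Range: not counted at all
        key = self._key(pkt)
        self.victims[key].add(victim)
        if len(self.victims[key]) >= self.unique and key not in self.alarmed:
            self.alarmed.add(key)
            return key
        return None

    def run(self, pkts: List[Packet]) -> List[Key]:
        """Return every alarm raised over the packet list, in order."""
        return [k for k in map(self.observe, pkts) if k is not None]


def build_scenario(attacker: str = "192.0.2.10", hosts: int = 50,
                   high_port_base: int = 40000) -> List[Packet]:
    """Constructed traffic: one source, `hosts` victims, each hit on
    80, 443 and one distinct port above 1023 (documentation addresses)."""
    pkts: List[Packet] = []
    for i in range(hosts):
        victim = f"198.51.100.{i + 1}"
        for port in (80, 443, high_port_base + i):
            pkts.append((attacker, victim, port))
    return pkts


if __name__ == "__main__":
    traffic = build_scenario()
    exclude = "0-79,81-442,444-65535"
    print("Axxx, no filter :", HostSweepDetector("Axxx").run(traffic))
    print("Axxx, 80/443 out:", HostSweepDetector("Axxx", exclude).run(traffic))
    print("Axxp, 80/443 out:", HostSweepDetector("Axxp", exclude).run(traffic))
```

Run as a script, the model shows why the port exclusion alone does not silence the alarm under an attacker-only key: the high-port SYNs still accumulate 50 distinct victims under the single key. Under the per-port key each high port is seen against only one host, so nothing reaches the threshold, which is the behaviour the question is after.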

5 Replies

scothrel
Level 3

This sounds like a known bug in the Sweep config tuning. One workaround is to create a custom Sweep signature and set it up to mimic 3030 with your tweaks. Try that and see if you can get it to work like you want.

We have someone trying to find the bug ID to see what the official workaround is.

This is a known false positive being tracked in our database. The bug id is CSCse01405.

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCse01405

From that bugid report the workaround is:

Change any parameter in another sig on the Axxx storage-key. Example: set sig 3052 enabled.

Basically the change to the Axxb is getting recorded but is not triggering the appropriate update to the Axxx storage key.

Ok, thanks.

This brings up another issue, with CiscoWorks. Perhaps you are not that involved in CW development.

The issue is that when we perform a signature update our specific signature settings get wiped (for the sweep engine signatures). Settings like IP protocol and which ports to monitor. Also the "Unique" setting is wiped.

This applies to both the 3030 signature and any custom sweep signature we make.

We are running version 2.2 with Service Pack 1.

Is this also a known bug? Workaround?

Regards,

M

We have that same exact problem, in fact I was going to put in a TAC case for this.

We are running VMS 2.3 with Security Monitor 2.2

I have been tuning signatures globally, by group, and by sensor. I just found out that after an automatic signature update, all of my tuning is overwritten. The only workaround I have is to put in Sig Event Action Filters instead. But I don't think that helps with the overhead of leaving overzealous signatures untuned.

I've not heard of your issue, but then as it was supposed, it's outside of my area of expertise. I have brought this thread to the attention of one of the MC support guys. Hopefully he'll review this thread shortly.

Scott
