UDP Port Sweep

roxanne.tsui
Level 1

We noticed that some of the events triggered by signature 4003 (Nmap UDP Port Sweep) look like responses from external DNS servers. The signature description also mentions this scenario.

We wish to understand why the signature cannot track corresponding requests and responses, as the PIX firewall does.

Thanks.

2 Replies

vkapoor5
Level 5

What IDS appliance are you using? For the IDS 42XX appliance, you may refer to the NSDB for more information on the signatures.

Not sure how PIX tracks both requests and responses.

We are using IDS-42xx sensors. We have referenced the NSDB and have followed some of the recommendations for benign triggers. The case we raised is responses from external DNS servers.

We know that PIX logs outgoing DNS requests in its translation tables. The PIX ASA, together with the DNS Guard feature, ensures that there is only one response to each outbound DNS request. We are wondering whether the IDS can offset outgoing well-known-service requests against incoming responses, and alert only when the net count exceeds the threshold. Is it feasible, and if not, what are the difficulties and limitations? We just want to better understand and use the signature. Thanks.
