12-21-2004 02:50 PM - edited 03-10-2019 01:12 AM
We noticed that some of the events triggered by signature 4003 (Nmap UDP Port Sweep) look like responses from external DNS servers. The signature description also mentions this scenario.
We wish to understand why the signature cannot track corresponding requests and responses, as the PIX firewall does.
Thanks.
12-27-2004 11:11 AM
What IDS appliance are you using? For IDS 42XX appliance, you may refer to the NSDB for more information on the signatures.
Not sure how PIX tracks both requests and responses.
12-29-2004 02:39 PM
We are using IDS-42xx sensors. We have referenced the NSDB, and have followed some of the recommendations for benign triggers. The case we raised is responses from external DNS servers.
We know that PIX logs outgoing DNS requests in translation tables. The PIX ASA, together with the DNS Guard feature, ensures that there is only one response to each outbound DNS request. We are wondering whether the IDS can offset the outgoing well-known service requests against the incoming responses, and alert only when the net count exceeds the threshold. Is it feasible, and if not, what is the difficulty or limitation? We just want to better understand and use the signature. Thanks.
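Added example, not from this thread or from Cisco: a small Python model of the two approaches being compared, a stateless per-source distinct-port count (the way a UDP sweep signature sees traffic) beside a stateful version that offsets inbound packets against earlier outbound requests, run over a constructed packet log. The addresses, port numbers and the threshold value are assumptions.

```python
from collections import defaultdict

# Constructed packet log: (direction, src_ip, src_port, dst_ip, dst_port), UDP only.
PACKETS = [
    # Internal host 10.0.0.5 sends six DNS queries to an external resolver.
    *[("out", "10.0.0.5", 40000 + i, "198.51.100.53", 53) for i in range(6)],
    # The resolver answers each query back to the ephemeral source port.
    *[("in", "198.51.100.53", 53, "10.0.0.5", 40000 + i) for i in range(6)],
    # A duplicate answer: with DNS Guard semantics only the first reply is expected.
    ("in", "198.51.100.53", 53, "10.0.0.5", 40000),
    # An unsolicited probe of six distinct ports on the same host from elsewhere.
    *[("in", "203.0.113.9", 55555, "10.0.0.5", p) for p in (7, 19, 69, 111, 161, 514)],
]

THRESHOLD = 5  # assumed: alert when one source touches more than this many distinct ports


def stateless_sweep_sources(packets, threshold=THRESHOLD):
    """Count distinct destination ports per (src, dst) on inbound UDP with no memory
    of what the inside host asked for. A resolver answering many queries looks like
    a sweep because each answer lands on a different ephemeral port."""
    ports = defaultdict(set)
    for direction, src, _sport, dst, dport in packets:
        if direction == "in":
            ports[(src, dst)].add(dport)
    return sorted(src for (src, _dst), p in ports.items() if len(p) > threshold)


def stateful_sweep_sources(packets, threshold=THRESHOLD):
    """Remember each outbound request as a 4-tuple and let the first matching reply
    consume it; only replies with no pending request count toward the sweep total."""
    pending = set()          # (inside_ip, inside_port, outside_ip, outside_port)
    ports = defaultdict(set)
    for direction, src, sport, dst, dport in packets:
        if direction == "out":
            pending.add((src, sport, dst, dport))
            continue
        key = (dst, dport, src, sport)
        if key in pending:
            pending.discard(key)   # one reply per request, as DNS Guard enforces
            continue
        ports[(src, dst)].add(dport)  # unsolicited: counts toward the sweep
    return sorted(src for (src, _dst), p in ports.items() if len(p) > threshold)


if __name__ == "__main__":
    print("stateless:", stateless_sweep_sources(PACKETS))  # resolver is a false positive
    print("stateful: ", stateful_sweep_sources(PACKETS))   # only the real probe remains
```

The duplicate resolver answer is still treated as unsolicited by the stateful version, but it touches a single port and so stays well under the threshold.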