08-08-2008 11:23 AM - edited 03-10-2019 04:14 AM
We have had numerous TCP SYN Host Sweeps. Could anyone share what could cause the above? Copy of alert details follow.
evIdsAlert: eventId=1216742775473866070 vendor=Cisco severity=informational
originator:
hostId: ips
appName: sensorApp
appInstanceId: 403
time: Aug 08, 2008 19:18:53 UTC offset=-480 timeZone=GMT-08:00
signature: description=TCP SYN Host Sweep id=3030 version=S2
subsigId: 0
marsCategory: Probe/SpecificPorts
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: 172.16.5.111 locality=OUT
port: 3958
target:
addr: 69.63.178.11 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 64.62.193.70 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 77.67.127.41 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 64.215.162.27 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 65.55.15.242 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 77.67.127.10 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 69.63.176.167 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 65.242.27.32 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 64.209.118.140 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 77.67.127.25 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 207.200.64.225 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 207.68.179.219 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 65.55.13.158 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 63.217.8.128 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 66.151.244.212 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 207.200.64.161 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
alertDetails: InterfaceAttributes: context="Unknown" physical="Unknown" backplane="GigabitEthernet0/1" ;
riskRatingValue: 31 targetValueRating=medium attackRelevanceRating=relevant
threatRatingValue: 31
interface: GigabitEthernet0/1 context=Unknown physical=Unknown backplane=GigabitEthernet0/1
protocol: tcp
08-09-2008 02:55 PM
Sweeps when detected on the LAN are 'mostly' false positives, this is the official word from Cisco:
"Benign Triggers
Host sweep signatures 3030 and 3032 detect behaviors that should not be observed from sources outside the local network but are normal behaviors for sources from within the local network."
You can either filter these signatures from the LAN hosts using Event Action Filters or tune the signature (by using the source/dest. fields inside it).
Regards
Farrukh
08-09-2008 02:58 PM
To answer your original question, for example, I have 35+ tabs open in my Firefox browser right now. Let's say I re-open my browser and re-open all these tabs 'at once', or hit the 'reload-all-tabs' button; the IPS will see 35 TCP SYNs to the same destination port (80) from my source IP. It might consider this a TCP SYN host sweep (on the same dest. port), even though it's just an innocent guy trying to browse the web :).
Regards
Farrukh
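To make the two points above concrete (the way a host-sweep signature counts distinct destination hosts per source and destination port, and what an Event Action Filter keyed on the source's locality does to the resulting alerts), here is an added example in Python. It is not Cisco's signature engine or anything posted in this thread: the flow records are constructed, the threshold of 15 unique hosts in 60 seconds and the internal network list are assumptions, and the "locality" is derived from that list. Note that in the alert posted above the 172.16.5.111 source is tagged locality=OUT, so on the real sensor a locality-based filter only helps once the sensor's definition of internal networks is configured to cover that range.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal ranges; on a sensor this is the configured internal-network list.
INTERNAL_NETS = [ip_network("172.16.0.0/12"), ip_network("10.0.0.0/8"),
                 ip_network("192.168.0.0/16")]

# Constructed flow records (timestamp_s, src, sport, dst, dport, tcp_flags); not thread data.
SAMPLE_FLOWS = [
    # A browser re-opening 35 tabs: 35 SYNs to 35 different web servers on port 80 in ~2 s.
    *[(1.0 + i * 0.05, "172.16.5.111", 3958 + i, f"69.63.178.{10 + i}", 80, "S")
      for i in range(35)],
    # An outside host probing 20 internal addresses on port 445 in ~2 s.
    *[(10.0 + i * 0.1, "198.51.100.7", 40000 + i, f"172.16.5.{1 + i}", 445, "S")
      for i in range(20)],
    # An internal host talking to only two servers: stays below the threshold.
    (20.0, "172.16.5.42", 50000, "93.184.216.34", 443, "S"),
    (20.5, "172.16.5.42", 50001, "93.184.216.35", 443, "S"),
]


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the assumed internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect_host_sweeps(flows, unique_hosts: int = 15, window_seconds: float = 60.0):
    """Emit one sweep alert per (src, dport) whose SYNs reach >= unique_hosts distinct
    destination hosts inside any window of window_seconds. Mirrors the idea behind a
    'same destination port, many destination hosts' sweep signature; thresholds assumed."""
    by_key = defaultdict(list)
    for ts, src, sport, dst, dport, flags in sorted(flows):
        if flags != "S":            # only connection attempts count
            continue
        by_key[(src, dport)].append((ts, dst))

    alerts = []
    for (src, dport), events in by_key.items():
        # Sliding window over time-ordered events; quadratic but fine for small inputs.
        for i, (t0, _) in enumerate(events):
            seen = set()
            for ts, dst in events[i:]:
                if ts - t0 > window_seconds:
                    break
                seen.add(dst)
            if len(seen) >= unique_hosts:
                alerts.append({
                    "sig_id": 3030,
                    "attacker": src,
                    "attacker_locality": "IN" if is_internal(src) else "OUT",
                    "dport": dport,
                    "targets": sorted(seen),
                })
                break                # one alert per source/port pair
    return alerts


def apply_event_action_filter(alerts, sig_ids=(3030, 3032)):
    """Model of an Event Action Filter: drop sweep alerts (sigs 3030/3032) whose source is
    internal, which is what the 'benign trigger' note suggests for LAN hosts."""
    return [a for a in alerts
            if not (a["sig_id"] in sig_ids and a["attacker_locality"] == "IN")]


if __name__ == "__main__":
    raw = detect_host_sweeps(SAMPLE_FLOWS)
    for a in raw:
        print(f"sig {a['sig_id']} attacker={a['attacker']} ({a['attacker_locality']}) "
              f"dport={a['dport']} targets={len(a['targets'])}")
    kept = apply_event_action_filter(raw)
    print("after filter:", [a["attacker"] for a in kept])
```

Run as-is it raises two sweep alerts (the browser on 172.16.5.111 and the outside probe from 198.51.100.7) and the filter keeps only the outside one, which is the distinction Farrukh's answer is drawing. The filter only suppresses; if the internal sweep should still be logged for later forensics, the equivalent on a sensor is to lower the action rather than filter the event entirely.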
08-10-2008 05:03 PM
Farrukh,
Thank you.
Said
04-26-2012 08:09 AM
event_id=1315988670190568856
severity=high
device_name=
app_name=sensorApp
sig_id=1202
subsig_id=0
sig_name=IP Fragment Overrun - Datagram Too Long sig_details=IP Fragment overrun - Datagram too long
sig_version=S212
attacker_ip=10.92.21.120
attacker_port=0
attacker_locality=OUT
victim_ip=6.71.2.110
victim_port=0
victim_os=unknown unknown (relevant)
victim_locality=OUT
This DoS attack happens from an internal IP to a public IP. Is it a real one?