10-23-2003 02:45 PM - edited 03-09-2019 05:16 AM
My question is on filtering signature #3030 (TCP SYN Host Sweep). I am seeing a lot of events from this signature. When I looked at the NSDB it recommended filtering it out for internal hosts. I feel a little reserved in doing this. I am just curious if this is something people choose to filter to reduce the number of false positives.
Thank you for your input
10-25-2003 03:56 PM
What IDS management software are you using?
10-27-2003 09:47 AM
I am using IDS Device Manager.
03-03-2004 09:02 AM
Well in my case yes. I can't believe nobody has answered your question. I filter a lot of alarms that originate from my inside network. This is mainly because I have control of the inside and there is a small number of us so I know we don't have anybody on the inside that would knowingly do something that would trigger those alarms that I filter out. For some people it may be different because you don't know who is on the inside and maybe somebody might want to scan your internal network to do DOS attacks from the inside. I'm sure it's happened before.
I stumbled on your question because I was looking for the way to reduce the number of alarms so it wouldn't take me 20 minutes to clear them out in CTR. I really don't want to get 30000 alarms from the same IP when I could get just a few that say I got a boat load of TCP SYN Host Sweeps or whatever from this IP. I just thought about it and I'm sure the signature can be tuned to do that, so I'm going on my quest to figure that out...
Hope my answer helps some.
03-09-2004 12:29 PM
Well it seems that particular signature fires on ordinary web page browsing, so I don't see any option BUT to filter it originating from any internal machines. I sure wish they gave the same flexibility to modify existing signatures as they do to creating new ones; then you could at least attempt to analyze internal traffic patterns to see if you could feasibly tune it to the point of being able to see a legitimate security compromise with that sig.
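As an added illustration of the two ideas raised in this thread (excluding internal sources from the 3030 alarm and collapsing thousands of per-packet alarms into one summary per source), here is a small Python script that is not part of the original posts or of any Cisco product. The internal address range, the alarm sample, and the 5-hosts-in-5-seconds threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of signature 3030 (TCP SYN Host Sweep) alarms:
# (timestamp_seconds, source_ip, destination_ip). The internal host
# 10.1.1.5 fans out to several web servers (ordinary browsing), while
# 203.0.113.9 is an external source touching many internal hosts.
EVENTS = [
    (0, "10.1.1.5", "198.51.100.10"),
    (1, "10.1.1.5", "198.51.100.11"),
    (2, "10.1.1.5", "198.51.100.12"),
    (3, "10.1.1.5", "198.51.100.13"),
    (4, "10.1.1.5", "198.51.100.14"),
    (0, "203.0.113.9", "10.1.1.1"),
    (0, "203.0.113.9", "10.1.1.2"),
    (1, "203.0.113.9", "10.1.1.3"),
    (1, "203.0.113.9", "10.1.1.4"),
    (2, "203.0.113.9", "10.1.1.5"),
    (2, "203.0.113.9", "10.1.1.6"),
    (7, "203.0.113.9", "10.1.1.7"),
]

INTERNAL = [ip_network("10.0.0.0/8")]  # assumed internal address space


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)


def summarize_sweeps(events, window=5, unique_hosts=5, exclude_internal=True):
    """Collapse per-packet sweep alarms into one summary line per source.

    A source is reported only if it reached at least `unique_hosts` distinct
    destinations within some `window`-second interval (the sweep threshold
    idea). Returns {source: (distinct_destinations, total_alarms)}.
    """
    by_src = defaultdict(list)
    for ts, src, dst in sorted(events):
        if exclude_internal and is_internal(src):
            continue  # the exclusion the NSDB and the thread talk about
        by_src[src].append((ts, dst))
    summary = {}
    for src, hits in by_src.items():
        for i, (start, _) in enumerate(hits):
            seen = {d for t, d in hits[i:] if t - start < window}
            if len(seen) >= unique_hosts:
                summary[src] = (len({d for _, d in hits}), len(hits))
                break
    return summary
```

Running `summarize_sweeps(EVENTS)` reports only the external source, while `exclude_internal=False` shows that the browsing host would also trip the threshold, which is exactly the false positive the thread describes.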