Question on filtering sigID3030

brecore
Level 1

My question is on filtering signature #3030 (TCP SYN HOST Sweep). I am seeing a lot of events from this signature. When I looked at the NSDB it recommended filtering it out for internal hosts. I feel a little reserved in doing this. I am just curious if this is something people choose to filter to reduce the number of false positives.

Thank you for your input

4 Replies

lwierenga
Level 1

What IDS management software are you using?

I am using IDS Device Manager.

intertechusa
Level 1

Well in my case yes. I can't believe nobody has answered your question. I filter a lot of alarms that originate from my inside network. This is mainly because I have control of the inside and there is a small number of us so I know we don't have anybody on the inside that would knowingly do something that would trigger those alarms that I filter out. For some people it may be different because you don't know who is on the inside and maybe somebody might want to scan your internal network to do DOS attacks from the inside. I'm sure it's happened before.

I stumbled on your question because I was looking for the way to reduce the number of alarms so it wouldn't take me 20 minutes to clear them out in CTR. I really don't want to get 30000 alarms from the same IP when I could get just a few that say I got a boat load of TCP SYN Host Sweeps or whatever from this IP. I just thought about it and I'm sure the signature can be tuned to do that so I'm going on my quest to figure that out...

Hope my answer helps some.
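As an added illustration of the two approaches discussed in this thread (dropping sig 3030 alarms from internal sources outright, versus collapsing them into one summary per source IP so an inside scanner stays visible), here is example code that is not from the original posts or from Cisco; the internal address ranges and the alarm records are constructed assumptions:

```python
import ipaddress
from collections import defaultdict

# Assumed internal address space for this example; adjust to your own site.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample alarms as (sig_id, source_ip, dest_ip); not real sensor data.
SAMPLE_ALARMS = [
    (3030, "10.1.1.5", "10.1.2.1"),
    (3030, "10.1.1.5", "10.1.2.2"),
    (3030, "10.1.1.5", "10.1.2.3"),
    (3030, "203.0.113.7", "10.1.2.1"),
    (3030, "203.0.113.7", "10.1.2.9"),
    (3030, "10.1.1.5", "10.1.2.4"),
    (2004, "10.1.1.5", "10.1.2.1"),   # a different signature, passed through untouched
]

def is_internal(ip: str) -> bool:
    """True when ip falls inside one of the assumed internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def summarize_sweeps(alarms, sig_id=3030, drop_internal=False):
    """Collapse per-event alarms for sig_id into one summary per source IP.

    drop_internal=True mimics the NSDB advice (filter internal sources outright).
    drop_internal=False keeps one summary per internal source, so a host sweeping
    the inside is still reported, just not as thousands of duplicate events.
    Returns (passthrough_alarms, summaries); summaries maps source IP to a dict
    with the event count, number of distinct targets and an internal flag.
    """
    passthrough = []
    counts = defaultdict(int)
    targets = defaultdict(set)
    for sid, src, dst in alarms:
        if sid != sig_id:
            passthrough.append((sid, src, dst))
            continue
        if drop_internal and is_internal(src):
            continue
        counts[src] += 1
        targets[src].add(dst)
    summaries = {src: {"count": counts[src], "targets": len(targets[src]),
                       "internal": is_internal(src)} for src in counts}
    return passthrough, summaries

if __name__ == "__main__":
    for mode in (False, True):
        _, summ = summarize_sweeps(SAMPLE_ALARMS, drop_internal=mode)
        print(f"drop_internal={mode}: {summ}")
```

With drop_internal=False the internal source 10.1.1.5 is reported once with a count of 4 across 4 targets; with drop_internal=True it disappears entirely, which is the visibility trade-off the original question is about.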

mattgioia
Level 1

Well it seems that particular signature fires on ordinary web page browsing, so I don't see any option BUT to filter it originating from any internal machines. I sure wish they gave the same flexibility to modify existing signatures as they do to creating new ones, then you could at least attempt to analyze internal traffic patterns to see if you could feasibly tune it to the point of being able to see a legitimate security compromise with that sig.