tcp upper port sweep

darin.marais
Level 4

Dear list,

I have generated a report from the Security Monitor report generator. The report, entitled “IDS Top Alarms Report”, includes the alarm description “TCP Upper Port Sweep” once the report has been generated.

If the security event monitor is checked/opened at precisely the same time as the event that appears in the report, the alarm shown there is “TCP High Port Sweep”.

My question is:

How do I know that these are the same alarms by Cisco signature id?

I.e. what file determines the alarm description versus the Cisco signature ID?

1. On the sensor

2. On the IDS MC

I could guess that they are the same but I am not sure that that is the right thing to do.

If they are the same alarm then why is the description that appears in the report different from the security event monitor?

It is the #6 report under the section report > generate that generated the error.

2 Replies

hadbou
Level 5

The TCP High Port Sweep signature gives coverage for those who are running services on the non-privileged ports. The number of vulnerable services that typically run on the ports above 1024 is small, and they are primarily restricted to RPC, NFS and X traffic.

In general this signature is triggered on receipt of a threshold number of resets coming from high ports on a possible target machine. The destination address of the reset packets is the possible source of the attack. On a busy web connection it is common for a user to connect to a server, get tired of waiting for a response or for the page to download, and move on to another link. The browser at the client end will close down the "high" listening port for any connections that may have been associated with that page. The connections are not always torn down properly, though, and the server may still respond at a later time to the original request. When that happens the client, who is no longer listening, will generate a reset packet. Since many connections are established between the client and the web server to download the various parts of a web page, the resets returned may exceed the signature threshold and the alarm will fire.

I would recommend that this signature be turned off unless you are particularly concerned about random sweeps of high ports on your network. If you are concerned about these types of sweeps for whatever reason, then you should first exclude all of your web servers as a source of the alarm. Then, as a matter of interpreting the alarm, you should check the source of each alarm to see if the source is a web server. If it is a web server, the odds are that the alarm is benign in nature.

Hope this helps.
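The reply above describes the signature's logic in prose: count TCP resets whose source port is above 1024, treat the destination of those resets as the possible attacker, fire when a threshold is reached, and then filter or triage alarms whose source is a known web server. The following is an added illustration of that heuristic, not Cisco's sensor code and not from the original thread. The record format, the threshold of 5, the host addresses and the sample traffic are all constructed assumptions for the example; the real signature's threshold and tuning parameters are not given in the thread.

```python
"""Toy re-implementation of the TCP High Port Sweep heuristic as described in
the reply above (added example; assumptions: threshold, record layout, sample
traffic).  A RST leaving a host from a high (> 1024) port is attributed to the
host the RST is sent to, which the signature treats as the possible attacker
and reports as the alarm source."""
from collections import defaultdict
from typing import Iterable, List, NamedTuple, Tuple

PRIVILEGED_PORT_MAX = 1024  # ports above this are the "high"/"upper" ports


class TcpRecord(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # TCP flag letters, e.g. "S", "SA", "R", "RA"


class Alarm(NamedTuple):
    alarm_source: str          # destination of the RSTs: the possible attacker
    target: str                # host that emitted the RSTs
    rst_count: int
    high_ports: Tuple[int, ...]  # distinct high source ports seen on the RSTs


def high_port_sweep_alarms(records: Iterable[TcpRecord], threshold: int = 5,
                           excluded_sources: frozenset = frozenset()) -> List[Alarm]:
    """Count RSTs from high ports per (possible attacker, possible target) pair
    and return one alarm per pair that reaches the threshold.  Hosts listed in
    excluded_sources (e.g. your web servers) never appear as an alarm source,
    mirroring the tuning advice in the reply."""
    counts = defaultdict(int)
    ports = defaultdict(set)
    for r in records:
        if "R" not in r.flags:            # only resets are of interest
            continue
        if r.src_port <= PRIVILEGED_PORT_MAX:  # RST must come from a high port
            continue
        key = (r.dst_ip, r.src_ip)        # (possible attacker, possible target)
        counts[key] += 1
        ports[key].add(r.src_port)
    alarms = []
    for (attacker, target), n in sorted(counts.items()):
        if n < threshold or attacker in excluded_sources:
            continue
        alarms.append(Alarm(attacker, target, n, tuple(sorted(ports[(attacker, target)]))))
    return alarms


def sample_records() -> List[TcpRecord]:
    """Constructed sample traffic (not captured data)."""
    recs = []
    # Benign case from the reply: the browser on 192.0.2.5 abandoned a page; the
    # web server 203.0.113.10 later delivers data to six client ports that are
    # no longer listening, and the client answers each with a RST from that port.
    for p in range(49152, 49158):
        recs.append(TcpRecord("192.0.2.5", p, "203.0.113.10", 80, "R"))
    # Suspicious case: 198.51.100.7 probes closed high ports on 192.0.2.20
    # (NFS, X, RPC-style ports); the target answers each SYN with a RST/ACK
    # whose source port is the probed high port.
    for p in (2049, 6000, 6001, 32771, 32772, 32773):
        recs.append(TcpRecord("198.51.100.7", 40000 + (p % 1000), "192.0.2.20", p, "S"))
        recs.append(TcpRecord("192.0.2.20", p, "198.51.100.7", 40000 + (p % 1000), "RA"))
    # Ordinary handshake traffic that must not be counted.
    recs.append(TcpRecord("192.0.2.5", 50000, "203.0.113.10", 443, "S"))
    recs.append(TcpRecord("203.0.113.10", 443, "192.0.2.5", 50000, "SA"))
    return recs


if __name__ == "__main__":
    recs = sample_records()
    print("untuned:", high_port_sweep_alarms(recs))
    print("web servers excluded:",
          high_port_sweep_alarms(recs, excluded_sources=frozenset({"203.0.113.10"})))
```

Run untuned, the heuristic raises two alarms with the same count: the scanner hitting 192.0.2.20 and the web server 203.0.113.10, which is exactly the false positive the reply describes. Passing the web server in `excluded_sources` leaves only the scan, which is the "exclude your web servers as a source" tuning step in code.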

Thank you very much for your reply. It certainly does help with the evaluation of the signature; however, it did not really answer my exact question.

The question was as follows.

Why does the description for the alarm differ between the event monitor and the generated report? Although the signature ID is the same, the description for the alarm differs.

In the report it is TCP “Upper” Port Sweep and in the event monitor it is TCP “High” Port Sweep. It is not a huge deal, but it can be misleading. I wanted to know where the description is defined on the IDS MC?