Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
294
Views
0
Helpful
2
Replies

Tuning Sig 4003 - UDP port sweeps

cknott
Level 1
Level 1

‎11-11-2004 06:15 AM - edited ‎03-09-2019 09:24 AM

How can i tune signature 4003 to filter out sweeps sourced by udp port 53,88,389.. etc?

Labels:
0 Helpful
2 Replies 2

sachinraja
Level 9
Level 9

‎11-16-2004 10:37 PM

Hello,

you can normally filter the whole signature using the event filter menu. Unfortunately, you cannot filter the signature based on source/dest port numbers.. filtering can be done with the following parameters:

1) signature id

2) subsignature id

3) source IP

4) destination IP

In addition to this, there is a signature configuration wizard on IDM, where you can configure new signatures based on source port/dest port/source IP / dest IP, but am not sure if you can remove or filter ports on an already existing signature given by cisco. i dont think this is possible..

All the best !!

0 Helpful

ktimm
Level 1
Level 1
In response to sachinraja

‎11-17-2004 11:41 AM

You can filter out src and dst IP's based on what they are doing. You can also change the port list on the IDS sig which is currently 1-1023 to be something like 1-52;54-87;89-160;163-387;390-1023.

Or you can alert on data post some pre-analysis engine that has the ability to filter out events based on port.

0 Helpful
Customers Also Viewed These Support Documents