Cisco IDS TCP Port Sweep Signatures

Hello all,

Trying to get some clarification on Cisco IDS/IPS Signatures for TCP Port Sweeps.

Signature 3001 "TCP Port Sweep" reads as follows:

"Triggers when a series of TCP connections to a number of different privileged ports (having port number less than 1024) on a specific host have been initiated. ....This is a catchall signature which will fire if the specific type of TCP Port Sweep cannot be determined."

My question is this - if all of the other TCP Port Sweep Signatures are disabled, would they then qualify to be caught in signature 3001, or would the type be determined and not notified on due to them being disabled? I assume that when a signature is disabled, the logic for the signature also becomes disabled, which would make it undetermined and thus caught by Sig3001. I was hoping someone has run into this situation before and could provide me some feedback.

The theory behind this is that in my environment I don't necessarily care what type of port sweep was initiated, only that there was.

Thanks in advance,

Al McGale
