Trying to get some clarification on Cisco IDS/IPS Signatures for TCP Port Sweeps.
Signature 3001 "TCP Port Sweep" reads as follows:
"Triggers when a series of TCP connections to a number of different privileged ports (having port number less than 1024) on a specific host have been initiated. ....This is a catchall signature which will fire if the specific type of TCP Port Sweep cannot be determined."
My question is this - if all of the other TCP Port Sweep Signatures are disabled, would they then qualify to be caught in signature 3001, or would the type be determined and not notified on due to them being disabled? I assume that when a signature is disabled, the logic for the signature also becomes disabled, which would make it undetermined and thus caught by Sig3001. I was hoping someone has run into this situation before and could provide me some feedback.
The theory behind this is that in my environment I don't necessarily care what type of port sweep was initiated, only that there was.
Thanks in advance,
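
A type-agnostic sweep check along the lines of the trigger condition quoted from the signature description above, as an added example that is not part of the original post and not Cisco's implementation. The record format, the threshold of 5 distinct ports, the 30-second window, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

PRIVILEGED_MAX = 1024  # from the signature text: "port number less than 1024"
MIN_PORTS = 5          # assumed threshold, not a Cisco value
WINDOW_SECS = 30.0     # assumed window, not a Cisco value


def detect_sweeps(events, min_ports=MIN_PORTS, window=WINDOW_SECS):
    """events: (ts, src_ip, dst_ip, dst_port, tcp_flags) tuples sorted by ts.
    Returns one alert (ts, src, dst, sorted_ports) per burst for each
    source that opens connections to many privileged ports on one host."""
    recent = defaultdict(deque)  # (src, dst) -> deque of (ts, port)
    alerted = set()              # pairs already reported in the current burst
    alerts = []
    for ts, src, dst, port, flags in events:
        # Only connection initiations (bare SYN) to privileged ports count.
        if flags != "S" or port >= PRIVILEGED_MAX:
            continue
        key = (src, dst)
        q = recent[key]
        q.append((ts, port))
        while q and ts - q[0][0] > window:  # expire events outside the window
            q.popleft()
        ports = {p for _, p in q}           # repeats of one port count once
        if len(ports) < min_ports:
            alerted.discard(key)            # re-arm once activity drops off
        elif key not in alerted:
            alerted.add(key)
            alerts.append((ts, src, dst, sorted(ports)))
    return alerts


# Constructed sample events (documentation and private address ranges).
SAMPLE = sorted(
    [(float(i), "10.0.0.5", "192.0.2.10", p, "S")       # sweep: 6 low ports
     for i, p in enumerate([21, 22, 23, 25, 80, 110])]
    + [(float(i), "10.0.0.7", "192.0.2.10", 443, "S")   # one port, repeated
       for i in range(6)]
    + [(float(i), "10.0.0.8", "192.0.2.10", p, "S")     # unprivileged ports
       for i, p in enumerate([3306, 5432, 6379, 8080, 8443])]
    + [(t, "10.0.0.9", "192.0.2.20", p, "S")            # too slow for window
       for t, p in [(0, 21), (1, 22), (2, 23), (3, 25), (100, 80)]]
)

if __name__ == "__main__":
    for alert in detect_sweeps(SAMPLE):
        print("privileged-port sweep:", alert)
```

The check reports that a sweep occurred without classifying its type; whether a sensor with the specific sweep signatures disabled behaves this way is the open question in the post and is not answered by this code.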