• Status: Solved

ASA 5510 w/ IPS TCP SYN Host Sweep (Newbie)

I'm new so hang on.
We have a Cisco ASA 5510 with an IPS sensor, and we look pretty good, but I am getting the following informational events across the network.
Any information about what is going on would be great. As far as I can tell, the PCs are scanning for some reason.

Thanks
Paul

informational      11/03/2008      14:21:14      ASA      TCP SYN Host Sweep      3030/0      10.124.x.x      65.55.197.248                  31      31

Event ID      1225729791310581506
Severity      informational
Host ID      X-IPS
Application Name      sensorApp
Event Time      11/03/2008 13:35:30
Sensor Local Time      10/03/2008 13:35:30
Signature ID      3030
Signature Sub-ID      0
Signature Name      TCP SYN Host Sweep
Signature Version      S2
Signature Details      
Interface Group      vs0
VLAN ID      0
Interface      GigabitEthernet0/1
Attacker IP      10.124.x.x
Protocol      tcp
Attacker Port      3936
Attacker Locality      OUT
Target IP      65.55.12.249
Target Port      
Target Locality      OUT
Target OS      unknown unknown (relevant)
Actions      
Risk Rating      TVR=medium ARR=relevant
Risk Rating Value      31
Threat Rating      31
Context Data      
Packet Data      
Event Summary      0
Initial Alert      
Summary Type      
Final Alert      
Event Status      New
Event Notes      
1 Solution
 
kyleb84 commented:
Ignore it, it's just the PCs looking for Windows updates / genuine licensing.

65.55.12.249 is Microsoft, try it: http://65.55.12.249/


PaulDub (Author) commented:
Sorry, I should have used another message that wasn't Microsoft. Here is a group of them from one PC. I did a whois on a few of them: Yahoo, Facebook, and I get a lot of Level 3 Communications. I'm just wondering why. Thanks for your reply.

informational      11/04/2008      10:30:10      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            63.135.80.48                  31      31
informational      11/04/2008      10:24:47      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            64.4.52.189                  31      31
informational      11/04/2008      10:28:31      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            64.86.183.80                  31      31
informational      11/04/2008      10:19:50      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            64.152.208.68                  31      31
informational      11/04/2008      09:42:55      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            65.54.195.188                  31      31
informational      11/04/2008      10:26:55      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            66.114.53.13                  31      31
informational      11/04/2008      10:28:50      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            74.125.19.167                  31      31
informational      11/04/2008      10:31:05      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            74.125.95.127                  31      31
informational      11/04/2008      10:27:29      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            75.126.132.37                  31      31
informational      11/04/2008      10:29:20      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            192.147.161.210                  31      31
informational      11/04/2008      10:26:32      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            205.177.95.71                  31      31
informational      11/04/2008      10:26:18      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            205.177.95.103                  31      31
informational      11/04/2008      10:00:24      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            208.111.168.7                  31      31
informational      11/04/2008      09:49:48      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            209.191.92.114                  31      31
informational      11/04/2008      09:51:54      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            209.191.92.114                  31      31
informational      11/04/2008      10:29:48      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            216.178.38.222                  31      31
informational      11/04/2008      10:30:48      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            216.178.39.217                  31      31

Paul

PaulDub (Author) commented:
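As an added example (not from the original thread), here is a small parser for the event rows pasted above, followed by a per-attacker summary a defender would want before deciding whether a "TCP SYN Host Sweep" alert is worth chasing: how many rows, how many distinct targets, how long the activity spanned, which targets were hit more than once, and whether any target is an internal (private) address. The sample input is the seventeen rows from the post; the column layout (severity, date, time, device, signature name, sigid/subid, attacker, target, risk, threat) is inferred from those rows and is an assumption.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Sample input: the seventeen event rows quoted in the post above, whitespace-separated.
# Assumed column order, left to right: severity, date, time, device, signature name
# (variable number of words), sigid/subid, attacker, target, risk rating, threat rating.
SAMPLE_EVENTS = """\
informational 11/04/2008 10:30:10 ASA TCP SYN Host Sweep 3030/0 x.x.x.x 63.135.80.48 31 31
informational 11/04/2008 10:24:47 ASA TCP SYN Host Sweep 3030/0 x.x.x.x 64.4.52.189 31 31
informational 11/04/2008 10:28:31 ASA TCP SYN Host Sweep 3030/0 x.x.x.x 64.86.183.80 31 31
informational 11/04/2008 10:19:50 ASA TCP SYN Host Sweep 3030/0 x.x.x.x 64.152.208.68 31 31
informational 11/04/2008 09:42:55 ASA TCP SYN Host Sweep 3030/0 x.x.x.x 65.54.195.188 31 31
informational 11/04/2008 10:26:55 ASA TCP SYN Host Sweep 3030/0 x.x.x.x 66.114.53.13 31 31
informational 11/04/2008 10:28:50 ASA TCP SYN Host Sweep 3030/0 x.x.x.x 74.125.19.167 31 31
informational 11/04/2008 10:31:05 ASA TCP SYN Host Sweep 3030/0 x.x.x.x 74.125.95.127 31 31
informational 11/04/2008 10:27:29 ASA TCP SYN Host Sweep 3030/0 x.x.x.x 75.126.132.37 31 31
informational 11/04/2008 10:29:20 ASA TCP SYN Host Sweep 3030/0 x.x.x.x 192.147.161.210 31 31
informational 11/04/2008 10:26:32 ASA TCP SYN Host Sweep 3030/0 x.x.x.x 205.177.95.71 31 31
informational 11/04/2008 10:26:18 ASA TCP SYN Host Sweep 3030/0 x.x.x.x 205.177.95.103 31 31
informational 11/04/2008 10:00:24 ASA TCP SYN Host Sweep 3030/0 x.x.x.x 208.111.168.7 31 31
informational 11/04/2008 09:49:48 ASA TCP SYN Host Sweep 3030/0 x.x.x.x 209.191.92.114 31 31
informational 11/04/2008 09:51:54 ASA TCP SYN Host Sweep 3030/0 x.x.x.x 209.191.92.114 31 31
informational 11/04/2008 10:29:48 ASA TCP SYN Host Sweep 3030/0 x.x.x.x 216.178.38.222 31 31
informational 11/04/2008 10:30:48 ASA TCP SYN Host Sweep 3030/0 x.x.x.x 216.178.39.217 31 31
"""


def parse_event(line):
    """Parse one exported event row into a dict. The signature name can be several
    words, so fixed fields are taken from both ends of the whitespace-split row."""
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"unexpected event row: {line!r}")
    sig_id, sub_id = f[-5].split("/")
    return {
        "severity": f[0],
        "time": datetime.strptime(f"{f[1]} {f[2]}", "%m/%d/%Y %H:%M:%S"),
        "device": f[3],
        "signature": " ".join(f[4:-5]),
        "sig_id": int(sig_id),
        "sub_id": int(sub_id),
        "attacker": f[-4],
        "target": f[-3],
        "risk": int(f[-2]),
        "threat": int(f[-1]),
    }


def is_internal(ip):
    """True for RFC 1918 / loopback / link-local targets; False for anything else
    (including masked placeholders such as x.x.x.x, which cannot be parsed)."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def summarize(text):
    """Group rows by attacker and return the triage facts per source."""
    by_src = defaultdict(list)
    for line in text.strip().splitlines():
        ev = parse_event(line)
        by_src[ev["attacker"]].append(ev)

    summary = {}
    for src, evs in by_src.items():
        times = sorted(e["time"] for e in evs)
        hits = defaultdict(int)
        for e in evs:
            hits[e["target"]] += 1
        summary[src] = {
            "events": len(evs),
            "unique_targets": sorted(hits),
            "repeat_targets": sorted(t for t, n in hits.items() if n > 1),
            "internal_targets": sorted(t for t in hits if is_internal(t)),
            "span_seconds": int((times[-1] - times[0]).total_seconds()),
            "max_risk": max(e["risk"] for e in evs),
        }
    return summary


if __name__ == "__main__":
    for src, s in summarize(SAMPLE_EVENTS).items():
        print(src, s)
```

For the rows in the post this reports one source, 17 rows, 16 distinct public targets over roughly 48 minutes, no internal targets and only one target hit twice, which is the profile of a workstation browsing large multi-server sites rather than of a host enumerating the local network. A sweep whose targets are mostly internal addresses, or one where a single source keeps producing new distinct targets hour after hour, is the case that deserves a closer look.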
More points added.

kyleb84 commented:
"Signature 3030 fires when 15 or more unique TCP SYN packets are detected from a single source IP address to a number of different destination IP addresses"

- A user goes to visit Facebook; a SYN packet is sent.
- There are, say, 8 different image/content servers for Facebook, each supplying different parts of the web page.
- There are 10 different ad servers that Facebook integrates into its web page as well.

- Each of these servers requires the PC to initiate a TCP connection (HTTP).
- The first packet sent on every TCP connection is a SYN packet.

20 SYN packets are detected to different servers in less than say 5 seconds, which would give you that alert.

This would be very common for LARGE web sites like MySpace, Facebook and Microsoft, all of which would have many different servers collectively holding content for every web page.

There is nothing sinister about these "alerts" you've listed.

In a real security event, the method is called "TCP SYN flooding" and is a DoS attack designed to consume all resources of a single host. Windows XP and many other network-ready devices made after 2004 are not susceptible to this kind of attack anymore.

In fact it's kind of pointless and could be turned off - leaving your alerts for more important - and perhaps actual security alerts.


PaulDub (Author) commented:
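To make the explanation above concrete, here is an added example (my code, not Cisco's signature implementation and not from the thread) that models the rule as quoted: count distinct destination IPs seen in SYN packets from one source inside a sliding time window and raise an alert when the count reaches 15. The 15-destination threshold comes from the quoted signature description; the 5-second window is an assumption taken from the "say 5 seconds" in the reply, since the sensor's real window is not given on the page. The traffic is constructed: one workstation loading a page that pulls content from 20 hosts, one host talking repeatedly to only three servers, and one host that opens connections to many servers but slowly.

```python
from collections import defaultdict, deque

SWEEP_THRESHOLD = 15   # unique destinations, from the quoted description of signature 3030
WINDOW_SECONDS = 5.0   # assumption: the reply says "say 5 seconds"; the real sensor window is not on the page


def detect_host_sweeps(syn_packets, threshold=SWEEP_THRESHOLD, window=WINDOW_SECONDS):
    """Model of a SYN host-sweep rule.

    syn_packets: iterable of (t_seconds, src_ip, dst_ip), one per TCP SYN, in time order.
    Returns a list of (src_ip, t_fired, unique_dst_count) with one entry each time a
    source crosses the threshold; it re-arms once the windowed count drops below it.
    """
    recent = defaultdict(deque)   # src -> deque of (t, dst) inside the window
    armed = defaultdict(lambda: True)
    alerts = []
    for t, src, dst in syn_packets:
        q = recent[src]
        q.append((t, dst))
        while q and t - q[0][0] > window:   # expire packets older than the window
            q.popleft()
        unique = len({d for _, d in q})
        if unique >= threshold and armed[src]:
            alerts.append((src, t, unique))
            armed[src] = False
        elif unique < threshold:
            armed[src] = True
    return alerts


def sample_traffic():
    """Constructed SYN packets; hostnames stand in for the content/ad server IPs."""
    pkts = []
    # 10.0.0.5: one page load, 20 distinct servers (content + ad hosts) within 2 seconds.
    for i in range(20):
        pkts.append((100 + i / 10, "10.0.0.5", f"cdn{i}.example"))
    # 10.0.0.6: chatty, 30 SYNs in 3 seconds but only 3 distinct servers (never a sweep).
    for i in range(30):
        pkts.append((100 + i / 10, "10.0.0.6", f"app{i % 3}.example"))
    # 10.0.0.7: 20 distinct servers, but one new connection every 2 seconds, so at most
    # three distinct destinations ever share a 5-second window.
    for i in range(20):
        pkts.append((100 + 2 * i, "10.0.0.7", f"srv{i}.example"))
    return sorted(pkts)


if __name__ == "__main__":
    for src, t, n in detect_host_sweeps(sample_traffic()):
        print(f"{src}: {n} distinct destinations within {WINDOW_SECONDS}s at t={t:.1f}s")
```

Run as written, only 10.0.0.5 fires, at the fifteenth distinct destination of its page load; the host that reconnects to the same three servers thirty times never does, and neither does the slow one. That is the whole of the reply above in code: the rule keys on distinct destinations per unit time, which a modern web page satisfies by itself, so on an outbound-facing sensor it mostly measures how many servers popular sites are spread across. If you keep the signature enabled, scoping it to internal-to-internal traffic, or raising the threshold or the risk rating at which you are notified, keeps the detection for the case it is meant for without paging you for every page load.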
Well explained... Thanks
Question has a verified solution.