Signature 1315 - ACK w/o TCP Stream - why alerting?

Answered Question

We upgraded one of our sensors to 6.0(1)E1 and now we are seeing extremely high alerts on this particular signature. The signature is NOT set to alert. Any ideas on what we can do to stop the alert other than filter something that should not need filtering?


Correct Answer by scothrel about 10 years 3 months ago

Its actually one of the more common oversights....

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (2 ratings)
scothrel Fri, 03/09/2007 - 11:15
User Badges:
  • Cisco Employee,

Do you have an event action override installed on the system to generate an alert for a risk rating (RR) greater than some value? If so, then even signatures that are set to "no action" will get the override applied if their resultant RR satifies the override criteria.

If this is the case, then you have several can adjust the override to raise the minimum RR value that triggers the override, or, you can tune the signature to lower its effect RR. The later can be accomplished by lowering either its Severity level (info, low, medium, high etc) or lowering its Fidelity value.

The signature helps address some covert channels used by some exploit software.

Correct Answer
scothrel Fri, 03/09/2007 - 11:38
User Badges:
  • Cisco Employee,

Its actually one of the more common oversights....

klwiley Fri, 03/09/2007 - 11:25
User Badges:
  • Cisco Employee,

Is it possible that you have an override to add an alert action?


This Discussion