IDS4235 Custom Signature

Unanswered Question
Mar 13th, 2007

Well, we are using IDS 4235 offline with mirrored ports and executing ACLs on the external router.

I want to build a custom signature which will reset the TCP SYN sessions if there are more than 10 or 12 from a single IP.

Can someone comment on how it's going to be with Cisco IDS 4235?

jahilnt10 Tue, 03/13/2007 - 12:50

Thanks for your reply.

Well, my question is very simple: I want to trigger (reset) on TCP SYN packets if the number of concurrent SYNs from one host (IP) is more than 10 or exceeds this limit.

My problem is that I don't know where I can define the number of concurrent sessions while creating a signature, even an atomic signature. Would you please point this out?

mhellman Wed, 03/14/2007 - 05:44

Use the "event counter" settings to determine how many of the matching events must occur before an action is taken. Have a look at sig 6009-0 for an example of how this is done.
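
To make the event-counter idea concrete, here is an added example (not from the thread, and not Cisco sensor configuration or the contents of sig 6009-0) that models counting matching events per source address within an interval before an action fires. The function names, the 60-second interval and the sample packets are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

SYN, ACK = 0x02, 0x10  # TCP flag bits


def syn_threshold_alerts(packets, event_count=10, interval=60.0):
    """Return (timestamp, src_ip) each time one source sends more than
    `event_count` bare SYNs within `interval` seconds.

    `packets` is an iterable of (timestamp, src_ip, tcp_flags) in time order.
    """
    recent = defaultdict(deque)  # src_ip -> timestamps of counted SYNs
    alerts = []
    for ts, src, flags in packets:
        # The "signature" part: match only SYN without ACK.
        if not (flags & SYN) or (flags & ACK):
            continue
        window = recent[src]
        window.append(ts)
        # Drop matches that fell out of the counting interval.
        while window and ts - window[0] > interval:
            window.popleft()
        # The "event counter" part: act only once the count is exceeded.
        if len(window) > event_count:
            alerts.append((ts, src))  # a reset action would be attached here
            window.clear()            # start counting again after firing
    return alerts


def sample_packets():
    """Constructed sample traffic using documentation address ranges."""
    pkts = []
    # 12 SYNs in under 6 seconds from one host: exceeds the limit of 10.
    pkts += [(i * 0.5, "192.0.2.10", SYN) for i in range(12)]
    # 12 SYNs spaced 10 seconds apart: never more than 7 inside 60 seconds.
    pkts += [(i * 10.0, "198.51.100.7", SYN) for i in range(12)]
    # SYN-ACK replies do not match the signature and are never counted.
    pkts += [(i * 0.1, "203.0.113.5", SYN | ACK) for i in range(20)]
    return sorted(pkts)


if __name__ == "__main__":
    for ts, src in syn_threshold_alerts(sample_packets()):
        print(f"t={ts:.1f}s threshold exceeded by {src}")
```

Keying the counter on the source address is what keeps slow, legitimate connection attempts from many hosts from adding up to a single alert.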
