03-13-2007 11:30 AM - edited 03-10-2019 03:30 AM
Well, we are using an IDS 4235 offline with mirrored ports and executing ACLs on the external router.
I want to build a custom signature which will reset the TCP SYN sessions if there are more than 10 or 12 from a single IP.
Can someone comment on how it's going to be with the Cisco IDS 4235?
03-13-2007 11:36 AM
If your IDS is running 5.1, the following link would be helpful in creating custom signatures:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/idmguide/dmsigwiz.htm
As you are only talking about a single packet of TCP SYN, you need to create a signature using Atomic signature engine parameters.
Hope that helps.
Regards,
Vibhor.
03-13-2007 12:50 PM
Thanks for your reply.
Well, my question is very simple: I want to trigger (reset) on TCP SYN packets if the number of concurrent SYNs is more than 10, or exceeding this limit, from one host (IP).
My problem is that I don't know where I can define the number of concurrent sessions while creating a signature, even an atomic signature. Would you please point this out?
03-14-2007 05:44 AM
Use the "event counter" settings to determine how many of the matching events must occur before an action is taken. Have a look at sig 6009-0 for an example of how this is done.
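A small model of the event-counter behaviour described in the reply above, added here as an example (it is not Cisco code and not from any poster in this thread): an atomic match on a bare SYN is counted per source address, and the action fires only when one source reaches the count within an interval. The class and function names, the 60-second interval, and the sample packets are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

SYN, ACK = 0x02, 0x10  # TCP flag bits


class SynEventCounter:
    """Fire once a single source sends `event_count` bare SYNs within `interval` seconds."""

    def __init__(self, event_count=10, interval=60):
        self.event_count = event_count
        self.interval = interval
        self._seen = defaultdict(deque)  # source IP -> timestamps of matching SYNs

    def observe(self, ts, src, tcp_flags):
        # Atomic (single-packet) match: SYN set, ACK clear. SYN-ACK replies are ignored.
        if not (tcp_flags & SYN) or (tcp_flags & ACK):
            return False
        window = self._seen[src]
        window.append(ts)
        # Drop matches that have aged out of the counting interval.
        while window and ts - window[0] > self.interval:
            window.popleft()
        if len(window) >= self.event_count:
            window.clear()  # restart the count after the action fires
            return True
        return False


def sources_to_act_on(packets, **settings):
    """Return (timestamp, source) for every point where the counter fires."""
    counter = SynEventCounter(**settings)
    return [(ts, src) for ts, src, flags in packets if counter.observe(ts, src, flags)]


# Constructed sample traffic as (seconds, source IP, TCP flags), documentation addresses only.
SAMPLE = sorted(
    [(t, "192.0.2.10", SYN) for t in range(12)]             # 12 SYNs in 12 s
    + [(t * 10, "198.51.100.5", SYN) for t in range(10)]    # 10 SYNs spread over 90 s
    + [(t, "192.0.2.30", SYN | ACK) for t in range(20)]     # SYN-ACKs, never counted
    + [(t, "192.0.2.20", SYN) for t in range(3)]            # only 3 SYNs
)

if __name__ == "__main__":
    for ts, src in sources_to_act_on(SAMPLE, event_count=10, interval=60):
        print(f"t={ts}s: threshold reached for {src}")
```

The slow source never triggers because its SYNs age out of the interval before the count is reached, which is why the interval matters as much as the count when tuning such a signature.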