Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
368
Views
0
Helpful
3
Replies

IDS4235 Custom Signature

jahilnt10
Level 1
Level 1

‎03-13-2007 11:30 AM - edited ‎03-10-2019 03:30 AM

Well, we are using IDS 4235 off line with mirrored ports and executing acl on external router..

I want to build a custom signature which will reset the tcp syn sessions if more than 10 or 12 from a single IP...

can someone comment how it's gonna be with Cisco IDS 4235

Labels:
0 Helpful
3 Replies 3

vitripat
Level 7
Level 7

‎03-13-2007 11:36 AM

If your IDS is running 5.1, following link would be helpful in creating custom signatures:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/idmguide/dmsigwiz.htm

As you are only talking about a single packet of TCP SYN, you nee to create a signature using Atomic signature engine parameters.

Hope that helps.

Regards,

Vibhor.

0 Helpful

jahilnt10
Level 1
Level 1
In response to vitripat

‎03-13-2007 12:50 PM

thx for ur reply..

Well, My question is very simple, I want to trigger (reset) tcp syn packet if number of concurrent syns are more than 10 or exceeding this limit from one host (IP)...

My problem is don't know where can I define number of concurrent sessions while creating signature even atomic signature..would you please point out this?

0 Helpful

mhellman
Level 7
Level 7
In response to jahilnt10

‎03-14-2007 05:44 AM

Use the "event counter" settings to determine how many of the matching events must occur before an action is taken. Have a look at sig 6009-0 for an example of how this is done.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card