I know that this has been talked about many times, but wanted to ask a couple of points.
Question 1. On the WCS, on some days we are receiving up to 70+ critical alarms for signature attacks. These are all Deauth, Auth Flood attacks. (There are a couple of Assoc floods).
Pls see similar post on open forum
Now, in the signature file we have the following profiles set. (Pls note Deauth flood and Assoc Flood, BUT NO AUTH FLOOD)
Name = "Deauth flood", Ver = 0, Preced= 8, FrmType = mgmt, Pattern = 0:0:0x00C0:0x00FF, Freq=50, Quiet = 600, Action = report, Desc="Deauthentication flood", Track=signature_n_mac, MacFreq=30
Name = "Assoc flood", Ver = 0, Preced= 4, FrmType = mgmt, Pattern = 0:0:0x0000:0x00FF, Freq=50, Quiet = 600, Action = report, Desc="Association Request flood", Track=signature_n_mac, MacFreq=30
Can you guys or Cisco TAC advise us on whether we need to change these values, and are there any rules? And where is the signature pattern for an "Auth flood"? Don't see it in the file.
Question 2. The WCS only appears to report these critical signature alarms (and other alarms) for the last 7 days. I have tried to read through the WCS documentation and cannot find what happens to the alarms after 7 days and if this 7-day period is configurable?
Once again, Many thx guys for all the help,
Ken ( all IDS'd out )
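The two signature lines quoted in the post can be decoded with a short script. This is an added example, not part of the original post and not Cisco code. It assumes the last two fields of `Pattern` are a value and a mask applied to the 802.11 Frame Control field, and the function names are hypothetical.

```python
import re

# The two signature lines quoted in the post above.
SIGNATURE_LINES = [
    'Name = "Deauth flood", Ver = 0, Preced= 8, FrmType = mgmt, Pattern = 0:0:0x00C0:0x00FF, Freq=50, Quiet = 600, Action = report, Desc="Deauthentication flood", Track=signature_n_mac, MacFreq=30',
    'Name = "Assoc flood", Ver = 0, Preced= 4, FrmType = mgmt, Pattern = 0:0:0x0000:0x00FF, Freq=50, Quiet = 600, Action = report, Desc="Association Request flood", Track=signature_n_mac, MacFreq=30',
]

# IEEE 802.11 Frame Control: bits 2-3 = frame type, bits 4-7 = subtype.
FRAME_TYPES = {0: "mgmt", 1: "ctrl", 2: "data"}
MGMT_SUBTYPES = {0: "association request", 10: "disassociation",
                 11: "authentication", 12: "deauthentication"}

# key = value pairs; a value is either a quoted string or runs to the next comma.
FIELD_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^,]+)')

def parse_signature(line):
    """Split one signature line into a dict of field name -> string value."""
    return {k: v.strip().strip('"') for k, v in FIELD_RE.findall(line)}

def decode_pattern(pattern):
    """Return (frame type, subtype name) selected by a Pattern field."""
    # Assumption: the last two colon-separated fields are value:mask
    # over the Frame Control field; earlier fields are ignored here.
    *_, value, mask = (int(part, 0) for part in pattern.split(":"))
    fc = value & mask
    ftype = FRAME_TYPES.get((fc >> 2) & 0x3, "reserved")
    subtype = (fc >> 4) & 0xF
    if ftype == "mgmt" and subtype in MGMT_SUBTYPES:
        return ftype, MGMT_SUBTYPES[subtype]
    return ftype, f"subtype {subtype}"

def summarize(line):
    """Decode one signature and check the pattern against its FrmType."""
    sig = parse_signature(line)
    ftype, subtype = decode_pattern(sig["Pattern"])
    return {"name": sig["Name"], "subtype": subtype,
            "type_matches_FrmType": ftype == sig["FrmType"],
            "Freq": int(sig["Freq"]), "MacFreq": int(sig["MacFreq"]),
            "Quiet": int(sig["Quiet"])}

def covered_subtypes(lines):
    """Set of 802.11 subtypes that the given signature lines match."""
    return {summarize(line)["subtype"] for line in lines}

if __name__ == "__main__":
    for line in SIGNATURE_LINES:
        print(summarize(line))
    print("authentication covered:",
          "authentication" in covered_subtypes(SIGNATURE_LINES))
```

Under that assumption, the two lines decode to the deauthentication and association request subtypes, and no line in the quoted excerpt selects the authentication subtype.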