Apr 25th, 2009

I am trying to use summarization for sweep-engine signatures. For my test I use signature 2100 "ICMP Network Sweep w/ECHO". I set the Unique parameter to 10 and Summary Mode to "Fire All" with Summary Threshold set to 3. After that I made a simple nmap ping scan of a network with 256 nodes.

I received 4 alerts with 10 addresses of scanned nodes and no summary alert at all.

I tried several parameters with no success at all. Every time I got several alerts with no summary.

Can anybody explain this behavior of the engine?

P.S. I use version 6.2(1)E3 of the IPS software.

marcabal Sun, 04/26/2009 - 20:53

What was your Summary Interval set to?

Did all 4 alerts happen within the Summary Interval? If not, then they did not happen fast enough to kick in the auto summarization. It is not just the number of alerts, but the number of alerts within a specific time.

My best guess is that the alerts were spread over a minute or two instead of the 30 seconds that is the default Summary Interval.

Trying to force the automatic summarization for the sweep engines can often be very tricky. It is not always easy to tell how many alerts you should see from a sweep. A sweep is really just a single attack. If it lasts long enough you might get some additional alerts firing, but it is still really just the same attack. There are some internal timers within the sensor that control how often additional alerts will be produced for that same sweep. And users do not have control over those timers.

NOTE: Other engines are easier to test for Summarization. This is because you are not relying on internal timers in the sensor. In the atomic engine, if you send 10 packets very fast, then you know 10 alerts will be internally generated, and you can much more easily calculate and determine how those 10 alerts should be treated by the automatic summarization.

If you really want to set the Threshold so low, you are probably better off avoiding the "automatic" upgrade to summarization. Instead, just set it to Summarization mode to begin with, and have it always be summarized.
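
The timing rule described in this reply, as an added example that is not part of this thread and not Cisco's IPS code: a simplified Python model of "Fire All" summarization in which a window of one Summary Interval opens at the first alert, alerts below the Summary Threshold fire individually, and once the threshold is reached the rest of the window is folded into a single summary alert. The window semantics, the event names and the sample alert times are assumptions chosen for illustration. The model consumes alert times, not packets, which is exactly the point made above: for the sweep engine those alert times are decided by internal timers, so the same scan can produce alerts too far apart to ever reach the threshold.

```python
from dataclasses import dataclass


@dataclass
class SummaryConfig:
    """Summary Threshold and Summary Interval (seconds), as in the signature's
    event-action settings. Values here mirror the thread's test: 3 and 30 s."""
    threshold: int = 3
    interval: float = 30.0


def summarize(alert_times, cfg, mode="fire_all"):
    """Simplified (assumed) summarization model.

    alert_times: sorted alert timestamps in seconds, as generated by the engine.
    mode: "fire_all" upgrades to a summary when the threshold is reached inside
          one interval; "summarize" always folds a window into one summary.
    Returns a list of events: ("alert", t) or ("summary", window_end, count).
    """
    events = []
    window_start = None
    count = 0
    summarizing = False
    for t in alert_times:
        # Open a new window when the previous one has expired (or on first alert).
        if window_start is None or t >= window_start + cfg.interval:
            if summarizing:
                events.append(("summary", window_start + cfg.interval, count))
            window_start = t
            count = 0
            summarizing = mode == "summarize"
        count += 1
        # In Fire All mode the threshold-th alert inside the window triggers the
        # upgrade; it and every later alert in the window go into the summary.
        if not summarizing and count >= cfg.threshold:
            summarizing = True
        if summarizing:
            continue
        events.append(("alert", t))
    if summarizing:
        events.append(("summary", window_start + cfg.interval, count))
    return events


def count_events(events):
    """Return (individual alerts, summary alerts) for a quick comparison."""
    alerts = sum(1 for e in events if e[0] == "alert")
    summaries = sum(1 for e in events if e[0] == "summary")
    return alerts, summaries


if __name__ == "__main__":
    cfg = SummaryConfig(threshold=3, interval=30.0)
    # Constructed sample: four sweep alerts within one 30 s interval.
    fast = [0, 10, 20, 25]
    # Constructed sample: four sweep alerts spread over two minutes, one per
    # internal-timer tick, which is the situation the reply above suspects.
    slow = [0, 40, 80, 120]
    print("fast:", summarize(fast, cfg))
    print("slow:", summarize(slow, cfg))
    print("slow, Summarize mode:", summarize(slow, cfg, mode="summarize"))
```

Running the block shows the contrast: the clustered alerts yield two individual alerts and one summary covering four, while the spread-out alerts yield four individual alerts and no summary at all, because no window ever holds three of them. Note that in the always-summarize mode the spread-out case still produces one summary per window rather than one summary for the whole sweep, so a sensor that spaces sweep alerts by its own timers can look as if summarization is not happening.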

Maxim Zimovets Mon, 04/27/2009 - 22:45

Thank you for your comments. My thoughts were almost the same: it's very difficult to catch a real sweep's end.

My test was done as follows:

Unique was set to 5, the threshold to start summarization to 3, with a 30-second Summary Interval.

After that I started to scan a /24 network with nmap. Scan duration was about 3.5 seconds. I repeated the scan several times.

With an interval of about 10 seconds I got 3 to 4 alerts with TARGETS set to the scanned hosts. And no Summary at all.

Setting Summary mode to Summarize gave no Summary alert either.

Maybe I want something impossible?

Of course, with other engines (which have real state, a start and an end) summarization works as expected. There is no problem.

