Flood signatures

Answered Question
May 10th, 2009

Hello all!


I am trying to set up Net Flood signatures. I enabled the following signatures: 6902/0, 6903/0, 6910/0 and 6920/0:

signatures 6903 0
  status
    enabled true
  exit
exit

signatures 6910 0
  status
    enabled true
  exit
exit

signatures 6920 0
  status
    enabled true
  exit
exit

All of the mentioned signatures have “Event Count Key” and “Summary Key” set to “Attacker and victim address”.

But in the event store I get events without any mention of the parties taking part in my simple attack (generated with nmap's help):

evIdsAlert: eventId=1238425548375713811 vendor=Cisco severity=informational
  originator:
    hostId: ips4255
    appName: sensorApp
    appInstanceId: 405
  time: may 10, 2009 19:22:50 UTC offset=360 timeZone=GMT+06:00
  signature: description=Net Flood ICMP Any id=6903 version=S4 type=other created=20010725
    subsigId: 0
    marsCategory: DoS/Network/ICMP
  interfaceGroup: vs0
  vlan: 0
  participants:
  alertDetails: MaxPPS during this interval: 4 ;


I see an attack, but I can see neither the attacker nor the victim.

I tested those signatures on an IDS-4215 and an IPS-4255 with software versions 6.0(5)E3 and 6.2(1)E3 in promiscuous mode. The results were the same.

Can anybody explain why the participants field is empty? How can it be filled with real information?


With hope to see a solution,

Maxim

Correct Answer by marcabal (Cisco Employee), Mon, 05/11/2009 - 05:26

The Flood Net Engine is coded to look at the entire network (all traffic being monitored by the Virtual Sensor). The Flood Net signatures cannot be configured to track individual addresses because the engine just wasn't built to do that. The engine doesn't track addresses at all; it just tracks packet counts/rates for the specific protocols.


You could try using the Flood Host Engine signatures, but even then I am not sure if it will work exactly the way you hope. Most of the Flood signatures have been hard coded to look for specific types of traffic, and there is little that a user can tune on the signatures to change their behaviour.


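Added example (not from the thread or from Cisco): a small Python model of why a network-wide rate counter like the Flood Net engine described above can report MaxPPS but never participants, next to a per-address-pair counter that can name both ends. The traffic and thresholds are constructed; the per-pair variant is an assumption about what a host-oriented engine would have to track, not Cisco's implementation.

```python
from collections import Counter, defaultdict

# Constructed sample traffic (not a capture): (time_ms, src, dst, proto).
# 40 ICMP packets from one source to one victim within ~2 s, a second
# low-rate ICMP pair, and a single UDP packet.
PACKETS = (
    [(50 * i, "10.0.0.5", "10.0.0.20", "icmp") for i in range(40)]
    + [(500 + 200 * i, "10.0.0.7", "10.0.0.21", "icmp") for i in range(10)]
    + [(300, "10.0.0.9", "10.0.0.22", "udp")]
)

def flood_net(packets, proto, rate_pps):
    """Network-wide rate check, as in the answer above: count every packet
    of one protocol per second without storing any address. The alert can
    carry MaxPPS, but there is nothing to put into participants."""
    per_second = Counter(t // 1000 for t, _, _, p in packets if p == proto)
    max_pps = max(per_second.values(), default=0)
    if max_pps <= rate_pps:
        return None
    return {"proto": proto, "max_pps": max_pps, "participants": None}

def flood_host(packets, proto, rate_pps):
    """Per-address-pair variant (assumed illustration of host-oriented
    bookkeeping, not Cisco's code): one counter per (src, dst, second),
    so an alert can name attacker and victim."""
    per_pair_second = Counter(
        (src, dst, t // 1000) for t, src, dst, p in packets if p == proto
    )
    peak = defaultdict(int)
    for (src, dst, _), n in per_pair_second.items():
        peak[(src, dst)] = max(peak[(src, dst)], n)
    return [
        {"proto": proto, "max_pps": n, "attacker": src, "victim": dst}
        for (src, dst), n in sorted(peak.items()) if n > rate_pps
    ]

if __name__ == "__main__":
    print(flood_net(PACKETS, "icmp", 15))   # aggregate rate, no participants
    print(flood_host(PACKETS, "icmp", 15))  # only the high-rate pair, with both addresses
```

The aggregate counter sees 25 ICMP packets in the busiest second but has no idea which pair produced them, which is exactly the empty participants field in the event above.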
Maxim Zimovets Mon, 05/11/2009 - 08:34

Hi MARCOA!


Thank you for your complete reply. My initial thoughts were the same. And you gave me real ground for it.


Thank you again.

Maxim
