I am trying to set up Net Flood signatures. I enabled the following signatures - 6902/0, 6903/0, 6910/0 and 6920/0:
signatures 6903 0
signatures 6910 0
signatures 6920 0
All of the mentioned signatures have "Event Count Key" and "Summary Key" set to "Attacker and victim address".
But in the event store I got events without any mention of the parties taking part in my simple attack (with nmap's help):
evIdsAlert: eventId=1238425548375713811 vendor=Cisco severity=informational
time: may 10, 2009 19:22:50 UTC offset=360 timeZone=GMT+06:00
signature: description=Net Flood ICMP Any id=6903 version=S4 type=other created=20010725
alertDetails: MaxPPS during this interval: 4 ;
I see an attack, but I can see neither an attacker nor a victim.
I tested those signatures on ids-4215 and ips-4255 with software version 6.0(5)E3 and 6.2(1)E3 in promiscuous mode. Results were the same.
Can anybody explain why the participants field is empty? How can it be filled with real information?
Hoping to see a solution.
The Flood Net Engine is coded to look at the entire network (all traffic being monitored by the Virtual Sensor). The Flood Net signatures cannot be configured to track individual addresses because the engine just wasn't built to do that. The engine doesn't track addresses at all; it just tracks packet counts/rates for the specific protocols.
You could try using the Flood Host Engine signatures, but even then I am not sure if it will work exactly the way you hope. Most of the Flood signatures have been hard coded to look for specific types of traffic, and there is little that a user can tune on the signatures to change their behaviour.
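To make the distinction in the answer concrete, the following is an added model (not Cisco's engine code, and not from either poster): a network-wide per-protocol rate counter in the style of Flood Net beside a per-destination counter in the style of Flood Host. The sample packets, the 1-second interval and the threshold are constructed for illustration.

```python
"""Why a network-wide flood counter has no addresses to report, while a
per-host counter does.  Added illustration; traffic and threshold constructed."""
from collections import Counter, defaultdict

# Constructed sample traffic: (timestamp_seconds, protocol, src, dst)
PACKETS = [
    (0.1, "icmp", "10.0.0.5", "192.168.1.10"),
    (0.2, "icmp", "10.0.0.5", "192.168.1.10"),
    (0.3, "icmp", "10.0.0.5", "192.168.1.10"),
    (0.4, "icmp", "10.0.0.5", "192.168.1.10"),
    (0.6, "tcp",  "10.0.0.7", "192.168.1.20"),
    (1.2, "icmp", "10.0.0.9", "192.168.1.10"),
    (1.5, "icmp", "10.0.0.9", "192.168.1.10"),
]

def flood_net(packets, protocol, interval=1.0):
    """Flood-Net style: count packets of one protocol per interval across the
    whole monitored network and return the peak packets per second.  Source and
    destination are never stored, so an alert built from this state can only
    carry a value like 'MaxPPS during this interval'."""
    per_interval = Counter()
    for ts, proto, _src, _dst in packets:
        if proto == protocol:
            per_interval[int(ts // interval)] += 1
    max_pps = max(per_interval.values(), default=0) / interval
    return {"protocol": protocol, "max_pps": max_pps}

def flood_host(packets, protocol, threshold_pps, interval=1.0):
    """Flood-Host style: the same count kept per destination address, so a
    threshold crossing can name the victim and the sources seen hitting it."""
    per_victim = defaultdict(Counter)
    sources = defaultdict(set)
    for ts, proto, src, dst in packets:
        if proto == protocol:
            per_victim[dst][int(ts // interval)] += 1
            sources[dst].add(src)
    alerts = []
    for victim, buckets in per_victim.items():
        peak = max(buckets.values()) / interval
        if peak >= threshold_pps:
            alerts.append({"victim": victim, "max_pps": peak,
                           "attackers": sorted(sources[victim])})
    return alerts

if __name__ == "__main__":
    print(flood_net(PACKETS, "icmp"))                 # rate only, no addresses
    print(flood_host(PACKETS, "icmp", threshold_pps=3))  # victim and sources named
```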