Flood signatures

Maxim Zimovets (Level 1)

Hello all!

I am trying to set up Net Flood signatures. I enabled the following signatures: 6902/0, 6903/0, 6910/0 and 6920/0:

    signatures 6903 0
      status
        enabled true
        exit
      exit
    signatures 6910 0
      status
        enabled true
        exit
      exit
    signatures 6920 0
      status
        enabled true
        exit
      exit

All of the mentioned signatures have "Event Count Key" and "Summary Key" set to "Attacker and victim address".

But in the event store I got events without any mention of the parties taking part in my simple attack (generated with nmap):

    evIdsAlert: eventId=1238425548375713811 vendor=Cisco severity=informational
      originator:
        hostId: ips4255
        appName: sensorApp
        appInstanceId: 405
      time: may 10, 2009 19:22:50 UTC offset=360 timeZone=GMT+06:00
      signature: description=Net Flood ICMP Any id=6903 version=S4 type=other created=20010725
        subsigId: 0
        marsCategory: DoS/Network/ICMP
      interfaceGroup: vs0
      vlan: 0
      participants:
      alertDetails: MaxPPS during this interval: 4 ;

I see an attack, but I can see neither the attacker nor the victim.

I tested those signatures on an IDS-4215 and an IPS-4255 with software versions 6.0(5)E3 and 6.2(1)E3 in promiscuous mode. The results were the same.

Can anybody explain why the participants field is empty? How can it be filled with real information?

Hoping to see a solution,

Maxim

2 Replies

marcabal (Cisco Employee, accepted solution)

The Flood Net Engine is coded to look at the entire network (all traffic being monitored by the Virtual Sensor). The Flood Net signatures cannot be configured to track individual addresses because the engine just wasn't built to do that. The engine doesn't track addresses at all; it just tracks packet counts/rates for the specific protocols.

You could try using the Flood Host Engine signatures, but even then I am not sure if it will work exactly the way you hope. Most of the Flood signatures have been hard coded to look for specific types of traffic, and there is little that a user can tune on the signatures to change their behaviour.
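As an added illustration of marcabal's point (example code written for this thread, not Cisco's engine or anything posted by the participants): a toy model in which the Net-style engine keeps one rate counter per protocol for the whole monitored network, so its alert has nothing to put in "participants", while a Host-style engine keys its counters by attacker/victim pair. Thresholds, signature names and the sample traffic are constructed.

```python
from collections import defaultdict

# Constructed one-second traffic sample: (src, dst, protocol) per packet.
# Treating the list as one interval makes the count equal to the PPS.
SAMPLE_INTERVAL = (
    [("10.0.0.5", "10.0.0.1", "icmp")] * 6
    + [("10.0.0.6", "10.0.0.1", "icmp")] * 2
    + [("10.0.0.7", "10.0.0.1", "tcp")]
)


def flood_net(packets, protocol, threshold):
    """Net-style model: a single counter per protocol across all traffic.

    No address is ever stored, so the only thing the alert can report is
    the rate itself; "participants" is None (empty), as in the event above.
    """
    pps = sum(1 for _src, _dst, proto in packets if proto == protocol)
    if pps > threshold:
        return {"sig": "Net Flood " + protocol.upper(),
                "max_pps": pps, "participants": None}
    return None


def flood_host(packets, protocol, threshold):
    """Host-style model: one counter per (attacker, victim) pair.

    Because the key carries both addresses, every alert names both parties.
    Only pairs above the threshold fire; low-rate pairs stay silent.
    """
    counts = defaultdict(int)
    for src, dst, proto in packets:
        if proto == protocol:
            counts[(src, dst)] += 1
    return [{"sig": "Host Flood " + protocol.upper(),
             "attacker": src, "victim": dst, "pps": n}
            for (src, dst), n in counts.items() if n > threshold]


if __name__ == "__main__":
    print(flood_net(SAMPLE_INTERVAL, "icmp", 3))   # participants is None
    print(flood_host(SAMPLE_INTERVAL, "icmp", 3))  # names 10.0.0.5 -> 10.0.0.1
```

The model shows why correlation with a second data source (a Host-engine signature, NetFlow, or firewall logs) is needed to attribute a Net Flood alert; the alert itself never had the addresses to give.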

Hi MARCOA!

Thank you for your complete reply. My initial thoughts were the same. And you gave me real ground for it.

Thank you again.

Maxim
