05-10-2009 11:47 AM - edited 03-10-2019 04:37 AM
Hello all!
I am trying to set up Net Flood signatures. I enabled the following signatures - 6902/0, 6903/0, 6910/0 and 6920/0:
signatures 6903 0
  status
    enabled true
  exit
exit
signatures 6910 0
  status
    enabled true
  exit
exit
signatures 6920 0
  status
    enabled true
  exit
exit
All of the mentioned signatures have "Event Count key" and "Summary key" set to "Attacker and victim address".
But in the event store I got events without any mention of the parties taking part in my simple attack (generated with nmap):
evIdsAlert: eventId=1238425548375713811 vendor=Cisco severity=informational
originator:
hostId: ips4255
appName: sensorApp
appInstanceId: 405
time: may 10, 2009 19:22:50 UTC offset=360 timeZone=GMT+06:00
signature: description=Net Flood ICMP Any id=6903 version=S4 type=other created=20010725
subsigId: 0
marsCategory: DoS/Network/ICMP
interfaceGroup: vs0
vlan: 0
participants:
alertDetails: MaxPPS during this interval: 4 ;
I see an attack, but I can see neither an attacker nor a victim.
I tested those signatures on ids-4215 and ips-4255 with software version 6.0(5)E3 and 6.2(1)E3 in promiscuous mode. Results were the same.
Can anybody explain why the participants field is empty? How can it be filled with real information?
Hoping to see a solution,
Maxim
05-11-2009 05:26 AM
The Flood Net Engine is coded to look at the entire network (all traffic being monitored by the Virtual Sensor). The Flood Net signatures cannot be configured to track individual addresses because the engine just wasn't built to do that. The engine doesn't track addresses at all; it just tracks packet counts/rates for the specific protocols.
You could try using the Flood Host Engine signatures, but even then I am not sure it will work exactly the way you hope. Most of the Flood signatures have been hard-coded to look for specific types of traffic, and there is little that a user can tune on the signatures to change their behaviour.
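To make the distinction in the answer above concrete, here is an added Python model of the two counting styles. It is illustrative code written for this page, not Cisco's engine code: the interval length, the rate threshold and the alert dictionary layout are assumptions, and the packet list is constructed sample traffic. The point it shows is structural: a Flood Net style counter only keeps a per-protocol packet count per interval for the whole virtual sensor, so by the time it fires there are no addresses left to put in "participants"; a Flood Host style counter keyed by destination still knows who sent what and can name victim and attacker.

```python
"""Model of 'Flood Net' vs 'Flood Host' style counting (added illustration,
not Cisco IPS code). Parameters and record layout are assumptions."""
from collections import Counter, defaultdict

INTERVAL_S = 1.0  # assumed summary interval; the real engine's parameters differ

# Constructed sample traffic: (timestamp in seconds, protocol, src, dst).
# 10.0.0.5 pings 10.0.0.20 quickly while 10.0.0.7 and 10.0.0.9 exchange
# ordinary ICMP and TCP in the background.
SAMPLE_PACKETS = [
    (0.10, "icmp", "10.0.0.5", "10.0.0.20"),
    (0.20, "icmp", "10.0.0.5", "10.0.0.20"),
    (0.30, "icmp", "10.0.0.5", "10.0.0.20"),
    (0.40, "icmp", "10.0.0.7", "10.0.0.9"),
    (0.50, "tcp",  "10.0.0.7", "10.0.0.9"),
    (1.10, "icmp", "10.0.0.5", "10.0.0.20"),
    (1.20, "icmp", "10.0.0.5", "10.0.0.20"),
    (1.30, "icmp", "10.0.0.9", "10.0.0.7"),
    (1.40, "icmp", "10.0.0.5", "10.0.0.20"),
    (1.60, "icmp", "10.0.0.5", "10.0.0.20"),
    (2.10, "icmp", "10.0.0.7", "10.0.0.9"),
]


def net_flood(packets, proto, rate_pps, interval_s=INTERVAL_S):
    """Flood Net style: one packet counter per interval for the whole sensor.

    Source and destination are read from each record but never stored, so the
    only thing an alert can carry is the peak rate for the interval.
    """
    per_interval = Counter()
    for ts, p, _src, _dst in packets:
        if p == proto:
            per_interval[int(ts // interval_s)] += 1
    max_pps = max(per_interval.values(), default=0) / interval_s
    if max_pps < rate_pps:
        return None
    return {
        "engine": "flood-net",
        "proto": proto,
        "participants": [],  # nothing was tracked, so nothing to report
        "alertDetails": f"MaxPPS during this interval: {max_pps:g} ;",
    }


def host_flood(packets, proto, rate_pps, interval_s=INTERVAL_S):
    """Flood Host style: counters keyed by (interval, destination), each
    remembering the sources seen, so an alert can name victim and attacker."""
    per_victim = defaultdict(Counter)  # (interval, dst) -> Counter of src
    for ts, p, src, dst in packets:
        if p == proto:
            per_victim[(int(ts // interval_s), dst)][src] += 1
    alerts = []
    for (interval, dst), srcs in sorted(per_victim.items()):
        pps = sum(srcs.values()) / interval_s
        if pps >= rate_pps:
            attacker, _count = srcs.most_common(1)[0]  # dominant source
            alerts.append({
                "engine": "flood-host",
                "proto": proto,
                "interval": interval,
                "victim": dst,
                "attacker": attacker,
                "pps": pps,
            })
    return alerts


if __name__ == "__main__":
    print(net_flood(SAMPLE_PACKETS, "icmp", rate_pps=4))
    for alert in host_flood(SAMPLE_PACKETS, "icmp", rate_pps=4):
        print(alert)
```

Run as-is, the network-wide counter fires on the ICMP burst with an empty participants list and only the MaxPPS string, which is exactly the shape of the alert in the original post; the per-host counter fires on the same traffic but reports 10.0.0.20 as victim and 10.0.0.5 as attacker. Whether the real Flood Host signatures expose the fields you need is a separate question, as the answer above cautions.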
05-11-2009 08:34 AM
Hi MARCOA!
Thank you for your complete reply. My initial thoughts were the same. And you gave me real ground for it.
Thank you again.
Maxim