I'm battling with one problem - I need to detect and (attention) to produce an alert (say, an e-mail alert) after the detection of a DDoS attack - let's take TCP Syn Flood on a particular IP.
What I have: MARS and ASA/AIP-SSM which is controlled via Cisco Security Manager.
As far as I know, AIP-SSM does not support Normalizer signature (3050 for TCP SYN) so it will never fire an alert for this (but this could definitely solve my problem) And ASA has basic threat-detection capabilities and it produces an ASA-4-733100 syslog event after detecting a threat.
But as far as I know I can't a) configure more sophisticated parameters of the ASA's threat-detection on CSM as it doesn't support this in it's interface (at least 3.3.1 version) b) MARS (6.0.4 in my case) also doesn't know anything about this feature (am I right?)
So I can either a) use a Flex-config on CSM to tune the threat-detection feature and write custom parser on MARS b) write custom rule on MARS to catch all the "Built TCP-connection" and "Teardown TCP .... with SYN" messages and to produce alert after hitting a threshold
But may be there is a more straightforward way to do this? Who can advise?