I typically leave the sub sig to the default (0-255).
The source will be your DMZ network (192.168.168.0-192.168.168.255).
The destination will probably be the default (0.0.0.0-255.255.255.255)
The next key change will be the actions to subtract. You will want to subtract produce alert (the default action for 3030). Most of the time I subtract all actions. That way if I change a signature later I won't have an unexpected result. For example, say you start blocking attackers that do a TCP SYN sweep (3030). If you only subtract produce alert, then you might start blocking your DMZ hosts but not produce any alerts.
Lastly, you may want to tune sig 3030. 15 unique SYN packets in 60 seconds is pretty low. I have a sensor set to 30 in 5 seconds.
Thanks, so I went into Event Action Rules, rules0, created a new Event Action Filter and followed your instructions to filter out SigID 3030 when triggered by IP 192.168.168.0/24 (see attached picture).