I'm battling with one problem - I need to detect and (attention) to produce an alert (say, an e-mail alert) after the detection of a DDoS attack - let's take TCP Syn Flood on a particular IP.
What I have: MARS and ASA/AIP-SSM which is controlled via Cisco Security Manager.
As far as I know, AIP-SSM does not support Normalizer signature (3050 for TCP SYN) so it will never fire an alert for this (but this could definitely solve my problem) And ASA has basic threat-detection capabilities and it produces an ASA-4-733100 syslog event after detecting a threat.
But as far as I know I can't a) configure more sophisticated parameters of the ASA's threat-detection on CSM as it doesn't support this in it's interface (at least 3.3.1 version) b) MARS (6.0.4 in my case) also doesn't know anything about this feature (am I right?)
So I can either a) use a Flex-config on CSM to tune the threat-detection feature and write custom parser on MARS b) write custom rule on MARS to catch all the "Built TCP-connection" and "Teardown TCP .... with SYN" messages and to produce alert after hitting a threshold
But may be there is a more straightforward way to do this? Who can advise?
Yes, I've tried to use this but may be I've tuned it the wrong way - I am sure it will detec host/ports scans/sweeps but can it discover SYN or FIN floods (I mean, a lot of connections to one host with the same TCP-flag, for eg? I didn't find anything near that.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...