New Member

Flood signatures

Hello all!

I am trying to set up Net Flood signatures. I enabled the following signatures - 6902/0, 6903/0, 6910/0 and 6920/0:

signatures 6903 0
  status
    enabled true
  exit
exit
signatures 6910 0
  status
    enabled true
  exit
exit
signatures 6920 0
  status
    enabled true
  exit
exit

All of the mentioned signatures have "Event Count Key" and "Summary Key" set to "Attacker and victim address".

But in the event store I get events without any mention of the parties taking part in my simple attack (generated with nmap's help):

evIdsAlert: eventId=1238425548375713811 vendor=Cisco severity=informational
  originator:
    hostId: ips4255
    appName: sensorApp
    appInstanceId: 405
  time: may 10, 2009 19:22:50 UTC offset=360 timeZone=GMT+06:00
  signature: description=Net Flood ICMP Any id=6903 version=S4 type=other created=20010725
    subsigId: 0
    marsCategory: DoS/Network/ICMP
  interfaceGroup: vs0
  vlan: 0
  participants:
  alertDetails: MaxPPS during this interval: 4 ;

I see an attack, but I can see neither an attacker nor a victim.

I tested those signatures on ids-4215 and ips-4255 with software version 6.0(5)E3 and 6.2(1)E3 in promiscuous mode. Results were the same.

Can anybody explain why the participants field is empty? How can it be filled with real information?

Hoping to see a solution,

Maxim

ACCEPTED SOLUTION
Cisco Employee

Re: Flood signatures

The Flood Net Engine is coded to look at the entire network (all traffic being monitored by the Virtual Sensor). The Flood Net signatures cannot be configured to track individual addresses because the engine just wasn't built to do that. The engine doesn't track addresses at all; it just tracks packet counts/rates for the specific protocols.

You could try using the Flood Host Engine signatures, but even then I am not sure if it will work exactly the way you hope. Most of the Flood signatures have been hard coded to look for specific types of traffic, and there is little that a user can tune on the signatures to change their behaviour.
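The two counting models the reply contrasts, as an added illustration (not Cisco's engine code) over constructed packet records: a network-wide per-protocol rate counter that never stores addresses, so its alert can only carry a MaxPPS value, beside a per-destination counter that keys on the victim and remembers sources. The 1-second interval and 4 pps threshold are assumed values, not the sensor's.

```python
from collections import Counter, defaultdict

# Constructed packet records: (timestamp_seconds, protocol, src, dst).
PACKETS = (
    [(0.1 * i, "icmp", "10.0.0.5", "192.168.1.10") for i in range(6)]  # 6-packet ICMP burst
    + [(0.5, "icmp", "10.0.0.7", "192.168.1.20")]                       # one background ping
    + [(0.3, "tcp", "10.0.0.9", "192.168.1.30"), (1.2, "tcp", "10.0.0.9", "192.168.1.30")]
)


def net_flood_alerts(packets, threshold_pps, interval=1.0):
    """Network-wide model: count packets per protocol per interval and drop the addresses.

    Because the counter is keyed on protocol alone, the alert has nothing to
    report as participants; only the peak rate survives (cf. 'MaxPPS during this
    interval' in the event above).
    """
    counts = defaultdict(Counter)  # protocol -> interval bucket -> packet count
    for ts, proto, _src, _dst in packets:
        counts[proto][int(ts // interval)] += 1
    alerts = []
    for proto, buckets in counts.items():
        max_pps = max(buckets.values()) / interval
        if max_pps >= threshold_pps:
            alerts.append({"proto": proto, "max_pps": max_pps, "participants": None})
    return alerts


def host_flood_alerts(packets, threshold_pps, interval=1.0):
    """Per-victim model: key the counter on (protocol, dst) and remember the sources.

    Keying on the destination is what makes a victim address available for the
    alert; recording sources per key is what makes attacker addresses available.
    """
    counts = defaultdict(Counter)  # (protocol, dst) -> interval bucket -> count
    sources = defaultdict(set)     # (protocol, dst) -> set of source addresses
    for ts, proto, src, dst in packets:
        counts[(proto, dst)][int(ts // interval)] += 1
        sources[(proto, dst)].add(src)
    alerts = []
    for (proto, dst), buckets in counts.items():
        max_pps = max(buckets.values()) / interval
        if max_pps >= threshold_pps:
            alerts.append({"proto": proto, "max_pps": max_pps, "victim": dst,
                           "attackers": sorted(sources[(proto, dst)])})
    return alerts


if __name__ == "__main__":
    print(net_flood_alerts(PACKETS, threshold_pps=4))
    print(host_flood_alerts(PACKETS, threshold_pps=4))
```

With these inputs the network-wide counter fires on ICMP at 7 pps with empty participants, while the per-destination counter fires only for 192.168.1.10 and names 10.0.0.5 as the source.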

2 REPLIES

New Member

Re: Flood signatures

Hi MARCOA!

Thank you for your complete reply. My initial thoughts were the same. And you gave me real ground for it.

Thank you again.

Maxim
