IDS signature tuning... interval questions.

jkell
Level 1

Just starting out trying to tune some signatures to fit our environment, and looking for clarification on some parameters of IDS signatures.

For example: 2152 - ICMP flood

It uses the "Flood Host" engine with the action parameters:

Limit type: percentage (100)

Rate: 25

Event count: 1

Event count key: victim address

Specify interval: No

Summary mode: Fire all

Threshold: 10000

Interval: 30

Global threshold: 20000

Summary key: victim address

Can someone translate into English?

I'm guessing 25 packets/sec of ICMP traffic to the same destination would trigger the "event". And the 100% limit means...? 25 in a row?

And the summaries?

At least the "flood host" has a clear interval, but many of the scans do not. For example, 3002 or 3030 - TCP SYN port sweep. This specifies a number of "unique" packets with the same key (attacker address, or attacker and victim, or other combination) but does not specify the interval. Is this also per-second? The documentation simply says "The unique parameter triggers the alert when more than the unique number of ports or hosts is seen on the address set within the time period."

What is the "time period" and where is it set? For these alerts (as well as the previous) the "Specify Alert Interval" is set to "No".

3 Replies

carenas123
Level 5

You only need to change the signature action, not all of the signatures are blocking by default, you need to enable them at the sensor. You can do this by IDM.

I know how to tweak the actions and enable/disable them. I'm trying to "tune" them. The portscan events seem to misfire on even moderate web surfing with lots of embedded URLs, and/or over a time interval. I would like to tweak the number of SYNs (which is pretty obvious by the 'unique' parameter) and the time interval in which they occur (the documentation doesn't give a clue -- it just says "within the interval" without telling you what the interval is).

mhellman
Level 7

I can't claim to understand some of the "scan" signatures either...most of ours are disabled.

The limit type and percentage would only seem applicable if you're using the "request rate limit" action in inline mode. I don't think they have anything to do with alarming.

For this particular signature I believe the most relevant variable is rate, which you already seem to understand.

The alert frequency settings allow you to change the summary mode from "fire all" to "summarize" or "global summarize" based on the number of alerts being generated. This probably has other uses, but the one that immediately comes to mind is to prevent the monitoring system from being overloaded with spurious alarms.

As far as 3030 - TCP SYN port sweep...I don't understand it either. Do a search for it on the forums, there have been other questions.
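The alert-frequency behaviour mhellman describes (fire all, then summarize, then global summarize as alert volume grows), together with the Rate / Event count parameters from the original question, as an added Python model that is not Cisco's code: it shows how the Threshold, Global threshold and Interval values cap what reaches the monitoring system. The exact Cisco semantics are assumed here: one Flood Host alert per victim for each second that reaches Rate packets, per-key counts that reset every Interval seconds, and a summary that reports all alerts for that key in the window.

```python
from collections import Counter

def icmp_flood_alerts(packets, rate=25):
    """Assumed model of the Flood Host engine with Rate=25 and Event count=1.
    packets: list of (timestamp_sec, victim_ip) for ICMP packets (constructed input).
    Returns one (second, victim) alert for each one-second bucket in which a
    single victim address receives `rate` or more packets."""
    per_second = Counter((int(ts), victim) for ts, victim in packets)
    return [(sec, victim) for (sec, victim), n in sorted(per_second.items()) if n >= rate]

def summarize_alerts(alerts, threshold=10000, global_threshold=20000, interval=30):
    """Assumed model of the alert-frequency settings (Summary key = victim address).
    alerts: list of (timestamp_sec, victim_ip). Within each `interval`-second window:
    fire all: every alert is emitted while that victim's count is <= `threshold`;
    summarize: a victim's further alerts become one ("summary", victim, count) at window end;
    global summarize: once the window total exceeds `global_threshold`, individual output
    stops and a single ("global_summary", total) closes the window."""
    if not alerts:
        return []
    alerts = sorted(alerts)
    t0 = alerts[0][0]
    windows = {}
    for ts, victim in alerts:  # bucket alerts into fixed windows starting at the first alert
        windows.setdefault((ts - t0) // interval, []).append((ts, victim))
    emitted = []
    for idx in sorted(windows):
        per_key, total, global_mode = Counter(), 0, False
        for ts, victim in windows[idx]:
            per_key[victim] += 1
            total += 1
            if global_mode:
                continue
            if total > global_threshold:
                global_mode = True  # stop per-alert output for the rest of the window
            elif per_key[victim] <= threshold:
                emitted.append(("alert", ts, victim))  # fire-all behaviour below threshold
        if global_mode:
            emitted.append(("global_summary", total))
        else:
            for victim, n in sorted(per_key.items()):
                if n > threshold:
                    emitted.append(("summary", victim, n))
    return emitted

if __name__ == "__main__":
    # constructed traffic: 10.0.0.5 gets 30 ICMP packets in second 0, 10.0.0.6 only 24
    print(icmp_flood_alerts([(i / 100, "10.0.0.5") for i in range(30)] + [(i / 100, "10.0.0.6") for i in range(24)]))
    stream = [(t, "10.0.0.5") for t in range(5)] + [(30 + i, f"10.0.1.{i}") for i in range(10)]
    print(summarize_alerts(stream, threshold=3, global_threshold=8))  # small thresholds show all three modes
```

With the production values (10000 / 20000 / 30) the same code shows why a busy sensor left on "fire all" can flood the console before summarization ever engages.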
