05-31-2006 12:38 PM - edited 03-10-2019 03:02 AM
Just starting out trying to tune some signatures to fit our environment, and looking for clarification on some parameters of IDS signatures.
For example: 2152 - ICMP flood
It uses the "Flood Host" engine with the action parameters:
Limit type: percentage (100)
Rate: 25
Event count: 1
Event count key: victim address
Specify interval: No
Summary mode: Fire all
Threshold: 10000
Interval: 30
Global threshold: 20000
Summary key: victim address
Can someone translate into english?
I'm guessing 25 packets/sec of ICMP traffic to the same destination would trigger the "event". And the 100% limit means...? 25 in a row?
And the summaries?
At least the "flood host" has a clear interval, but many of the scans do not. For example, 3002 or 3030 - TCP SYN port sweep. This specifies a number of "unique" packets with the same key (attacker address, or attacker and victim, or other combination) but does not specify the interval. Is this also per-second? The documentation simply says "The unique parameter triggers the alert when more than the unique number of ports or hosts is seen on the address set within the time period."
What is the "time period" and where is it set? For these alerts (as well as the previous) the "Specify Alert Interval" is set to "No".
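To make the two counting styles in this question concrete, here is an added example (it is not Cisco's engine code and not part of the original post): a small Python model of a per-victim rate counter, like the "Rate: 25" parameter of the Flood Host engine, beside a per-(attacker, victim) unique-port counter, like the "unique" parameter of the sweep signatures. The one-second bucket for the rate check and the 30-second sliding window for the sweep check are assumptions made for the model, since the thread does not establish the real interval; the packet records are constructed, not captured traffic.

```python
from collections import defaultdict

# Each record is (timestamp_seconds, src, dst, proto, dport). dport is None for ICMP.


def build_sample():
    """Constructed packet records covering the cases discussed in the thread."""
    pkts = []
    # 30 ICMP echo requests to one victim inside a single second: exceeds rate 25
    for i in range(30):
        pkts.append((i * 0.03, "10.0.0.5", "10.0.0.1", "icmp", None))
    # 10 ICMP packets to another victim inside one second: stays below rate 25
    for i in range(10):
        pkts.append((i * 0.1, "10.0.0.6", "10.0.0.2", "icmp", None))
    # fast sweep: 20 SYNs to 20 distinct ports, one per second
    for p in range(1, 21):
        pkts.append((float(p), "10.0.0.9", "10.0.0.1", "tcp", p))
    # web surfing: 40 SYNs, but only to ports 80 and 443 (2 unique ports)
    for i in range(40):
        pkts.append((float(i), "10.0.0.7", "10.0.0.1", "tcp", 80 if i % 2 else 443))
    # slow sweep: the same 20 ports, but spaced 5 s apart over 95 s
    for p in range(1, 21):
        pkts.append((5.0 * (p - 1), "10.0.0.8", "10.0.0.3", "tcp", p))
    return sorted(pkts, key=lambda r: r[0])


def flood_events(packets, rate=25):
    """Rate-style check (assumed one-second buckets, keyed on victim address).

    Fires once per victim per bucket as soon as the ICMP packet count in that
    bucket exceeds `rate`. Returns a list of (victim, bucket_second).
    """
    buckets = defaultdict(int)  # (victim, second) -> ICMP packet count
    events = []
    for ts, src, dst, proto, dport in packets:
        if proto != "icmp":
            continue
        key = (dst, int(ts))
        buckets[key] += 1
        if buckets[key] == rate + 1:  # fire exactly once when the rate is crossed
            events.append(key)
    return events


def sweep_events(packets, unique=15, window=30.0):
    """Unique-count style check keyed on (attacker, victim).

    Fires once per key when more than `unique` distinct destination ports have
    been seen within the trailing `window` seconds (window length is an
    assumption of this model). Returns a list of (attacker, victim, port_count).
    """
    seen = defaultdict(list)  # (attacker, victim) -> [(ts, dport), ...]
    fired = set()
    events = []
    for ts, src, dst, proto, dport in packets:
        if proto != "tcp":
            continue
        key = (src, dst)
        seen[key].append((ts, dport))
        # age out entries older than the window so a slow scan does not accumulate
        seen[key] = [(t, p) for t, p in seen[key] if ts - t <= window]
        ports = {p for _, p in seen[key]}
        if len(ports) > unique and key not in fired:
            fired.add(key)
            events.append((src, dst, len(ports)))
    return events


if __name__ == "__main__":
    pkts = build_sample()
    print("flood:", flood_events(pkts, rate=25))
    print("sweep, 30 s window:", sweep_events(pkts, unique=15, window=30.0))
    print("sweep, 100 s window:", sweep_events(pkts, unique=15, window=100.0))
```

Run with a 30-second window, the sweep check fires only for the fast scanner: the web-surfing host never exceeds two unique ports no matter how many SYNs it sends, and the slow scanner never has more than seven ports inside any 30-second window. Widening the window to 100 seconds makes the slow scanner fire as well, which is why the unknown interval matters as much as the "unique" count when tuning these signatures.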
06-06-2006 12:28 PM
You only need to change the signature action; not all of the signatures are blocking by default, so you need to enable them at the sensor. You can do this via IDM.
06-06-2006 02:27 PM
I know how to tweak the actions and enable/disable them. I'm trying to "tune" them. The portscan events seem to misfire on even moderate web surfing with lots of embedded URLs, and/or over a time interval. I would like to tweak the number of SYNs (which is pretty obvious from the 'unique' parameter) and the time interval in which they occur (the documentation doesn't give a clue -- it just says "within the interval" without telling you what the interval is).
06-07-2006 05:31 AM
I can't claim to understand some of the "scan" signatures either...most of ours are disabled.
The limit type and percentage would only seem applicable if you're using the "request rate limit" action in inline mode. I don't think they have anything to do with alarming.
For this particular signature I believe the most relevant variable is rate, which you already seem to understand.
The alert frequency settings allow you to change the summary mode from "fire all" to "summarize" or "global summarize" based on the number of alerts being generated. This probably has other uses, but the one that immediately comes to mind is to prevent the monitoring system from being overloaded with spurious alarms.
As far as 3030 - TCP SYN port sweep...I don't understand it either. Do a search for it on the forums, there have been other questions.