Just starting out trying to tune some signatures to fit our environment, and looking for clarification on some parameters of IDS signatures.
For example: 2152 - ICMP flood
It uses the "Flood Host" engine with the action parameters:
Limit type: percentage (100)
Event count: 1
Event count key: victim address
Specify interval: No
Summary mode: Fire all
Global threshold: 20000
Summary key: victim address
Can someone translate into English?
I'm guessing 25 packets/sec of ICMP traffic to the same destination would trigger the "event". And the 100% limit means...? 25 in a row?
And the summaries?
At least the "flood host" has a clear interval, but many of the scans do not. For example, 3002 or 3030 - TCP SYN port sweep. This specifies a number of "unique" packets with the same key (attacker address, or attacker and victim, or other combination) but does not specify the interval. Is this also per-second? The documentation simply says "The unique parameter triggers the alert when more than the unique number of ports or hosts is seen on the address set within the time period."
What is the "time period" and where is it set? For these alerts (as well as the previous) the "Specify Alert Interval" is set to "No".
I know how to tweak the actions and enable/disable them. I'm trying to "tune" them. The portscan events seem to misfire on even moderate web surfing with lots of embedded URLs, and/or over a time interval. I would like to tweak the number of SYNs (which is pretty obvious by the 'unique' parameter) and the time interval in which they occur (the documentation doesn't give a clue -- it just says "within the interval" without telling you what the interval is).
I can't claim to understand some of the "scan" signatures either...most of ours are disabled.
The limit type and percentage would only seem applicable if you're using the "request rate limit" action in inline mode. I don't think they have anything to do with alarming.
For this particular signature I believe the most relevant variable is rate, which you already seem to understand.
The alert frequency settings allow you change the summary mode from "fire all" to "summarize" or "global summarize" based on the number of alerts being generated. This probably has other uses, but the one that immediately comes to mind is to prevent the monitoring system from being overloaded with spurious alarms.
As far as 3030 - TCP SYN port sweep...I don't understand it either. Do a search for it on the forums, there have been other questions.
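To reason about the "unique ... within the time period" behaviour discussed in the question and the reply, here is an added model of that counter (my own example, not the Cisco IPS engine's code; the sliding-window semantics and the summarize behaviour are assumptions, since the thread notes the interval is undocumented). Replaying the same constructed traffic under different unique/interval settings shows why the interval matters as much as the count when tuning, and why a burst of connections to many hosts or ports looks like a sweep.

```python
from collections import defaultdict, deque

# Constructed model of the "unique" counter (assumption, not the Cisco IPS
# engine's own logic): distinct items (victim ports for a port sweep, victim
# addresses for a host sweep) per key within a sliding `interval`-second
# window; an alert fires once the distinct count exceeds `unique`.
# summarize=True mimics "summarize" mode: one alert per key per interval
# instead of one per packet ("fire all").
class SweepDetector:
    def __init__(self, unique, interval, summarize=False):
        self.unique, self.interval, self.summarize = unique, interval, summarize
        self.seen = defaultdict(deque)   # key -> deque of (timestamp, item)
        self.last_summary = {}           # key -> timestamp of last summary alert
        self.alerts = []

    def observe(self, ts, key, item):
        """Record one packet; return True if it produces an alert."""
        q = self.seen[key]
        q.append((ts, item))
        while ts - q[0][0] > self.interval:  # expire entries outside the window
            q.popleft()
        distinct = len({i for _, i in q})
        if distinct <= self.unique:
            return False
        if self.summarize:
            last = self.last_summary.get(key)
            if last is not None and ts - last <= self.interval:
                return False              # already reported in this interval
            self.last_summary[key] = ts
        self.alerts.append((ts, key, distinct))
        return True


def count_alerts(packets, unique, interval, summarize=False):
    """Replay constructed (ts, key, item) tuples and return the alert count."""
    det = SweepDetector(unique, interval, summarize)
    return sum(det.observe(ts, key, item) for ts, key, item in packets)


# Constructed sample: one client (the key) connecting to ten distinct ports,
# one per second.  The same shape models a browser fetching embedded content
# from ten distinct hosts, with the host as the counted item.
SAMPLE = [(t, "10.0.0.5", 8000 + t) for t in range(10)]

if __name__ == "__main__":
    for unique, interval, summarize in [(5, 60, False), (5, 60, True), (5, 3, False), (3, 3, True)]:
        n = count_alerts(SAMPLE, unique, interval, summarize)
        print(f"unique>{unique} within {interval}s summarize={summarize}: {n} alert(s)")
```

With the same ten connections, a 60-second window produces alerts while a 3-second window at the same unique value produces none, and summarize mode collapses the per-packet "fire all" alerts to one per key per interval.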