Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IDS signature tuning... interval questions.

Just starting out trying to tune some signatures to fit our environment, and looking for clarification on some parameters of IDS signatures.

For example: 2152 - ICMP flood

It uses the "Flood Host" engine with the action parameters:

Limit type: percentage (100)

Rate: 25

Event count: 1

Event count key: victim address

Specify interval: No

Summary mode: Fire all

Threshold: 10000

Interval: 30

Global threshold: 20000

Summary key: victim address

Can someone translate into english?

I'm guessing 25 packets/sec of ICMP traffic to the same destination would trigger the "event". And the 100% limit means...? 25 in a row?

And the summaries?

At least the "flood host" has a clear interval, but many of the scans do not. For example, 3002 or 3030 - TCP SYN port sweep. This specifies a number of "unique" packets with the same key (attacker address, or attacker and victim, or other combination) but does not specify the interval. Is this also per-second? The documentation simply says "The unique parameter triggers the alert when more than the unique number of ports or hosts is seen on the address set within the time period."

What is the "time period" and where is it set? For these alerts (as well as the previous) the "Specify Alert Interval" is set to "No".


Re: IDS signature tuning... interval questions.

You only need to change the signature action, not all of the signatures are blocking by default, you need to enable them at the sensor. You can do this by IDM.

New Member

Re: IDS signature tuning... interval questions.

I know how to tweak the actions and enable/disable them. I'm trying to "tune" them. The portscan events seem to misfire on even moderate web surfing with lots of imbedded URLs, and/or over a time interval. I would like to tweak the number of SYNs (which is pretty obvious by the 'unique' parameter) and the time interval in which they occur (the documentation doesn't give a clue -- it just says "within the interval" without telling you what the interval is).


Re: IDS signature tuning... interval questions.

I can't claim to understand some of the "scan" signatures either...most of ours are disabled.

The limit type and percentage would only seem applicable if you're using the "request rate limit" action in inline mode. I don't think they have anything to do with alarming.

For this particular signature I believe the most relevant variable is rate, which you already seem to understand.

The alert frequency settings allow you change the summary mode from "fire all" to "summarize" or "global summarize" based on the number of alerts being generated. This probably has other uses, but the one that immediately comes to mind is to prevent the monitoring system from being overloaded with spurious alarms.

As far as 3030 - TCP SYN port sweep...I don't understand it either. Do a search for it on the forums, there have been other questions.