Cisco Support Community
New Member

IDS4235 Custom Signature

Well, we are using IDS 4235 offline with mirrored ports and executing ACLs on the external router.

I want to build a custom signature which will reset the TCP SYN sessions if there are more than 10 or 12 from a single IP.

Can someone comment on how it's going to be with Cisco IDS 4235?

3 REPLIES
Silver

Re: IDS4235 Custom Signature

If your IDS is running 5.1, the following link would be helpful in creating custom signatures:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/idmguide/dmsigwiz.htm

As you are only talking about a single packet of TCP SYN, you need to create a signature using Atomic signature engine parameters.

Hope that helps.

Regards,

Vibhor.

New Member

Re: IDS4235 Custom Signature

Thanks for your reply.

Well, my question is very simple: I want to trigger (reset) the TCP SYN packet if the number of concurrent SYNs is more than 10, or exceeds this limit, from one host (IP).

My problem is that I don't know where I can define the number of concurrent sessions while creating a signature, even an atomic signature. Would you please point this out?

Gold

Re: IDS4235 Custom Signature

Use the "event counter" settings to determine how many of the matching events must occur before an action is taken. Have a look at sig 6009-0 for an example of how this is done.
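The counting behaviour described in the reply above, sketched as a simplified model. This is an added example, not part of the original thread and not Cisco's sensor code; the function names, the 60-second interval and the sample traffic are assumptions.

```python
from collections import defaultdict, deque

SYN, ACK = 0x02, 0x10  # TCP flag bits

def is_bare_syn(flags):
    """True for a connection-opening segment: SYN set, ACK clear."""
    return bool(flags & SYN) and not flags & ACK

def count_events(packets, event_count=10, interval=60.0):
    """Return [(time, src)] for each point where one source reaches
    event_count bare SYNs inside `interval` seconds.

    packets: iterable of (time_seconds, src_ip, tcp_flags), time-ordered.
    """
    recent = defaultdict(deque)   # src_ip -> timestamps of matching SYNs
    fired = []
    for ts, src, flags in packets:
        if not is_bare_syn(flags):
            continue
        window = recent[src]
        window.append(ts)
        # Drop matches that have aged out of the interval.
        while ts - window[0] >= interval:
            window.popleft()
        if len(window) >= event_count:
            fired.append((ts, src))
            window.clear()        # start counting again after firing
    return fired

# Constructed sample traffic (documentation addresses, not real captures).
SAMPLE = (
    [(i * 0.5, "192.0.2.10", SYN) for i in range(12)]          # 12 SYNs in 6 s
    + [(i * 20.0, "192.0.2.20", SYN) for i in range(12)]       # 12 SYNs, slow
    + [(i * 0.5, "192.0.2.30", SYN | ACK) for i in range(12)]  # SYN-ACKs only
)
SAMPLE.sort(key=lambda p: p[0])

if __name__ == "__main__":
    for ts, src in count_events(SAMPLE):
        print(f"t={ts:5.1f}s  threshold reached for {src}")
```

Only the fast source crosses the threshold: the slow source never has more than three SYNs inside one interval, and SYN-ACK segments do not match the single-packet condition at all.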
