Cisco Support Community
New Member

Signature 1315 - ACK w/o TCP Stream - why alerting?

We upgraded one of our sensors to 6.0(1)E1 and now we are seeing extremely high alerts on this particular signature. The signature is NOT set to alert. Any ideas on what we can do to stop the alert other than filter something that should not need filtering?

Thanks,

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Signature 1315 - ACK w/o TCP Stream - why alerting?

It's actually one of the more common oversights....

4 REPLIES
Cisco Employee

Re: Signature 1315 - ACK w/o TCP Stream - why alerting?

Do you have an event action override installed on the system to generate an alert for a risk rating (RR) greater than some value? If so, then even signatures that are set to "no action" will get the override applied if their resultant RR satisfies the override criteria.

If this is the case, then you have several options...you can adjust the override to raise the minimum RR value that triggers the override, or, you can tune the signature to lower its effective RR. The latter can be accomplished by lowering either its Severity level (info, low, medium, high etc) or lowering its Fidelity value.

The signature helps address some covert channels used by some exploit software.
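The override behaviour described in this reply, as an added example that is not part of the original thread and is not Cisco's code. It is a simplified model that assumes RR = ASR × TVR × SFR / 10000 with a fixed target value rating of 100; the severity and fidelity values given to signature 1315 are constructed, and the class and function names are hypothetical.

```python
from dataclasses import dataclass, field

# Assumed attack severity ratings (ASR) per severity level in this simplified model.
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}

@dataclass
class Signature:
    sig_id: int
    severity: str
    fidelity: int                               # signature fidelity rating, 0-100
    actions: set = field(default_factory=set)   # actions set on the signature itself

@dataclass
class Override:
    action: str      # action the override adds, e.g. "produce-alert"
    rr_min: int      # inclusive lower bound of the risk rating range
    rr_max: int      # inclusive upper bound of the risk rating range

def risk_rating(sig, target_value=100):
    """Simplified RR: severity and fidelity scaled into 0-100 (assumed formula)."""
    return min(ASR[sig.severity] * target_value * sig.fidelity // 10000, 100)

def effective_actions(sig, overrides):
    """Actions taken when the signature fires: its own plus any matching override."""
    rr = risk_rating(sig)
    added = {o.action for o in overrides if o.rr_min <= rr <= o.rr_max}
    return set(sig.actions) | added

def unexpected_actions(sig, overrides):
    """Audit helper: overrides that add an action the signature does not configure."""
    rr = risk_rating(sig)
    return [(o.action, o.rr_min, o.rr_max, rr) for o in overrides
            if o.rr_min <= rr <= o.rr_max and o.action not in sig.actions]

# Constructed sample: signature 1315 with no actions of its own.
sig_1315 = Signature(1315, "informational", 50)
alert_all = [Override("produce-alert", 0, 100)]     # the range reported in the thread
alert_raised = [Override("produce-alert", 50, 100)] # option 1: raise the minimum RR
alert_low = [Override("produce-alert", 10, 100)]
tuned_1315 = Signature(1315, "informational", 30)   # option 2: lower the fidelity

if __name__ == "__main__":
    print("RR:", risk_rating(sig_1315))
    print("0-100 override:", effective_actions(sig_1315, alert_all))
    print("50-100 override:", effective_actions(sig_1315, alert_raised))
    print("10-100, tuned sig:", effective_actions(tuned_1315, alert_low))
    print("audit:", unexpected_actions(sig_1315, alert_all))
```

In this model an override range that starts at 0 matches every possible RR, so tuning the signature only helps once the range has a minimum above 0.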

New Member

Re: Signature 1315 - ACK w/o TCP Stream - why alerting?

You are correct...there was an event action override to alert 0-100.

I thought this was removed by the other analyst and was thrown by the new alerts coming in from 6.0 but not triggered in 5(4).

Thanks....feeling sheepish now.

Cisco Employee

Re: Signature 1315 - ACK w/o TCP Stream - why alerting?

Is it possible that you have an override to add an alert action?
