Signature 1315 - ACK w/o TCP Stream - why alerting?

enelson
Level 1

We upgraded one of our sensors to 6.0(1)E1 and now we are seeing extremely high alerts on this particular signature. The signature is NOT set to alert. Any ideas on what we can do to stop the alert other than filter something that should not need filtering?

Thanks,

4 Replies

scothrel
Level 3

Do you have an event action override installed on the system to generate an alert for a risk rating (RR) greater than some value? If so, then even signatures that are set to "no action" will get the override applied if their resultant RR satisfies the override criteria.

If this is the case, then you have several options...you can adjust the override to raise the minimum RR value that triggers the override, or you can tune the signature to lower its effective RR. The latter can be accomplished by lowering either its Severity level (info, low, medium, high etc.) or lowering its Fidelity value.

The signature helps address some covert channels used by some exploit software.
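As an added illustration of the interaction scothrel describes (this is not code from the thread or from Cisco), the Python sketch below models a signature with no configured actions, an event action override that adds produce-alert for a risk-rating range, and the two tuning levers mentioned: raising the override's minimum RR or lowering the signature's severity/fidelity. The simplified RR formula (attack severity x target value x fidelity / 10000, other terms omitted), the severity and target-value numbers, and the signature's severity and fidelity are assumptions chosen for the example.

```python
"""Model of a signature's own action set combined with an event action
override, as discussed above. The RR formula, the severity-to-ASR mapping,
the target-value ratings, and the sample signature settings are assumptions
for illustration, not values taken from the thread or a sensor config."""
from dataclasses import dataclass

# Assumed severity -> attack severity rating (ASR) mapping.
SEVERITY_ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
# Assumed target value rating (TVR); "medium" is treated as the neutral default.
TARGET_VALUE = {"zero": 50, "low": 75, "medium": 100, "high": 150,
                "mission-critical": 200}


@dataclass(frozen=True)
class Signature:
    sig_id: int
    severity: str
    fidelity: int                       # signature fidelity rating, 0-100
    actions: frozenset = frozenset()    # actions configured on the signature itself


@dataclass(frozen=True)
class Override:
    action: str                         # action the override adds, e.g. "produce-alert"
    rr_min: int                         # inclusive RR range that triggers the override
    rr_max: int


def risk_rating(sig: Signature, target_value: str = "medium") -> int:
    """Simplified RR = ASR x TVR x SFR / 10000, clamped to 0-100 (assumed model)."""
    asr = SEVERITY_ASR[sig.severity]
    tvr = TARGET_VALUE[target_value]
    return min(100, max(0, asr * tvr * sig.fidelity // 10000))


def resolve_actions(sig: Signature, overrides, target_value: str = "medium"):
    """Return (rr, actions): the signature's own actions plus every override
    whose RR range contains the computed RR. A signature set to 'no action'
    still alerts if an override matches, which is the behaviour in the thread."""
    rr = risk_rating(sig, target_value)
    actions = set(sig.actions)
    for ov in overrides:
        if ov.rr_min <= rr <= ov.rr_max:
            actions.add(ov.action)
    return rr, frozenset(actions)


def compare_tunings(sig: Signature, override: Override):
    """Show the three situations raised in the thread side by side:
    as found, override floor raised to 60, and signature fidelity halved."""
    raised = Override(override.action, 60, override.rr_max)
    tuned_sig = Signature(sig.sig_id, sig.severity, sig.fidelity // 2, sig.actions)
    return {
        "as_found": resolve_actions(sig, [override]),
        "raise_override_floor": resolve_actions(sig, [raised]),
        "lower_fidelity": resolve_actions(tuned_sig, [override]),
    }


if __name__ == "__main__":
    # Constructed sample: signature 1315 with no actions, severity "low",
    # fidelity 80, and an override that alerts on RR 0-100 (as in the thread).
    sig_1315 = Signature(1315, "low", 80)
    alert_all = Override("produce-alert", 0, 100)
    for name, (rr, acts) in compare_tunings(sig_1315, alert_all).items():
        print(f"{name:22s} RR={rr:3d} actions={sorted(acts)}")
```

The "as_found" row reproduces the surprise from the original post: an override covering RR 0-100 adds produce-alert to every event, so the signature's own "no action" setting never decides anything. Raising the override floor leaves low-RR signatures alone; lowering fidelity reduces this one signature's RR without changing policy for the rest.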

You are correct...there was an event action override to alert 0-100.

I thought this was removed by the other analyst and was thrown by the new alerts coming in from 6.0 but not triggered in 5(4).

Thanks....feeling sheepish now.

It's actually one of the more common oversights....

klwiley
Cisco Employee

Is it possible that you have an override to add an alert action?
