I am trying to use summarization for sweep-engine signatures. For my test I use signature 2100 "ICMP Network Sweep w/ECHO". I set the unique parameter to 10 and Summary mode to "Fire All" with Summary Threshold set to 3. After that I made a simple nmap ping scan of a network with 256 nodes.
I received 4 alerts with 10 addresses of scanned nodes and no summary alert at all.
I tried several parameters with no success at all. Every time I got several alerts with no summary.
Did all 4 alerts happen within the Summary Interval? If not, then they did not happen fast enough to kick in the auto summarization. It is not just the number of alerts, but the number of alerts within a specific time.
My best guess is that the alerts were spread over a minute or 2 instead of the 30 seconds that is the default Summary Interval.
Trying to force the automatic summarization for the sweep engines can often be very tricky. It is not always easy to tell how many alerts you should see from a sweep. A sweep is really just a single attack. If it lasts long enough you might get some additional alerts firing, but it is still really just the same attack. There are some internal timers within the sensor that control how often additional alerts will be produced for that same sweep. And users do not have control over those timers.
NOTE: Other engines are easier to test for Summarization. This is because you are not relying on internal timers in the sensor. In the atomic engine, if you send 10 packets very fast, then you know 10 alerts will be internally generated, and you can much more easily calculate and determine how those 10 alerts should be treated by the automatic summarization.
If you really want to set the Threshold so low, you are probably better off avoiding the "automatic" upgrade to summarization. Instead, just set it to Summarization mode to begin with, and have it always be summarized.
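To make the timing argument in the reply concrete, here is an added example (not code from the original thread or from Cisco) that models a "Fire All + Summary Threshold" decision over a list of alert timestamps. The sensor's real internals are not public, so the model is an assumption: alerts are counted in fixed windows of Summary Interval seconds that start at their first alert, and a window switches to summary mode once it holds at least Summary Threshold alerts. The inputs are constructed: four sweep-engine alerts spread over about two minutes (the poster's situation as the reply guesses it) and an atomic-engine style burst of ten alerts in a few seconds.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class SummaryConfig:
    summary_threshold: int    # alerts inside one interval needed to switch to summary mode (assumed >=)
    summary_interval: float   # seconds; the default mentioned in the thread is 30

def window_mode(count: int, cfg: SummaryConfig) -> str:
    """'summary' if the window reached the threshold, else 'fire-all'."""
    return "summary" if count >= cfg.summary_threshold else "fire-all"

def bucket_alerts(alert_times: List[float], cfg: SummaryConfig) -> List[Tuple[float, int, str]]:
    """Group alert timestamps (seconds) into fixed windows of cfg.summary_interval.

    Assumption: a window opens at its first alert and closes summary_interval
    seconds later; the next alert after that opens a new window.
    Returns one (window_start, alert_count, mode) tuple per window.
    """
    windows: List[Tuple[float, int, str]] = []
    if not alert_times:
        return windows
    times = sorted(alert_times)
    start, count = times[0], 0
    for t in times:
        if t - start >= cfg.summary_interval:
            # Close the current window and open a new one at this alert.
            windows.append((start, count, window_mode(count, cfg)))
            start, count = t, 0
        count += 1
    windows.append((start, count, window_mode(count, cfg)))
    return windows

def would_summarize(alert_times: List[float], cfg: SummaryConfig) -> bool:
    """True if any interval window crosses the threshold, i.e. a summary alert fires."""
    return any(mode == "summary" for _, _, mode in bucket_alerts(alert_times, cfg))

# Constructed inputs (not captured from a sensor).
CFG = SummaryConfig(summary_threshold=3, summary_interval=30.0)
# Sweep-engine case: the sensor's internal timers spaced the 4 alerts over ~2 minutes.
SLOW_SWEEP = [0.0, 35.0, 70.0, 110.0]
# Atomic-engine case: 10 packets sent back to back produce 10 alerts within 5 seconds.
FAST_BURST = [0.0, 0.5, 1.0, 1.5, 2.0, 2.5, 3.0, 3.5, 4.0, 4.5]

if __name__ == "__main__":
    for name, times in (("slow sweep", SLOW_SWEEP), ("fast burst", FAST_BURST)):
        print(name, "summarizes:", would_summarize(times, CFG))
        for start, count, mode in bucket_alerts(times, CFG):
            print(f"  window starting at {start:6.1f}s: {count} alert(s) -> {mode}")
```

With these inputs the slow sweep lands one alert in each of four separate 30-second windows, so no window reaches the threshold of 3 and no summary fires; the burst puts all ten alerts in one window and summarizes immediately. Lowering the threshold does not help the slow case at all, which is why the reply suggests starting in summary mode instead of waiting for the automatic upgrade.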