Looking to shed some light into the behavior of the Flood Engine.
According to Cisco documentation:
The Flood engine defines signatures that watch for any host or network sending multiple packets to a single host or network. For example, you can create a signature that fires when 150 or more packets per second (of the specific type) are found going to the victim host.
As an example, let's examine the default parameters of sig 4002 UDP Host Flood.
Engine: Flood Host
Event Count: 1
Event Count Key: Attacker Address
Specify Alert Interval: No
Is it correct to say that an alert is generated if the sensor sees that source A has exceeded 100 UDP packets per second? 100+ pps could have been to 1 host, or a bunch of hosts, as long as the total packet count from source A is greater than 100. The alert, however, will show the victim address and port of the triggering packet (the 101st packet in that second). Am I correct so far?
My first problem, is the NSDB signature description says "This triggers when a large number of UDP packets are directed at a host." To me, for this to happen, the Event Count Key should be set to Victim Address.
My other problem, is that no matter what tuning I try on various Flood Engine signatures, alerts are generated that are not in line with what the parameters specify.
For example, let's retune sig 4002 so that it alerts on distinct host pairs (1 to 1 relationship). So we change Event Count Key to Attacker and Victim Addresses. Now if source A sends out 101 pps to multiple hosts, I should expect to see no alerts. The only time I expect to see alerts is if source A sent 101 pps to dest B, and another alert if source A sent 101 pps to dest C, etc. But, after extensive testing, it doesn't work that way.
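To make the expected semantics of Event Count Key concrete, here is an added model (not Cisco code and not from this thread) of a per-second flood counter. It assumes a 100 pps threshold and constructs its own sample traffic; it implements the behavior the documented parameters describe (alert on the 101st packet within a one-second bucket, reporting that packet's victim address and port), not whatever internal summarization the sensor itself performs.

```python
from collections import defaultdict
from typing import Iterable, List, NamedTuple


class Packet(NamedTuple):
    ts: float      # capture timestamp in seconds
    src: str       # attacker address
    dst: str       # victim address
    dport: int     # victim port


class Alert(NamedTuple):
    second: int
    attacker: str
    victim: str        # address of the packet that crossed the threshold
    victim_port: int   # port of that same triggering packet


RATE_THRESHOLD = 100   # packets per second; assumed value for this example


def flood_alerts(packets: Iterable[Packet], event_count_key: str,
                 rate: int = RATE_THRESHOLD) -> List[Alert]:
    """Count packets per one-second bucket, grouped by the chosen key, and
    raise one alert per (bucket, key) the first time the count exceeds `rate`.

    event_count_key: "attacker"        -> counts all packets from a source
                     "attacker_victim" -> counts each source/destination pair
    """
    counts = defaultdict(int)
    fired = set()
    alerts: List[Alert] = []
    for p in packets:
        second = int(p.ts)
        if event_count_key == "attacker":
            key = (second, p.src)
        elif event_count_key == "attacker_victim":
            key = (second, p.src, p.dst)
        else:
            raise ValueError(f"unknown event count key: {event_count_key}")
        counts[key] += 1
        if counts[key] > rate and key not in fired:
            fired.add(key)
            # The alert carries the victim address/port of the triggering packet.
            alerts.append(Alert(second, p.src, p.dst, p.dport))
    return alerts


def spread_flood(src: str, victims: List[str], n: int, second: int = 0) -> List[Packet]:
    """Constructed traffic: n packets inside one second, round-robin over
    `victims`, each packet using a distinct destination port so the alert
    shows which packet triggered it."""
    return [Packet(second + i / n, src, victims[i % len(victims)], 1024 + i)
            for i in range(n)]


if __name__ == "__main__":
    targets = [f"10.1.0.{k}" for k in range(10)]          # constructed addresses
    spread = spread_flood("10.0.0.1", targets, 101)       # 101 pps over 10 hosts
    focused = spread_flood("10.0.0.1", ["10.1.0.9"], 101)  # 101 pps to one host
    for name, pkts in (("spread", spread), ("focused", focused)):
        for key in ("attacker", "attacker_victim"):
            print(name, key, flood_alerts(pkts, key))
```

With the key set to the attacker address, the spread flood produces exactly one alert whose victim is simply the host that happened to receive the 101st packet; with the attacker-and-victim pair key the same traffic produces none, because no single pair reaches 101 packets in the second. The focused flood alerts under both keys.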
There's a little catch to the flood-host engine, and that's that there is an underlying storage key of xxBx in the engine itself, so the engine is doing some summarization, which is going to lead to odd results if you try to use the summary key in the signature itself. Back in 4.x, this was a by-design thing in the flood engines and from my digging yesterday, I believe that it's carried through into 5.x as well even though the multiple flood engines were consolidated.
Summary on the attacker Axxx works just fine, but not on the victim xxBx.
I'll update this thread once I get together with the engine developer and hash this out, but I'm pretty sure that this is by design.
Take a look at signature 4003, this was firing for me while I was fooling with 4002. Or even making a custom sig using the atomic-ip engine to identify a host to host flood using a count over an interval.
I'll update this when we hash out the details about summarization.
Thank you for looking into the matter. IMHO, event summarization for flood signatures is more desirable than outright filters. And as indicated in other sig tuning threads, filters are not a good option if event summarization is happening.
Perhaps like you mention, it may make more sense to re-implement some flood signatures using the atomic-ip engine.