Cisco Support Community
New Member

3327 and 2100 tuning

How specifically do you tune 3327 and 3328 so that it fires only ONCE when it sees MSBLASTER activity from a host?

As it stands now, it fires on every scan cycle and we are seeing 554 alarms per event and it's constantly filling the Security Monitor event viewer with alarms!

I have walked through the Tuning parameters but can't quite figure out which parameter will give me only 1 alarm per cycle instead of 554!

We are also seeing the same effects from the 2100 alarms.

What parameter can I tune to minimize the alarm volume?

thanks,

Mike

1 REPLY
Bronze

Re: 3327 and 2100 tuning

The answer depends on the sensor version you are using. For 4.x sensors, you can reduce the alarm volume quite well, but 3.x is more limited.

3327)

For 4.x, if you don't care about the destination addresses of the alarms, you can set 3327 to just tell you what hosts are infected. Set the SummaryKey parameter to "Axxx" to just track alarms on source addresses. Then, set the AlarmThrottle to "Summarize". By looking at the summary counts, you should easily be able to identify the infected hosts.

For 3.x, you adjust the AlarmThrottle parameter to "Summarize". This will reduce the number of alarms significantly, but not as much as you probably want.

2100)

For 3.x and 4.x, you can increase the Unique parameter to require more unique pings before the alarm is fired. Combined with adjusting the AlarmThrottle to "Summarize", this should greatly reduce the number of alarms.
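The effect of the SummaryKey advice in the reply above can be modeled offline. This is an added example, not part of the original thread and not Cisco's sensor code. It assumes the four SummaryKey positions stand for source address, source port, destination address and destination port, with "x" meaning the field is ignored, and it leaves out the summary time interval.

```python
from collections import Counter

# Assumed meaning of the four SummaryKey positions (a letter keeps the field,
# "x" ignores it): source address, source port, destination address, destination port.
FIELDS = ("src", "sport", "dst", "dport")


def summary_bucket(event, summary_key):
    """Return the tuple an alarm is summarized under for a given key mask."""
    if len(summary_key) != len(FIELDS):
        raise ValueError("SummaryKey must have four positions")
    return tuple(event[field] if ch.lower() != "x" else None
                 for field, ch in zip(FIELDS, summary_key))


def summarize(events, summary_key):
    """Model of AlarmThrottle=Summarize: one summary per bucket, with a count."""
    return Counter(summary_bucket(e, summary_key) for e in events)


def constructed_scan(src, block, n):
    """Constructed sample data: one host probing n sequential addresses."""
    return [{"src": src, "sport": 1024 + i,
             "dst": f"10.{block}.{i // 256}.{i % 256}", "dport": 135}
            for i in range(n)]


# Two constructed scanning hosts; 554 matches the alarm count in the question.
EVENTS = constructed_scan("192.0.2.10", 1, 554) + constructed_scan("192.0.2.77", 2, 120)


def infected_hosts(events):
    """Source-only summary ("Axxx"): one line per scanning host."""
    return {bucket[0]: count for bucket, count in summarize(events, "Axxx").items()}


if __name__ == "__main__":
    # A full four-field key gives every probe its own bucket, so nothing collapses.
    print("AaBb summaries:", len(summarize(EVENTS, "AaBb")))
    for host, count in infected_hosts(EVENTS).items():
        print(f"Axxx summary: {host} fired {count} times")
```

With the source-only key, the summary count per host is what identifies the infected machines, as the reply describes.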
