Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
627
Views
0
Helpful
2
Replies

Couple of questions

giovanni
Level 1
Level 1

‎08-14-2001 08:06 AM - edited ‎03-08-2019 08:36 PM

Signatures precedence: assume I want to fire different sigs on CodeRed II (X..X) vs generic .ida overflows. I'd like to do this without having both fire when the more specific one is matched. Any idea?

Throttle interval: 1000 seconds maximum seems a bit short. I'd like to summarize CR alerts avery 6 hours or so. Is there a way to do this?

Thanks,

Giovanni

Labels:
0 Helpful
2 Replies 2

giovanni
Level 1
Level 1

‎08-14-2001 08:37 AM

Shortly later...

I tried to summarize the CodeRed hits, so I changed AlarmThrottle to GlobalSummarize and ThrottleInterval to 1000. Seeing as this wouldn't work I also set ResetAfterIdle to 1000.

See my settings below from SigUser.conf:

Engine STRING.HTTP SIGID 5126 AlarmThrottle GlobalSummarize DeObfuscate True MinHits 1 MinMatchLength 200 MultipleHits True ResetAft

erIdle 1000 SigStringInfo .ida?<200+ chars> ThrottleInterval 1000

I still get each single hit of this sig. What have I missed?

Giovanni

0 Helpful

pberiswill
Level 1
Level 1
In response to giovanni

‎08-14-2001 04:40 PM

I spent some time today looking over the Summarization feature set to see if there was a problem with it but have been unable to isolate a problem. Could you give me some more specific details concerning the problem you are having with GlobalSummarize mode on this sig? How are the changes being input? Is the sensor for sure getting re-started after the changes? What traffic is being used to test? Is the alarm summarizing at all? .....

Basically, what symptoms are being displayed?

0 Helpful
Customers Also Viewed These Support Documents