Cisco Support Community
Community Member

IDS Filtering Nachi Alarms


We just deployed IDS-sig-3.1-4-S58.bin on our sensor and everything works OK... too well, I will say. We are getting flooded with Nachi Alarms, approx 10k a day. Is there a way to filter the alarms so we do not get reported on them as much or at all? We currently have CSPM 2.3.3i. There is a filtering tab in CSPM under the sensor policy, but modifying or excluding the signature 2156 has not changed the amount of notifications we receive.

Thank you!

Community Member

Re: IDS Filtering Nachi Alarms

You have a couple options available to you. If you go into signature configuration, you can configure how the signature is reported - by altering the AlarmThrottle. The AlarmThrottle limits the number of alarms sent to the IDS management device.

You have available under AlarmThrottle:

FireAll - Send all alarms when the signature conditions are met.

FireOnce - Send the first alarm when the conditions are met. Then, do not send any more alarms from the same SOURCE and DESTINATION address COMBINATION.

Summarize - Send only one alarm per "throttleinterval" per address combination.

GlobalSummarize - Similar to summarize parameter but expands to all address combinations instead of one. For example, once an alarm is sent the sensor counts the subsequent alarms per the throttleinterval for all address combinations being monitored. This will reduce the number of alarms triggered during flood attacks.

Hope this helps.
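
A simplified model of the four AlarmThrottle modes as the reply above describes them, added here as an example; it is not Cisco's sensor code and not part of the original posts. The event tuples, the 30-second throttle interval, the addresses and the function names are assumptions made for illustration.

```python
from collections import namedtuple

# Constructed alarm record: t is seconds since capture start.
Event = namedtuple("Event", "t src dst")

MODES = ("FireAll", "FireOnce", "Summarize", "GlobalSummarize")

def forwarded(events, mode, throttle_interval=30):
    """Return the alarms a sensor in `mode` would send to the console."""
    if mode not in MODES:
        raise ValueError(f"unknown AlarmThrottle mode: {mode}")
    sent = []
    interval_start = {}  # throttle key -> time of the last alarm sent
    for ev in sorted(events, key=lambda e: e.t):
        if mode == "FireAll":
            sent.append(ev)
            continue
        # GlobalSummarize shares one counter across every address pair.
        key = "*" if mode == "GlobalSummarize" else (ev.src, ev.dst)
        start = interval_start.get(key)
        if start is None:
            fire = True                      # first alarm for this key
        elif mode == "FireOnce":
            fire = False                     # never repeat for this pair
        else:
            fire = ev.t - start >= throttle_interval
        if fire:
            interval_start[key] = ev.t
            sent.append(ev)
    return sent

def sample_flood():
    """Constructed data: 3 sources x 10 destinations, one alarm every 10 s for 60 s."""
    return [Event(t, f"10.0.0.{s}", f"10.0.1.{d}")
            for s in range(1, 4) for d in range(1, 11) for t in range(0, 60, 10)]

def counts(events, throttle_interval=30):
    """Number of alarms forwarded under each mode for the same event stream."""
    return {m: len(forwarded(events, m, throttle_interval)) for m in MODES}

if __name__ == "__main__":
    for mode, n in counts(sample_flood()).items():
        print(f"{mode:16} {n} alarms forwarded")
```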
