Cisco Support Community
New Member

IDS Net Flood ICMP signatures

When I installed the 3.1-3-S31 signature update, the IDS started to detect hundreds of Net Flood ICMP signatures (6901, 6902, 6903) with a source and destination address of 0.0.0.0. Before that (with old signature updates) no event like that had been reported - all events had legitimate IP addresses.

Could that be a bug?

1 REPLY
Bronze

Re: IDS Net Flood ICMP signatures

The 0.0.0.0 source/destination address of the 690x alarms is the correct behavior. Since these alarms report on the amount of ICMP traffic vs. other traffic seen by the sensor, there aren't specific addresses to be reported. So, the 0.0.0.0 is filled in as a placeholder. These alarms are disabled by default and need to be tuned by placing the sensor in diagnostic mode before they can be reliably used. Perhaps the signatures were turned on inadvertently during a sensor configuration session. Please see the NSDB entries for these signatures to learn more about properly configuring the thresholds using the diagnostic mode.

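The reply above has a practical consequence for anyone feeding these alarms into a SIEM or an auto-enrichment pipeline: 690x alarms carry no real endpoint, so 0.0.0.0 must not be enriched, blocked or pivoted on as if it were a host. The following triage helper is an added example, not Cisco code or part of the original thread; the alert line format and the non-flood signature ids in the sample are constructed for illustration and are not the sensor's real output format.

```python
"""Triage helper for Cisco IDS 'Net Flood ICMP' alarms (signatures 6901-6903).

Added example, not Cisco code. The line format "<epoch> sig=<id> src=<ip> dst=<ip>"
is constructed for illustration; adapt the regex to your own log source.
"""
from collections import Counter
import re

# Rate-based ICMP flood signatures. They measure ICMP volume relative to the
# other traffic the sensor sees, so they carry no real endpoint addresses and
# the sensor fills in 0.0.0.0 as a placeholder (per the reply above).
NET_FLOOD_ICMP_SIGS = {6901, 6902, 6903}
PLACEHOLDER_ADDR = "0.0.0.0"

# Constructed sample alerts; 2004 and 3002 are arbitrary non-flood signature ids.
SAMPLE_ALERTS = """\
1000 sig=6901 src=0.0.0.0 dst=0.0.0.0
1001 sig=2004 src=10.1.1.5 dst=10.1.2.9
1002 sig=6902 src=0.0.0.0 dst=0.0.0.0
1003 sig=6901 src=0.0.0.0 dst=0.0.0.0
1004 sig=3002 src=0.0.0.0 dst=10.1.2.9
"""

_LINE = re.compile(r"^(\d+) sig=(\d+) src=(\S+) dst=(\S+)$")


def triage_alerts(text):
    """Split rate-based flood alarms from host-attributed alerts.

    Returns (flood_counts, host_alerts, placeholder_other):
      flood_counts      Counter of 690x alarms by signature id (volume only,
                        no host to act on; tune thresholds in diagnostic mode)
      host_alerts       alerts that name real endpoints and can be enriched
      placeholder_other non-690x alerts that still carry 0.0.0.0; set aside
                        for review instead of being treated as a host
    """
    flood_counts = Counter()
    host_alerts = []
    placeholder_other = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # constructed parser: skip lines it does not understand
        ts, sig, src, dst = int(m[1]), int(m[2]), m[3], m[4]
        if sig in NET_FLOOD_ICMP_SIGS:
            flood_counts[sig] += 1
        elif PLACEHOLDER_ADDR in (src, dst):
            placeholder_other.append((ts, sig, src, dst))
        else:
            host_alerts.append((ts, sig, src, dst))
    return flood_counts, host_alerts, placeholder_other
```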