IDSM and Sync Flood

jacky.chan
Level 1

Have set up a pair of Director 2.2.3 and IDSM 3.0(1)S4.

I am using some programs to do 'Sync Flood' and 'port scanning', but only the 'port scanning' is reported by the system... How can I let the IDSM determine the 'Sync Flood' attack?


ciscomoderator
Community Manager

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.

scothrel
Level 3

Syn floods are rate based (X per sample period) and the rates are tuneable. You need to make sure that you are sending sufficient numbers over the sampling period to trigger the alarm.

Thanks,

Could you please tell me the magic number to trigger the alarm? Is it configurable?

Look through the signatures file and/or the NSDB (Network Security DataBase on the Unix Director or CSPM), and determine which signatures you expect to fire.

Run SigWizMenu and select the option to tune a particular signature.

Then enter the signature you want to change (or look at the default settings for).

For information on running SigWizMenu refer to:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids6/12216_02.htm#xtocid1115818

and

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids6/13346_01.htm
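The rate-based behaviour described in the replies above, as an added example that is not part of the original thread and is not Cisco's signature implementation: a counter of bare SYNs per destination per sample window, showing why lab traffic below the configured rate raises no alarm. The `threshold` and `window` values, the function names and the packet records are assumptions constructed for illustration, not IDSM defaults.

```python
from collections import Counter

SYN, ACK = 0x02, 0x10  # TCP flag bits

def syn_flood_alarms(packets, threshold, window=1.0):
    """Return (window_start, dst, syn_count) for each sample window in which
    one destination received at least `threshold` bare SYNs.

    packets: iterable of (timestamp_seconds, dst_ip, tcp_flags).
    threshold and window are illustrative tunables, not IDSM defaults.
    """
    counts = Counter()
    for ts, dst, flags in packets:
        # Count connection openers only: SYN set, ACK clear.
        if flags & SYN and not flags & ACK:
            bucket = int(ts // window) * window
            counts[(bucket, dst)] += 1
    return sorted((b, d, n) for (b, d), n in counts.items() if n >= threshold)

def constructed_traffic(rate, seconds, dst="192.0.2.10"):
    """Constructed sample records: `rate` evenly spaced SYNs per second to one
    host, plus one SYN-ACK per second that must not be counted."""
    pkts = [(s + i / rate, dst, SYN) for s in range(seconds) for i in range(rate)]
    pkts += [(s + 0.5, dst, SYN | ACK) for s in range(seconds)]
    return pkts

if __name__ == "__main__":
    slow = constructed_traffic(rate=20, seconds=3)
    fast = constructed_traffic(rate=200, seconds=3)
    # Below the tuned rate: nothing fires, matching the symptom in the question.
    print("20/s  vs threshold 100:", syn_flood_alarms(slow, threshold=100))
    # Above the tuned rate: one alarm per sample window.
    print("200/s vs threshold 100:", syn_flood_alarms(fast, threshold=100))
    # Same slow traffic after lowering the threshold: now it fires.
    print("20/s  vs threshold 15 :", syn_flood_alarms(slow, threshold=15))
```

When validating a sensor, compare the measured SYN rate of the test traffic against the signature's tuned rate and sample period before concluding the signature is not working.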
