11-09-2001 10:29 AM - edited 03-08-2019 09:07 PM
Have set up a pair of Director 2.2.3 and IDSM 3.0(1)S4.
I am using some programs to do 'Sync Flood' and 'port scanning', but only the 'port scanning' is reported by the system... How can I let the IDSM determine the 'Sync Flood' attack?
11-14-2001 05:26 PM
Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen
If anyone else in the forum has some advice, please reply to this thread.
Thank you for posting.
11-15-2001 07:35 AM
Syn floods are rate based (X per sample period) and the rates are tuneable. You need to make sure that you are sending sufficient numbers over the sampling period to trigger the alarm.
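The rate-based behaviour described in the reply above, as an added example that is not part of the original post and is not Cisco's signature logic: a fixed-window SYN counter showing why a lab test below the threshold stays silent and how tuning the threshold changes the result. The sample period, threshold, addresses and function names are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample events: (timestamp_seconds, dst_ip, tcp_flags).
# Hypothetical lab data; not taken from any Cisco signature definition.
def make_syns(start, count, spacing, dst="192.0.2.10"):
    return [(start + i * spacing, dst, "S") for i in range(count)]

def syn_rate_alarms(events, sample_period, threshold):
    """Return sorted (window_start, dst, syn_count) for every fixed sample
    window in which bare SYNs to one destination reach the threshold."""
    counts = Counter()
    for ts, dst, flags in events:
        if flags != "S":  # count only SYN without ACK
            continue
        window_start = int(ts // sample_period) * sample_period
        counts[(window_start, dst)] += 1
    return sorted((w, d, n) for (w, d), n in counts.items() if n >= threshold)

SAMPLE_PERIOD = 2   # seconds per sample window (assumed value)
THRESHOLD = 100     # SYNs per window needed to alarm (assumed value)

# Same total number of SYNs, different rates.
burst = make_syns(start=0.0, count=150, spacing=0.01)    # 150 SYNs in 1.5 s
trickle = make_syns(start=10.0, count=150, spacing=0.1)  # 150 SYNs over 15 s

if __name__ == "__main__":
    # Fast test traffic crosses the threshold inside one window.
    print("burst  :", syn_rate_alarms(burst, SAMPLE_PERIOD, THRESHOLD))
    # Slow test traffic never reaches 100 in any 2 s window: no alarm.
    print("trickle:", syn_rate_alarms(trickle, SAMPLE_PERIOD, THRESHOLD))
    # Lowering the tunable threshold makes the same slow traffic visible.
    print("tuned  :", syn_rate_alarms(trickle, SAMPLE_PERIOD, 15))
```

A lower threshold also raises the false-positive rate on busy servers, so a tuned value should be checked against normal connection rates for the protected hosts.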
11-18-2001 07:03 PM
Thanks,
Could you please tell me the magic number to trigger the alarm? Is it configurable?
11-19-2001 09:03 AM
Look through the signatures file and/or the NSDB (Network Security DataBase on the Unix Director or CSPM), and determine which signatures you expect to fire.
Run SigWizMenu and select the option to tune a particular signature.
Then enter the signature you want to change (or look at the default settings for).
For information on running SigWizMenu refer to:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids6/12216_02.htm#xtocid1115818
and
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids6/13346_01.htm