Cisco Support Community
Nachi alarm summarization

I wanted to use global summarization on the Nachi alarm 2156. I tuned that in the signature and set the alarm throttle time to 60 seconds. That worked, in that I get the summaries every 60 seconds, but the counts being reported are through the roof - about 60 times higher than actual. Does the sensor not clear the count when starting a new summary period? Any help / explanations appreciated...

--James

6 REPLIES
Re: Nachi alarm summarization

To be more specific...I set the ThrottleInterval to 60 seconds and the AlarmThrottle to GlobalSummarize.

Re: Nachi alarm summarization

The signature is written in such a way that it would fire many times for one Nachi packet. This is why the AlarmThrottle was set as FireOnce. The FireOnce prevents the alarm from firing multiple times for each packet. When you set GlobalSummarize, your count will include ~20-30 alarms for each packet.

Re: Nachi alarm summarization

That explains it...mostly. Does it want to fire multiple times because the string being looked for in the packet is repeated multiple times? I asked because I have sniffed the traffic and we are really only getting 30-60 per minute. If it is a case of a repeated string, could we tune it to stop looking at a certain offset?

Thanks for the reply!

Re: Nachi alarm summarization

Found it - posting this for anyone who wants to do this. Nachi signature matches on a regex pattern of 48 bytes of 0xaa. The packets I am getting from the Internet have 64 bytes of that pattern. Therefore, I get 17 matches per packet: the first match at offset 48, then slide over one and match again, then again, and so on up to byte 64.

The default signature setting of "FireOnce" prevents you from seeing multiple hits normally, but when using GlobalSummarize, you are counting all those 17 hits for every packet, so the summaries are huge.

To fix this, set the MaxInspectLength to 47 (not 48, because in hex we start counting at 00 and we want to match through byte 47). This will give you one hit per packet (even if you set the AlarmThrottle to FireAll) and allows the GlobalSummarize setting to count properly.

--James
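The counting behaviour James describes, as an added simulation that is not part of the original thread or of any Cisco sensor code: a 48-byte pattern slid over a 64-byte run of 0xaa yields 17 overlapping matches, FireOnce collapses them to one alarm per packet, GlobalSummarize counts them all, and a MaxInspectLength of 47 (bytes 0..47 inclusive) leaves exactly one match. The function names and the 30-packet interval are this example's own constructions.

```python
# Added example (not from the original thread): simulate overlapping
# signature matches on a payload and how the alarm throttle mode and
# MaxInspectLength change the count reported in a summary interval.
# The 48-byte pattern and 64-byte payload are the values from the thread.

PATTERN = b"\xaa" * 48  # the signature's pattern: 48 bytes of 0xaa


def count_matches(payload, pattern, max_inspect_length=None):
    """Count every offset at which `pattern` matches, overlaps allowed.

    max_inspect_length caps inspection at bytes 0..max_inspect_length
    inclusive (zero-based), following the thread's reading that a value
    of 47 means "match through byte 47", i.e. the first 48 bytes.
    """
    if max_inspect_length is not None:
        payload = payload[:max_inspect_length + 1]
    hits = 0
    for offset in range(len(payload) - len(pattern) + 1):
        if payload[offset:offset + len(pattern)] == pattern:
            hits += 1
    return hits


def summarized_count(packets, pattern, throttle, max_inspect_length=None):
    """Alarm count over one summary interval under a throttle mode.

    "FireOnce": at most one alarm per packet.
    "GlobalSummarize" or "FireAll": every individual match is counted.
    """
    total = 0
    for payload in packets:
        hits = count_matches(payload, pattern, max_inspect_length)
        total += (1 if hits else 0) if throttle == "FireOnce" else hits
    return total


if __name__ == "__main__":
    nachi_payload = b"\xaa" * 64      # constructed: the 64-byte run observed
    interval = [nachi_payload] * 30   # constructed: 30 packets in one window
    print(count_matches(nachi_payload, PATTERN))                        # 17
    print(count_matches(nachi_payload, PATTERN, 47))                    # 1
    print(summarized_count(interval, PATTERN, "FireOnce"))              # 30
    print(summarized_count(interval, PATTERN, "GlobalSummarize"))       # 510
    print(summarized_count(interval, PATTERN, "GlobalSummarize", 47))   # 30
```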

Re: Nachi alarm summarization

Can this be done on IDSMv1?

Thanks,

Chris

Re: Nachi alarm summarization

I am afraid I do not know - I only learned about these tuning features using the IDS MC on VMS (when I had IDSMv1 blades I was using CSPM and I don't think I had the option). However, you should be able to create your own signature that works just like the canned one, and make it match on the entire 64 byte string instead of just 48 bytes. Then you could turn off the canned one.

--James
