I wanted to use global summarization on the Nachi alarm 2156. I tuned that in the signature and set the alarm throttle time to 60 seconds. That worked, in that I get the summaries every 60 seconds, but the counts being reported are through the roof - about 60 times higher than actual. Does the sensor not clear the count when starting a new summary period? Any help / explanations appreciated...
The signature is written in such a way that it would fire many times for one Nachi packet. This is why the AlarmThrottle was set as FireOnce. The FireOnce prevents the alarm from firing multiple times for each packet. When you set GlobalSummarize, your count will include ~20-30 alarms for each packet.
That explains it...mostly. Does it want to fire multiple times because the string being looked for in the packet is repeated multiple times? I asked because I have sniffed the traffic and we are really only getting 30-60 per minute. If it is a case of a repeated string, could we tune it to stop looking at a certain offset?
Found it - posting this for anyone who wants to do this. Nachi signature matches on a regex pattern of 48 bytes of 0xaa. The packets I am getting from the Internet have 64 bytes of that pattern. Therefore, I get 17 matches per packet: the first match at offset 48, then slide over one and match again, then again, and so on up to byte 64.
The default signature setting of "FireOnce" prevents you from seeing multiple hits normally, but when using GlobalSummarize, you are counting all those 17 hits for every packet, so the summaries are huge.
To fix this, set the MaxInspectLength to 47 (not 48, because in hex we start counting at 00 and we want to match through byte 47). This will give you one hit per packet (even if you set the AlarmThrottle to FireAll) and allows the GlobalSummarize setting to count properly.
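To illustrate the behaviour described in this thread, here is an added simulation (not code from the thread or from the sensor itself) of a 48-byte 0xaa regex sliding over a 64-byte payload. It assumes a constructed payload of 64 bytes of 0xaa and models MaxInspectLength as "inspect bytes 0 through N inclusive"; the `count_hits` and `global_summary_total` names are my own.

```python
import re
from typing import Optional

# Constructed sample payload: 64 bytes of 0xaa, as described for the Nachi traffic.
NACHI_LIKE_PAYLOAD = b"\xaa" * 64

# Pattern modelled on the signature: a run of 48 bytes of 0xaa.
# The zero-width lookahead lets finditer report every overlapping start
# position, which is what an un-throttled (FireAll) engine would alarm on.
RUN_OF_48 = re.compile(rb"(?=\xaa{48})")


def count_hits(payload: bytes, max_inspect_length: Optional[int] = None) -> int:
    """Number of positions where the 48-byte run matches in one packet.

    max_inspect_length follows the thread's convention: offsets start at 00,
    so a value of 47 means only bytes 0..47 (48 bytes) are inspected.
    """
    if max_inspect_length is not None:
        payload = payload[: max_inspect_length + 1]
    return sum(1 for _ in RUN_OF_48.finditer(payload))


def global_summary_total(packets, max_inspect_length: Optional[int] = None,
                         fire_once: bool = False) -> int:
    """Total alarms a GlobalSummarize period would report for these packets.

    With fire_once=True each packet contributes at most one alarm (the
    FireOnce throttle); otherwise every overlapping match is counted.
    """
    total = 0
    for pkt in packets:
        hits = count_hits(pkt, max_inspect_length)
        total += min(hits, 1) if fire_once else hits
    return total


if __name__ == "__main__":
    minute_of_traffic = [NACHI_LIKE_PAYLOAD] * 30  # constructed: 30 packets/min
    print("hits per packet, default:", count_hits(NACHI_LIKE_PAYLOAD))
    print("hits per packet, MaxInspectLength=47:", count_hits(NACHI_LIKE_PAYLOAD, 47))
    print("summary, FireAll:", global_summary_total(minute_of_traffic))
    print("summary, MaxInspectLength=47:", global_summary_total(minute_of_traffic, 47))
```

Setting the limit to 48 instead of 47 still leaves two overlapping matches per packet, which is why the post is specific about the value.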
I am afraid I do not know - I only learned about these tuning features using the IDS MC on VMS (when I had IDSMv1 blades I was using CSPM and I don't think I had the option). However, you should be able to create your own signature that works just like the canned one, and make it match on the entire 64 byte string instead of just 48 bytes. Then you could turn off the canned one.