Any suggestions on tuning the 6901 - 6920 signatures? Without having these signatures enabled I am missing out on a lot of activity outside of the firewall. But when they are enabled, getting way too many alarms. I realize you can change the MaxPPS, but then again, you might miss out on some good info.
The FLOOD.NET Engine analyzes traffic at the sensor's "Global" level, so it does not care about IP addresses. It watches the Packets Per Second (PPS) of a particular L4 traffic type and will send an alarm when its PPS threshold has been exceeded.
You first start with the alarms in "DIAG" mode, by setting the parameter "Rate" to 0. It will send you a regular alarm with the Maximum PPS the sensor saw that interval (every 30 sec).
Collect this information for one day so you can see your daily norms.
Analyze the MaxPPS trends and determine your normal maximum.
Use this value to tune the signature's Rate parameter. By setting a non-zero Rate parameter, you make the signature "LIVE" instead of "DIAG", so it will only send you an alarm when the threshold has been exceeded.
Notes on the threshold:
The three parameters: Rate, Peaks, and Gap are used for the threshold setting.
Rate is the Packets Per Second to cause a 'Peak' to be counted.
You should set your Rate to between 1.2 and 2.5 times your normal daily max.
You don't want to set the value too high such that it would be impossible on your network segment to achieve the Rate. A value too low could result in frequent alarms.
Peaks is the threshold number of seconds that the Rate was exceeded (a Peak). A lower value here (such as 2) means that any two seconds in the 'ThrottleInterval' where PPS > Rate will cause an alarm.
Gap is the number of seconds between the peaks that will cancel the alarm. If the peaks happen 10 seconds apart and the Gap is 5, the alarm will not fire (unless Peaks is set to 1).
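As an added illustration of the DIAG/LIVE workflow and the Rate, Peaks and Gap logic described in the reply above (example code written for this page, not Cisco sensor code), the model below replays a constructed per-second PPS trace through both modes. It assumes one PPS sample per second, that a peak further than Gap seconds from the previous peak restarts the peak count, and that the count resets after an alarm fires.

```python
"""Model of the FLOOD.NET Rate/Peaks/Gap threshold (constructed example)."""
from dataclasses import dataclass


@dataclass
class FloodSignature:
    rate: int            # PPS a second must exceed to count as a Peak; 0 = DIAG mode
    peaks: int           # number of Peaks required to raise an alarm
    gap: int             # max seconds allowed between consecutive Peaks
    interval: int = 30   # DIAG reporting interval in seconds

    def diag_report(self, pps_samples):
        """DIAG mode (Rate=0): the maximum PPS seen in each reporting interval."""
        return [max(pps_samples[i:i + self.interval])
                for i in range(0, len(pps_samples), self.interval)]

    def alarm_seconds(self, pps_samples):
        """LIVE mode: the seconds at which the signature would fire."""
        fired, count, last_peak = [], 0, None
        for t, pps in enumerate(pps_samples):
            if pps <= self.rate:
                continue
            # assumption: a Peak more than Gap seconds after the previous one
            # restarts the count, so widely spaced Peaks never add up
            if last_peak is not None and t - last_peak > self.gap:
                count = 0
            count += 1
            last_peak = t
            if count >= self.peaks:
                fired.append(t)
                count = 0   # assumption: counter resets once an alarm is raised
        return fired


def recommend_rate(observed_daily_max, factor=1.5):
    """Rate = 1.2 to 2.5 times the normal daily maximum observed in DIAG mode."""
    if not 1.2 <= factor <= 2.5:
        raise ValueError("factor must be between 1.2 and 2.5")
    return int(observed_daily_max * factor)


# Constructed 60-second trace: ~100 PPS baseline with two pairs of bursts.
SAMPLE_PPS = [100] * 60
SAMPLE_PPS[5] = 400
SAMPLE_PPS[15] = 400    # 10 s after the first burst: outside a Gap of 5
SAMPLE_PPS[40] = 400
SAMPLE_PPS[42] = 400    # 2 s after the previous burst: inside a Gap of 5
```

With Rate=200, Peaks=2 and Gap=5 only the bursts at seconds 40 and 42 raise an alarm, while Peaks=1 fires on every burst, matching the reply's "unless Peaks is set to 1" note.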