Cisco Support Community
Net Flood Signature Tuning

Any suggestions on tuning the 6901 - 6920 signatures? Without having these signatures enabled I am missing out on a lot of activity outside of the firewall, but when they are enabled I am getting way too many alarms. I realize you can change the MaxPPS, but then again you might miss out on some good info.

Thanks.

1 REPLY
Re: Net Flood Signature Tuning

The FLOOD.NET Engine analyzes traffic at the sensor's "Global" level, so it does not care about IP addresses. It watches the Packets Per Second (PPS) of a particular L4 traffic type and will send an alarm when its PPS threshold has been exceeded.

You first start with the alarms in "DIAG" mode, by setting the parameter "Rate" to 0. It will send you a regular alarm with the Maximum PPS the sensor saw that interval (every 30 sec).

Collect this information for one day so you can see your daily norms.

Analyze the MaxPPS trends and determine your normal maximum.

Use this value to tune the signature's Rate parameter. By setting a non-zero Rate parameter, you make the signature "LIVE" instead of "DIAG", so it will only send you an alarm when the threshold has been exceeded.

Notes on the threshold:

Three parameters, Rate, Peaks, and Gap, are used for the threshold setting.

Rate is the Packets Per Second to cause a 'Peak' to be counted.

You should set your Rate to between 1.2 and 2.5 times your normal daily max.

You don't want to set the value too high such that it would be impossible on your network segment to achieve the Rate. A value too low could result in frequent alarms.

Peaks is the threshold number of seconds that the Rate was exceeded (a Peak). A lower value here (such as 2) means that any two seconds in the 'ThrottleInterval' where PPS > Rate will cause an alarm.

Gap is the number of seconds between the peaks that will cancel the alarm. If the peaks happen 10 seconds apart and the Gap is 5, the alarm will not fire (unless Peaks is set to 1).

A good "tuning" may look like:

    Engine FLOOD.NET
    SIGID xyz . . .
    ThrottleInterval 30
    Rate 750
    Peaks 4
    Gap 20

You can do this for ICMP, TCP, and UDP packets.

You can specify the IcmpType field if interested.

TCP packets count only when the SYN flag is set.

Good luck, let us know how it goes.

-JK
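To make the Rate / Peaks / Gap interaction in the reply concrete, here is an added illustration that is not part of the original thread and not Cisco's sensor code. It models one FLOOD.NET signature over a constructed per-second PPS series: DIAG mode (Rate 0) reports the maximum PPS per 30-second interval, `suggest_rate` applies the 1.2x to 2.5x guideline, and `evaluate` models LIVE mode. The exact sensor semantics are not on the page, so the model (Peaks accumulate while consecutive Peak seconds are no more than Gap seconds apart, reaching Peaks fires an alarm, and alarms are throttled to one per ThrottleInterval) is an assumption, as are all function and parameter names.

```python
# Added illustration (not from the original thread): a small model of how the
# FLOOD.NET Rate / Peaks / Gap / ThrottleInterval parameters described in the
# reply interact. The sensor's real implementation is not on the page; the
# semantics below are assumed from the reply's wording.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FloodNetSignature:
    rate: int                    # PPS above which a second counts as a Peak (0 = DIAG mode)
    peaks: int                   # number of Peak seconds needed to raise an alarm
    gap: int                     # max seconds between Peaks before the count resets
    throttle_interval: int = 30  # at most one alarm per this many seconds (assumed)


def diag_max_pps(samples: List[int], interval: int = 30) -> List[int]:
    """DIAG mode (Rate 0): report the maximum PPS seen in each interval.

    `samples` holds one PPS reading per second for a single L4 traffic type.
    """
    return [max(samples[i:i + interval]) for i in range(0, len(samples), interval)]


def suggest_rate(daily_max_pps: int) -> tuple:
    """Rate range the reply recommends: 1.2x to 2.5x the observed daily maximum."""
    return round(1.2 * daily_max_pps), round(2.5 * daily_max_pps)


def evaluate(sig: FloodNetSignature, samples: List[int]) -> List[int]:
    """LIVE mode: return the second indices at which an alarm would fire.

    Assumed model: a second with PPS > Rate is a Peak; Peaks accumulate while
    consecutive Peaks are no more than Gap seconds apart (a larger gap resets
    the count); reaching the Peaks threshold fires an alarm, which is then
    throttled to one per ThrottleInterval.
    """
    if sig.rate == 0:
        raise ValueError("Rate 0 is DIAG mode; use diag_max_pps()")
    alarms: List[int] = []
    peak_count = 0
    last_peak: Optional[int] = None
    last_alarm: Optional[int] = None
    for t, pps in enumerate(samples):
        if pps <= sig.rate:
            continue
        if last_peak is not None and t - last_peak > sig.gap:
            peak_count = 0  # earlier Peaks are too old to count
        peak_count += 1
        last_peak = t
        if peak_count >= sig.peaks:
            if last_alarm is None or t - last_alarm >= sig.throttle_interval:
                alarms.append(t)
                last_alarm = t
            peak_count = 0
    return alarms


# Constructed sample: 60 seconds of 300 PPS background with two bursts.
SAMPLES = [300] * 60
SAMPLES[5] = SAMPLES[6] = 1000   # short burst: only 2 Peak seconds
for t in range(40, 44):
    SAMPLES[t] = 2000             # sustained burst: 4 Peak seconds


if __name__ == "__main__":
    print("DIAG max PPS per 30s interval:", diag_max_pps(SAMPLES))
    print("Suggested Rate range for daily max 300:", suggest_rate(300))
    tuned = FloodNetSignature(rate=750, peaks=4, gap=20)
    print("LIVE alarms with Rate 750 / Peaks 4 / Gap 20:", evaluate(tuned, SAMPLES))
```

With the reply's suggested tuning (Rate 750, Peaks 4, Gap 20) the two-second burst at seconds 5 and 6 never reaches the Peaks threshold, while the four-second burst starting at second 40 fires once at second 43; lowering Peaks to 2 makes both bursts alarm, which is the trade-off between missed activity and alarm volume that the original question is about.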
