Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
485
Views
0
Helpful
2
Replies

Rash of Sig IDs 994 & 995 after updating to 3.0(1)S4

rsmith
Level 1
Level 1

‎02-26-2002 10:59 AM - edited ‎03-08-2019 09:55 PM

After I updated the IDS signatures to 3.0(1)4 I have been receiving a ton of sig IDs 994 and 995...saying "Traffic Status Up" or "Traffic Status Down". What is the problem here?

When I check the connection status between the CSPM and the sensor, everything is fine and all my services appear to be running too.

Thanks

Labels:
0 Helpful
2 Replies 2

brenden
Level 1
Level 1

‎02-26-2002 11:30 AM

I wouldn't know but one advice would be to upgrade all the way up to 3.0(5)S17?

3.0(1)S4 is pretty old.

0 Helpful

marcabal
Cisco Employee
Cisco Employee

‎02-26-2002 11:42 AM

The 994 and 995 sigs are new in 3.0(1)S4.

The 995 fires when the sensor interface is physically unplugged (workd only for IDS-4210), or when the sensor stops receiving any packets on it's monitoring interface (all IDS-42xx sensors).

The 994 fires when the sensor starts seeing packets again.

So either you network is very quiet for some periods, in which case the sensor will fire the 995 when no more packets are seen, and 994 when it starts back up (typical in lab environments).

Or your sensor is being physically unplugged for short periods of time.

Or the switch that your sensor is connected to may be rebooting or breaking connection with the sensor for short periods of time.

These signatures can be configured through SigWizMenu (I belive they are also in nrConfigure for hte Unix Director):

LinkStatusSeverity—You can change the alarm severity of the link status alarms (0-5, 0=off, 5=most severe) - Severity of the 995 sig when it fires for the interface being physically disconneted on the IDS-4210 sensor. The 995 sig could fire when the interface is unplugged or if the sensor doesn't see anymore traffic, and each scenario has a different severity.

NoTrafficTimeout—The number of seconds of no traffic to fire the traffic flow alarm (10-1000) - This tells the sensor how long there shouldn't be any traffic to fire the 995 sig.

TrafficFlowSeverity—You can change the alarm severity of the traffic flow alarms (0-5, 0=off, 5=most severe) - severity for both the 995 and 994 sigs when they are firing because of not seeing traffic.

0 Helpful
Customers Also Viewed These Support Documents