Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Sig. on traffic jump or number of connections

What do you think about following signatures?

- Signature(s) with threshold on incoming/outgoing traffic (total, by networks or IP)

- Signature(s) with threshold on number of connection (by protocol: ICMP/UDP/IP), port (80, 443, etc) or IP range

Think using such signatures will allow to detect DDoS, worms, etc much faster/easy.

Sorry, I missed such signatures in current IDS…

Cisco Employee

Re: Sig. on traffic jump or number of connections

You might try looking at the following signatures:

6901-Net Flood ICMP Reply

6902-Net Flood ICMP Request

6903-Net Flood ICMP Any

6910-Net Flood UDP

6920-Net Flood TCP

You could also try creating your own custom signatures using the following engines:

1 - ATOMIC.ICMP Simple ICMP alarms based on Type, Code, Seq, Id, e.

2 - ATOMIC.IPOPTIONS Simple L3 Alarms.

3 - ATOMIC.L3.IP Simple L3 IP Alarms.

4 - ATOMIC.TCP Simple TCP packet alarms based on TCP Flags, ports.

5 - ATOMIC.UDP Simple UDP packet alarms based on Port, Direction .

6 - FLOOD.HOST.ICMP Icmp Floods directed at a single host

7 - FLOOD.HOST.UDP Udp Floods directed at a single host

8 - FLOOD.NET Multi-protocol floods directed at a network segmen.

9 - FLOOD.TCPSYN Connections to multiple ports using TCP SYN.

To learn more about the engines refer to:

New Member

Re: Sig. on traffic jump or number of connections

I think it’s some kind of the same "feature" I need. My version is CSPM 2.3.3i and 4230 version

My needs is to make the sensor detect the total connections from a source ip address to the same destination ip address within a definable interval (time in minutes) and if that total connection reach a defined max it generate an event (and thereby the possibility to block).

I haven’t been able to find any doc on if this is possible in CSPM 233i.

Is it possible? And how to do?



CreatePlease to create content