07-13-2006 05:14 AM - edited 03-10-2019 03:05 AM
I didn't get much traction with my last attempts to understand event summarization, so I'll give a real example. I've modified the ftp authorization failure sig (6250-0) as follows:
Event Counter
------------------
Event Count: 10
Event Count Key: Attacker and victim addresses
Specific Alert Interval: No
Alert Frequency
--------------------
Summary Mode: Summarize
Summary Interval: 600
Summary Key: Attacker and victim addresses
Specify Global Summary Threshold: No
I was hoping that during a sustained ftp brute-force attempt, this would limit the number of alerts to 2 per 10 minute period (the initial alarm and the summary alarm). Alas, it fires the summary alarm exactly 15 seconds after the initial alarm. Then it fires the initial alarm, and then 15 seconds later it fires another summary alarm....and so on. What are the correct settings if I want the 2 alarms every 10 minutes? Is there a _good_ technical description of these features anywhere?
07-13-2006 06:09 PM
Hi .. a brief explanation of your configuration..
Event Counter: It is configured so that for signature 6250-0 one alert is generated only after 10 instances of the signature's firing have been detected.
Alert Frequency: It will generate the original alert and then one summary alert every 10 minutes.
Are you sure the alerts being generated are reporting the same attacker and victim address ..?
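To make the semantics described in the reply concrete, here is a small simulation of the two settings (Event Counter with a 10-hit threshold keyed on attacker/victim, and Summarize mode with a 600-second interval on the same key). This is an added example, not Cisco IPS code, and it encodes assumptions: the event counter resets each time it reaches its threshold, the summary alert is emitted when the interval expires and only if something was suppressed, and the global summary threshold is not modelled. The event stream (one failed login per second from one attacker for 30 minutes, plus a short burst from a second attacker) is constructed. Under these assumptions the model produces exactly two alerts per key per 10-minute window, which is the behaviour the original poster expected; it does not reproduce the 15-second summary the poster observed.

```python
from collections import defaultdict


def make_sample_events():
    """Constructed sample: (seconds, attacker, victim) tuples for sig hits.

    Attacker 10.0.0.5 fails an ftp login once per second for 1800 s.
    Attacker 10.0.0.9 sends a burst of 12 failures starting at t=100.
    """
    events = [(t, "10.0.0.5", "192.0.2.21") for t in range(1800)]
    events += [(t, "10.0.0.9", "192.0.2.21") for t in range(100, 112)]
    events.sort()
    return events


class Summarizer:
    """Assumed model of Event Counter + Summarize-mode Alert Frequency.

    Alerts are recorded as (time, kind, key, count) with kind 'alert' for
    the initial alert and 'summary' for the end-of-interval summary.
    """

    def __init__(self, event_count=10, summary_interval=600):
        self.event_count = event_count
        self.summary_interval = summary_interval
        self.hits = defaultdict(int)   # event-counter progress per key
        self.windows = {}              # key -> [expiry_time, suppressed_firings]
        self.alerts = []

    def _flush_expired(self, now):
        # Emit a summary for every interval that has ended by 'now'.
        for key, (expiry, suppressed) in list(self.windows.items()):
            if now >= expiry:
                if suppressed:
                    self.alerts.append((expiry, "summary", key, suppressed))
                del self.windows[key]

    def hit(self, t, attacker, victim):
        key = (attacker, victim)          # Event Count Key / Summary Key
        self._flush_expired(t)
        self.hits[key] += 1
        if self.hits[key] < self.event_count:
            return                        # counter not yet satisfied
        self.hits[key] = 0                # assumption: counter resets on firing
        if key in self.windows:
            self.windows[key][1] += 1     # summarized, no alert yet
        else:
            self.alerts.append((t, "alert", key, 1))
            self.windows[key] = [t + self.summary_interval, 0]

    def finish(self, now):
        self._flush_expired(now)
        return self.alerts


def simulate(events, event_count=10, summary_interval=600, end_time=None):
    """Run the model over a sorted event list and return the alerts."""
    s = Summarizer(event_count, summary_interval)
    for t, attacker, victim in events:
        s.hit(t, attacker, victim)
    if end_time is None:
        end_time = events[-1][0] + summary_interval
    return s.finish(end_time)


if __name__ == "__main__":
    for t, kind, key, count in simulate(make_sample_events()):
        print(f"t={t:5d}s {kind:8s} {key[0]} -> {key[1]} count={count}")
```

With the sustained attacker, the model yields an initial alert at t=9 (the tenth failed login), then a summary alert at t=609 reporting 59 suppressed firings, immediately followed by the next initial alert, and so on every 600 seconds. The burst attacker trips the counter once (at t=109) and never accumulates a summary, so its window closes silently.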
07-14-2006 04:55 AM
yes.