06-12-2006 04:41 AM - edited 03-10-2019 03:03 AM
Is there a trick to getting the signature 3050 "half open syn flood" to produce an alert?
The Cisco Intrusion Prevention System is on version 5.1(1p1) S229.0.
We have tuned the signature to alert at 2048 half open connections.
syn-flood-max-embryonic: 2048 (default: 5000)
A "show statistics virtual-sensor" shows that
TCP streams currently in the embryonic state = 2871
but still no alert appears on the console.
The signature uses the normalizer engine and the event-action is set to "produce-alert".
Any help regarding this would be appreciated.
06-12-2006 06:45 AM
What type of sensor are you using?
On the ASA-SSM-10 and ASA-SSM-20, the normalizer signatures will not be triggered (including the Syn Flood signature).
The ASA-SSMs rely on the TCP Normalization features of the ASA itself to monitor for TCP anomalies, including SYN Floods.
For other sensors realize that the SYN Flood signature is tracked on a per server and per port basis. So with a 2048 setting there must be 2048 embryonic connections to a specific port on a specific server IP.
The 2871 number you are seeing in the statistic is for ALL embryonic connections to ALL ports on ALL server IPs. If this is a deployed sensor it is unlikely that all 2871 embryonic connections from the statistics are to the same server IP/port.
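The distinction drawn above (an aggregate embryonic counter versus a threshold tracked per server IP and port) is easy to get wrong when tuning, so here is an added illustration that is not part of the thread or of Cisco's code. It builds a constructed set of half-open flows whose total is 2871, the same figure as the statistic quoted in the question, spread across several targets, and then applies the per-target threshold the way the answer describes. The flow layout, IP addresses and the "strictly greater than the threshold" comparison are assumptions made for the example, not sensor output or documented sensor behaviour.

```python
from collections import Counter


def build_sample_flows():
    """Constructed half-open (embryonic) TCP flows as (client_ip, server_ip, server_port).

    The counts are invented so that the aggregate equals 2871, matching the
    thread's statistic, while no single server/port pair reaches 2048.
    """
    flows = []
    # 1500 half-open connections to a web server on port 80
    flows += [("10.0.0.%d" % (i % 250 + 1), "192.0.2.10", 80) for i in range(1500)]
    # 900 half-open connections to a mail server on port 25
    flows += [("10.0.1.%d" % (i % 250 + 1), "192.0.2.20", 25) for i in range(900)]
    # 471 half-open connections scattered over 50 high ports on the web server
    flows += [("10.0.2.%d" % (i % 250 + 1), "192.0.2.10", 8000 + (i % 50)) for i in range(471)]
    return flows


def embryonic_total(flows):
    """What 'show statistics virtual-sensor' style counters report: every half-open flow, any target."""
    return len(flows)


def embryonic_per_target(flows):
    """Half-open flow count keyed by (server_ip, server_port), the granularity the signature tracks."""
    return Counter((dst, port) for _, dst, port in flows)


def syn_flood_alerts(flows, max_embryonic):
    """Return the (server_ip, port) pairs whose half-open count exceeds max_embryonic.

    Assumption for this example: an alert fires when a single target's count is
    strictly greater than the configured threshold.
    """
    per_target = embryonic_per_target(flows)
    return sorted(target for target, n in per_target.items() if n > max_embryonic)


if __name__ == "__main__":
    flows = build_sample_flows()
    print("aggregate embryonic:", embryonic_total(flows))
    print("busiest targets:", embryonic_per_target(flows).most_common(2))
    print("alerts at 2048:", syn_flood_alerts(flows, 2048))
    print("alerts at 1000:", syn_flood_alerts(flows, 1000))
```

With the constructed flows the aggregate is 2871, above the 2048 setting, yet the busiest single target (192.0.2.10:80) only holds 1500 half-open connections, so a per-target threshold of 2048 yields no alert; lowering it to 1000 makes that one target fire. That is the gap between the statistics counter and the signature's view that the answer points at.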
06-12-2006 08:14 AM
Hi Marco
Thanks for your reply. The problem occurs on a 4250-SX model sensor. I have also noticed that when I set the flood signatures to a rate of 0 in order to get the threshold correct, no alerts are produced and consequently no events are received at the CiscoWorks console.