Hello learnsec_0,
Here is an explanation of the deny-attacker-percentage/Deny Percentage attribute:
"The purpose of Deny Percentage is to filter a percentage of the sig actions.
The Deny Percentage subtracts a portion of the Deny Attacker, Deny Attacker Victim Pair, and Deny Attacker Service Pair Actions. (NOTE: Only set the Deny Percentage in the filter, do NOT select the action within the filter. Selecting the action will subtract the entire action.) When the action is added it will deny 100% of the packets. You can use the filter to lower this percentage below 100% (i.e. subtract a portion of the Deny Attacker action). If you match multiple filters (as described above) then the lowest percentage will be used. So if you match filters at 80%, 60%, and 70%, then the lowest 60% will be used. Only 60% of the packets will be dropped (40% allowed).
HOWEVER, this works primarily just for ICMP and UDP. You can't Deny a percentage of TCP. So 100% of TCP will always be denied. This leads to weird results with you do something like set Deny Percentage to 50% and the sig has a Deny Attacker action set. If 80% of the packets are TCP and 20% are ICMP or UDP. Then 100% of the TCP will be denied, and almost ALL of the ICMP and UDP will be allowed through. The requested Deny Percentage will be 50% but the actual will be around 80%."
I agree, this is confusing in its current implementation. I'll speak with the BU about how we can improve this feature and follow up in this thread.
Thank you,
Blayne Dreier
Cisco TAC Escalation Team
**Please check out our Podcasts**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast
TAC IPS Media Series:
