The Signature "Net Flood" don't work.

AndreyNevostruev · ‎05-06-2014

Hi!

I want to tune IPS module (SSP) in ASA-5545-X for work with the signature 6920/0 (Net flood TCP), 6910/0 (Net Flood UDP) and 6901 (Net Flood ICMP ..).

My settings:

signatures 6901 0
status
enabled true
retired false
exit
exit
signatures 6902 0
status
enabled true
retired false
exit
exit
signatures 6903 0
status
enabled true
retired false
exit
exit
signatures 6910 0
status
enabled true
retired false
exit
exit
signatures 6920 0
engine flood-net
event-action produce-alert|produce-verbose-alert
exit
status
enabled true
retired false
exit

The parameter "rate" in signatures is default, but I don't see an alert. The alert must be sent every 30 second with "Rate" = 0.

Thanks!

AndreyNevostruev · ‎05-06-2014

P.S. I use promiscuous mode and I sure my IPS to work, because a other signature are work correctly.

AndreyNevostruev · ‎05-07-2014

I had rebooted the module and signatures worked.