4.1 Sensor - Sig 2100 IDSMC DoS

darrenb15
Level 1

Any idea why IDSMC would show 2100 disabled for a 4.1 Sensor, but the alerts are still being generated? We've got the Welchia worm and it's killing my database.

1 Reply

marcabal
Cisco Employee

It may be possible that the configuration modification made in the IDSMC was not pushed to the sensor, or the push of the configuration to the sensor has failed.

If you are still receiving 2100 alarms from the sensor then ssh to the sensor and type the following commands:

configure terminal
service virtual-sensor-configuration virtualSensor
tune-micro-engines
sweep.host.icmp
signatures SIGID 2100
show settings

Look at the setting for the Enabled parameter:

Enabled: True

If it is set to True then the configuration change to Disable the signature did not get properly pushed to the sensor.

If it is set to False then the configuration change to Disable the signature did get pushed to the sensor. If Enabled is set to False, but the sensor continues to generate 2100 alarms then contact the TAC.

NOTE: If instead of Disabling the signature you meant that the signature was Filtered through IDS MC, then it could be that the generated alarms are not being properly matched by the created filter.

This often happens when enough of the alarms are firing to cause the alarm to go into Global Summary Mode where the IP Addresses are being replaced with 0.0.0.0 and will not match the filters you had created. In these scenarios it is best to Disable the signature, or configure the signature with the highest possible ChokeThreshold to prevent it from going into Global Summary mode.

I would need to see the actual alarms being created and the output from the following commands on the sensor to determine what is happening:

configure terminal
service alarm-channel-configuration virtualAlarm
tune-alarm-channel
show settings
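The decision tree in the reply above (Enabled still True means the push failed; Enabled False with alarms still arriving means TAC; filtered signatures that fall into Global Summary Mode carry 0.0.0.0 and slip past address-based filters) as an added Python example that is not part of the original thread. The layout of the "show settings" excerpt and the alarm records are constructed for the example; the real 4.1 sensor output format is an assumption here.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of "show settings" for SIGID 2100. The layout is an
# assumption for this example, not verbatim sensor output from the thread.
SAMPLE_SHOW_SETTINGS = """\
signatures (min: 0, max: 5000, current: 1)
   SIGID: 2100
      Enabled: True
      ChokeThreshold: 100
"""

# Constructed alarm records: (signature id, source ip, destination ip).
# The first record imitates Global Summary Mode, where addresses become 0.0.0.0.
SAMPLE_ALARMS: List[Tuple[int, str, str]] = [
    (2100, "0.0.0.0", "0.0.0.0"),
    (2100, "10.1.2.3", "10.9.9.9"),
]


def parse_signature_settings(text: str, sigid: int) -> Dict[str, str]:
    """Collect the 'Key: Value' lines that follow the 'SIGID: <n>' header."""
    settings: Dict[str, str] = {}
    inside = False
    for line in text.splitlines():
        header = re.match(r"\s*SIGID:\s*(\d+)", line)
        if header:
            inside = int(header.group(1)) == sigid
            continue
        if inside:
            kv = re.match(r"\s*(\w+):\s*(.+?)\s*$", line)
            if kv:
                settings[kv.group(1)] = kv.group(2)
    return settings


def diagnose(settings_text: str, alarms, intent: str, sigid: int = 2100) -> str:
    """Apply the reply's decision tree; intent is 'disable' or 'filter'."""
    enabled = parse_signature_settings(settings_text, sigid).get("Enabled", "")
    sig_alarms = [a for a in alarms if a[0] == sigid]
    if not sig_alarms:
        return "quiet"
    if intent == "disable":
        # Still enabled on the box: the IDS MC change never reached the sensor.
        return "push-failed" if enabled.lower() == "true" else "escalate-to-tac"
    # Filter case: summary-mode alarms carry 0.0.0.0 and cannot match an address filter.
    if any(src == "0.0.0.0" or dst == "0.0.0.0" for _, src, dst in sig_alarms):
        return "filter-bypassed-by-summary-mode"
    return "filter-not-matching"
```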