I'm looking for some guidelines for the flood signatures
ICMP Flood
UDP Flood
Net Flood ICMP Request
Net Flood ICMP Reply
Net Flood ICMP Any
Net Flood UDP
I have used the "diagnostic" mode to determine values for these signatures, but I am really not sure if the values that I have chosen are not maybe too high. I wonder if anyone would be able to share some information/guidelines on values they consider to be normal in a network, say for instance min/max values for small, medium and large networks.
What maximum levels should be considered as totally abnormal for each of these events?
Do people choose to filter certain hosts for these alarms, like for instance network management stations, DNS servers, etc., after averages have been determined?
Should a rule of thumb be to never filter sources or destinations for these events?
Any ideas would be greatly appreciated.