Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
252
Views
5
Helpful
1
Replies

IDS Filtering Nachi Alarms

fregon
Level 1
Level 1

‎11-06-2003 03:44 PM - edited ‎03-10-2019 01:28 PM

Hi,

We just deployed IDS-sig-3.1-4-S58.bin on our sensor and everything works ok.. too well I will say. We are getting flooded with Nachi Alarms, approx 10k a day. Is there a way to filter the alarms so we do not get reported on them as much or at all? We currently have CSPM 2.3.3i. There is a filtering tab in CSPM under the sensor policy, but modifying or excluding the signature 2156 has not changed the amount of notifications we receive.

Thank you!

Labels:
0 Helpful
1 Reply 1

bfl1
Level 1
Level 1

‎11-06-2003 07:41 PM

You have a couple options available to you. If you go into signature configuration, you can configure how the signature is reported - by altering the alarmthrottle. The alarmthrottle limits the number of alarms sent to the IDS management device.

You have available under AlarmThrottle:

FireAll - Send all alarms when the signature conditions are met.

FireOnce - Send the first alarm when the conditions are met. Then, do not send any more alarms from the same SOURCE and DESTINATION address COMBINATION.

Summarize - Send only one alarm per "throttleinterval" per address combination"

GlobalSummarize - Similar to summarize parameter but expands to all address combinations instead of one. For example, once an alarm is sent the sensor counts the subsequent alarms per the throttleinterval for all address combinations being monitored. This will reduce the number of alarms triggered during flood attacks.

hope this helps

Customers Also Viewed These Support Documents