About npham

npham · 10-24-2006

Looking to shed some light into the behavior of the Flood Engine.According to Cisco documentation:The Flood engine defines signatures that watch for any host or network sending multiple packets to a single host or network. For example, you can create...

npham · 07-07-2006

For v4.x sensors, support for Attacker/Victim Loc is defined through setting address ranges in IPS MC > Conf > Settings > Internal Networks (IDS 4.x)After upgrading a 4.x sensor to 5.x, the internal networks (stored in $IN) now show up in Event Varib...

npham · 01-18-2006

CSA 4.5.1 only lists Sol 8; 5.0 lists up to Sol 9.Is there an expected ETA for support on Solaris 10 or would one of the current CSA versions be okay to use?

npham · 06-08-2004

Anyone try and modify sig 3002's parameter ResetAfterIdle and notice that no matter what high value you give it, the sig does not fire with a SYN port scan delaying for more than 66 seconds?The default value for sig 3002,ResetAfterIdle = 20Unique = 5...

npham · 05-20-2004

Sig # 2001 fires when there are ICMP type 3 packets. This message type is more correctly described as Destination Unreachable (refer to IANA).The signature triggers on all type 3 messages, but to be accurate to the NSDB description, it should only t...

npham · 11-24-2006

Sorry if this sounds blunt or callous, but perhaps a bit more career development in the information security field is in order. If time is short, I suggest engaging a consultant or consulting firm which specializes in the infosec field to assist yo...

npham · 11-08-2006

From this understanding that retired signatures are not active in the sensors memory, what is the state of a signature that is retired but enabled?

npham · 11-01-2006

Thank you for looking into the matter. IMHO, event summarization for flood signatures is more desirable then outright filters. And as indicated in other sig tuning threads, filters are not a good option if event summarization is happening.Perhaps l...

npham · 09-14-2006

What version are you running, 4.x or 5.x codebase?I openned a case with Cisco long ago to get an answer on what this error message really means, and did not get a straight answer. The condition seems to come about when the sensor is unable to keep u...

npham · 08-17-2006

You will need the Recovery/Upgrade CD that came with your sensor. Most likely it will be a 4.1 disk. Stick the disk in, and power cycle the sensor. Follow the onscreen prompts. To go onto 5.1, download the following from CCO and follow the direct...

Member Since	‎05-18-2004 10:05 AM
Date Last Visited	‎08-18-2017 03:51 AM
Posts	44
Total Helpful Votes Received	14

User Statistics

User Activity

tuning Flood Engine sigs

no ability to define Attacker/Victim Loc in IPS v5.x?

CSA on Solaris 10?

Sig# 3002 TCP SYN Port Sweep for slow scan detection

inaccurate NSDB desc for sig #2001 ICMP Host Unreachable

Re: IPS support SSL encrypted threat protection

Re: disabled vs. retired sig

Re: tuning Flood Engine sigs

Re: IDSM-2: "out of superblocks" error after crash

Re: Reimaging a sensor?