Looking to shed some light on the behavior of the Flood Engine. According to Cisco documentation: The Flood engine defines signatures that watch for any host or network sending multiple packets to a single host or network. For example, you can create...
For v4.x sensors, support for Attacker/Victim Loc is defined through setting address ranges in IPS MC > Conf > Settings > Internal Networks (IDS 4.x). After upgrading a 4.x sensor to 5.x, the internal networks (stored in $IN) now show up in Event Varib...
CSA 4.5.1 only lists Sol 8; 5.0 lists up to Sol 9. Is there an expected ETA for support on Solaris 10, or would one of the current CSA versions be okay to use?
Has anyone tried to modify sig 3002's ResetAfterIdle parameter and noticed that, no matter how high a value you give it, the sig does not fire with a SYN port scan that delays for more than 66 seconds? The default values for sig 3002: ResetAfterIdle = 20, Unique = 5...
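The two posts above (the Flood engine description and the sig 3002 ResetAfterIdle question) both come down to the same mechanism: a per attacker/victim pair counter that fires at a threshold and is discarded after the pair has been idle for ResetAfterIdle seconds. The following is an added, stand-alone model of that mechanism, not code from either poster and not Cisco's engine. It assumes the documented meaning of the parameters (Unique = distinct destination ports before a sweep fires, ResetAfterIdle = idle seconds before counters reset, and a flood rate expressed in packets per second) and uses constructed probe records.

```python
"""Model of IPS-style Sweep and Flood counters with ResetAfterIdle semantics.

Added illustration only: the parameter meanings are assumptions taken from the
documented descriptions, and every packet record below is constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class SweepState:
    last_seen: float
    ports: set = field(default_factory=set)


class SweepDetector:
    """Sweep-engine analogue: one attacker touching `unique` distinct ports on
    one victim fires an alert; counters for a pair are dropped once the pair has
    been idle for more than `reset_after_idle` seconds."""

    def __init__(self, unique=5, reset_after_idle=20.0):
        self.unique = unique
        self.reset_after_idle = reset_after_idle
        self.state = {}    # (src, dst) -> SweepState
        self.alerts = []

    def observe(self, ts, src, dst, dport):
        key = (src, dst)
        st = self.state.get(key)
        if st is not None and ts - st.last_seen > self.reset_after_idle:
            st = None      # idle longer than ResetAfterIdle: start counting over
        if st is None:
            st = SweepState(last_seen=ts)
            self.state[key] = st
        st.last_seen = ts
        st.ports.add(dport)
        if len(st.ports) >= self.unique:
            self.alerts.append((ts, src, dst, sorted(st.ports)))
            del self.state[key]    # fire once per sweep, then reset the pair
            return True
        return False


class FloodDetector:
    """Flood-engine analogue (assumed semantics): fire when one source sends more
    than `rate` packets to one destination inside a single one-second interval."""

    def __init__(self, rate=100):
        self.rate = rate
        self.counts = {}   # (src, dst, whole second) -> packets seen in that second
        self.alerts = []

    def observe(self, ts, src, dst):
        key = (src, dst, int(ts))
        self.counts[key] = self.counts.get(key, 0) + 1
        if self.counts[key] == self.rate + 1:   # fire once per one-second bucket
            self.alerts.append((int(ts), src, dst))
            return True
        return False


def run_scan(gap_seconds, unique=5, reset_after_idle=20.0, n_ports=10):
    """Constructed SYN probes from 10.0.0.5 to 10.0.0.9, one new port every
    `gap_seconds`. Returns the number of sweep alerts raised."""
    det = SweepDetector(unique=unique, reset_after_idle=reset_after_idle)
    for i in range(n_ports):
        det.observe(i * gap_seconds, "10.0.0.5", "10.0.0.9", 1000 + i)
    return len(det.alerts)


def run_flood(pps, rate=100, seconds=2):
    """Constructed stream of `pps` packets per second for `seconds` seconds from
    10.0.0.5 to 10.0.0.9. Returns the number of flood alerts raised."""
    det = FloodDetector(rate=rate)
    for s in range(seconds):
        for i in range(pps):
            det.observe(s + i / pps, "10.0.0.5", "10.0.0.9")
    return len(det.alerts)


if __name__ == "__main__":
    print("sweep, 10s between probes:", run_scan(10.0))
    print("sweep, 30s between probes:", run_scan(30.0))
    print("sweep, 30s gap, ResetAfterIdle=60:", run_scan(30.0, reset_after_idle=60.0))
    print("flood, 150 pps vs rate 100:", run_flood(150))
    print("flood, 50 pps vs rate 100:", run_flood(50))
```

The point the model makes visible is that a scan whose inter-probe gap exceeds ResetAfterIdle never accumulates enough unique ports to reach the Unique threshold, so raising ResetAfterIdle above the gap is what lets the slow scan fire; if a real sensor still does not fire after that change, the cause lies somewhere other than these two parameters.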
Sig # 2001 fires when there are ICMP type 3 packets. This message type is more correctly described as Destination Unreachable (refer to IANA). The signature triggers on all type 3 messages, but to be accurate to the NSDB description, it should only t...
Sorry if this sounds blunt or callous, but perhaps a bit more career development in the information security field is in order. If time is short, I suggest engaging a consultant or consulting firm which specializes in the infosec field to assist yo...
Thank you for looking into the matter. IMHO, event summarization for flood signatures is more desirable than outright filters. And as indicated in other sig tuning threads, filters are not a good option if event summarization is happening. Perhaps l...
What version are you running, 4.x or 5.x codebase? I opened a case with Cisco long ago to get an answer on what this error message really means, and did not get a straight answer. The condition seems to come about when the sensor is unable to keep u...
You will need the Recovery/Upgrade CD that came with your sensor. Most likely it will be a 4.1 disk. Stick the disk in and power cycle the sensor. Follow the onscreen prompts. To go on to 5.1, download the following from CCO and follow the direct...