What is the recommended way to deal with DOS threshold alerts?
We have sensors on an a few gig links to some DMZ zones. We've done the whole "put sensor into learning mode to learn profile of network traffic", but even then, the default value of thresholds doesn't change..
For exmaple, there is an attack called "Outbound Link Utilization (Bytes/Sec) Too High"..the threshold is 75 bytes/sec for 5 seconds...and we blast that threshold away....
Is ti recocommended to adjust that threshold? If so, what should be the proper setting? What do other folks do with those DOS threshold attacks...do you just disable and ignore them?