Showing results for 
Search instead for 
Did you mean: 
Level 7

IPS Sensor Denial of Service Relearns


I'm looking for some input on when the best times to perform an IPS sensor DoS relearn are.  The product guides mention only when network changes occur.  Are their other scenarios, like hardware upgrades, or IPS firmware upgrades that might be cause to perform this? 

0 Kudos
1 Reply
Level 11

Re: IPS Sensor Denial of Service Relearns

If by "Hardware Upgrade" you mean the IDS hardware, then the sensor and manager will capture a baseline for the first 48 hours.

If you mean't just general Infrastructure hardware, it depends on the depth of the changes...did you upgrade the switches/routers to handle more traffic and expect to see more traffic over the new segments? Did you add new end points that would produce more traffic? Did you recently expose a new server to the web that might generate more traffic etc...

If yes to any of those I would put the sensor back into learning mode, just realize that for those 48 hours you will not see DoS of DDoS alerts as the baseline is created.

IPS firmware will not require a relearn, the manager profile will contain the existing baseline. If you wanted to re-run the learning mode between major firmware changes i.e 8.1 -> 8.2 or 8.3 -> 9.1 then that would be another way to keep the data fresh.

It all boils down to what your company wants to do as a measure to keep the DoS profiles fresh.

DoS Prevention KB

McAfee Corporate KB - Network Security Platform Application Note: DoS Prevention Techniques PD22959

Best Practices KB - Search for DoS

McAfee Corporate KB - Network Security Platform 8.3 Best Practices Guide - Rev H PD26350

I hope this helps.


Matthew Jesmer

Former Senior Support Engineer NSP Platinum

0 Kudos