I am auditing the IPS alerts about Volume DoS. I have not found the McAfee document which explains the packet types McAfee defined. So I have some questions, please explain:
1. What are the packet types McAfee defined?
2. The packet type named "Link_Discarded" (example: IN_LINK_DISCARDED_PKT_CNT). What is that?
3. In what case does the sensor not see the Src and Dst IPs in a Volume DoS event?
Have you looked at the NSP DoS Prevention Techniques guide?
For point 3 this is probably just Alert Throttling; look at these KB articles, which explain how it works.
Understanding Network Security Platform alert suppression (throttling) and implementation
How to list source and destination IP for alerts suppressed by alert throttling
Hope this helps
Point 3 is cleared. However, I still can't find the answers for points 1 and 2 in that document. If possible, could you tell me about these anomalies in the above photo?
I didn't realize this was an issue with an NTBA appliance; I'm not very familiar with them.
If you can't find any details in the NTBA documentation it's probably best to call support and ask them to explain it.