1 Reply Latest reply on Nov 30, 2011 3:45 PM by SGROSSEN

    DOS and Network threshold....still blocking traffic even in IDS mode?

    ottawa_tech_31

      We've stumbled onto something REALLY weird...


      We have a bunch of 4010 sensors, with fail-open kits, so all ports are inline.


      We have the IDS policy on those sensors, so it shouldn't be blocking anything at all..


      However, we appear to be experiencing something different.


      When the kits/ports are ON, this app has issues, turn them off and the app works fine....deploy the NULL policy, and the app works fine...


      We look at some thresholds (like UDP packets/sec) and it's set super low (it's a gig link and the threshold is 75 packets/second)...


      The default attack settings for some DOS and threshold seem to be NOT to send alerts to the manager...


      Anyone else seen this?


      Thanks

        • 1. Re: DOS and Network threshold....still blocking traffic even in IDS mode?
          SGROSSEN

          Couple thoughts

          1.)  Make sure you don't have auto acknowledge set for DOS alerts.  In your applied Policy, check the alert setting > Notifications > Auto Ack.

          This setting will move the alert straight to the Historical Threat Analyzer and it will seem as if it never got sent to NSM (unless you open Historical RTA).


          2.) Same goes for Global Auto Ack... in NSM > Manager > Misc > Global Ack (by threshold level)


          You can also check "show inlinepacketdropstats" from sensor CLI.   If the sensor is dropping packets in error, these counters will rise when checking these during the issue.  The problem may be outside the scope of normal operation in which case I'd open up a case with Support.


          Message was edited by: SGROSSEN on 11/30/11 3:45:11 PM CST
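The "compare the counters during the issue" step from the reply above, as an added example that is not from the thread or from the vendor: it takes two snapshots of inline drop counters (taken before and during the application problem) and reports only the counters that rose between them. The `Port ... CounterName : value` layout of the sample snapshots is an assumption; the real `show inlinepacketdropstats` output is not shown on this page, so adjust the regex to the format your sensor prints.

```python
"""Diff two snapshots of sensor inline drop counters and flag the ones that rose."""
import re
from typing import Dict

# Constructed sample snapshots. The column layout is an assumption, not the
# actual output of `show inlinepacketdropstats`.
BEFORE = """\
Port 1A-1B  RxDropped      : 120
Port 1A-1B  OverflowDrops  : 0
Port 2A-2B  RxDropped      : 15
Port 2A-2B  OverflowDrops  : 3
"""
DURING_ISSUE = """\
Port 1A-1B  RxDropped      : 980
Port 1A-1B  OverflowDrops  : 0
Port 2A-2B  RxDropped      : 15
Port 2A-2B  OverflowDrops  : 41
"""

# One counter per line: "<port pair>  <counter name> : <integer>"
LINE_RE = re.compile(r"^(Port\s+\S+)\s+(\S+)\s*:\s*(\d+)\s*$")


def parse_counters(text: str) -> Dict[str, int]:
    """Map 'Port X/CounterName' -> value; lines that do not match are ignored."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            counters[f"{m.group(1)}/{m.group(2)}"] = int(m.group(3))
    return counters


def rising_counters(before: str, after: str) -> Dict[str, int]:
    """Return the delta for every counter that increased between the snapshots.

    A counter that is flat (or missing from the first snapshot and zero in the
    second) is not reported, so the output is only what changed while the
    application was misbehaving.
    """
    b, a = parse_counters(before), parse_counters(after)
    return {name: a[name] - b.get(name, 0) for name in a if a[name] - b.get(name, 0) > 0}


if __name__ == "__main__":
    for name, delta in rising_counters(BEFORE, DURING_ISSUE).items():
        print(f"{name} rose by {delta} during the issue window")
```

If the deltas are all zero while the application is failing, the sensor is not discarding the packets at the inline ports and the cause is more likely the policy settings (thresholds, auto-ack) than a hardware drop.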