Would like to know how I should start my investigation if the IPS triggered lots of these alerts, "Inbound/Outbound Non-TCP-UDP-ICMP Volume too high", as there is no source/dest IP provided.
What is the "Non-TCP-UDP-ICMP" traffic likely to be?
As described in the attack description:
Packets involved in this attack may include IPSec and malformed IP packets (IP with bad checksums, inconsistent length, etc.). An attacker may be attempting to cause denial of service by sending a large volume of such packets in a short period of time.
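Since the alert itself carries no addresses, the practical first step is to pull a capture from the sensor's monitored segment and bucket it the same way the signature does: everything that is not TCP, UDP or ICMP, plus IP headers that are malformed. The following is an added example written for this thread, not code from the original posts or from the IPS vendor. It parses raw IPv4 packets with the standard library only, flags bad header checksums and a declared total length that exceeds the bytes actually present, and tallies the "other" bucket by source, destination and protocol so the investigation has addresses to start from. The sample packets are constructed inline (the addresses are documentation ranges, not real hosts); `triage`, `inspect` and `build_ipv4` are helper names chosen here.

```python
"""Triage helper for "Non-TCP-UDP-ICMP Volume too high" style alerts.

Classifies raw IPv4 packets as TCP/UDP/ICMP versus everything else
(IPsec ESP/AH, GRE, malformed IP, ...), checks the IPv4 header for the
malformations named in the signature text, and counts the "other"
bucket per (src, dst, protocol). Stdlib only; sample data is constructed.
"""
import ipaddress
import struct
from collections import Counter

ICMP, TCP, UDP, ESP, AH = 1, 6, 17, 50, 51
PROTO_NAMES = {ICMP: "icmp", TCP: "tcp", UDP: "udp", ESP: "esp", AH: "ah"}
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the header, checksum field zeroed."""
    h = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(h) // 2), h))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload=b"", bad_checksum=False, total_len=None):
    """Construct a minimal IPv4 packet (test data, not a real capture)."""
    length = 20 + len(payload) if total_len is None else total_len
    hdr = struct.pack(IPV4_HDR, 0x45, 0, length, 0x1234, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr)
    if bad_checksum:
        csum ^= 0xFFFF  # flipping every bit guarantees a mismatch
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def inspect(packet: bytes) -> dict:
    """Parse one IPv4 packet: protocol, addresses, and a list of malformations."""
    problems = []
    if len(packet) < 20:
        return {"proto": None, "src": None, "dst": None, "problems": ["truncated header"]}
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, csum, src, dst = struct.unpack(
        IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        problems.append("not ipv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        problems.append("bad ihl")
        ihl = 20
    if ipv4_checksum(packet[:ihl]) != csum:
        problems.append("bad checksum")
    # Declared length longer than the bytes on the wire is always inconsistent.
    # (Shorter can be legitimate Ethernet padding on small frames, so it is not flagged.)
    if total_len < ihl or total_len > len(packet):
        problems.append("length mismatch (header says %d, got %d)" % (total_len, len(packet)))
    return {"proto": proto, "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)), "problems": problems}


def triage(packets) -> dict:
    """Bucket packets the way the signature does.

    'known'     : clean TCP/UDP/ICMP counts (not part of the alert)
    'other'     : non-TCP/UDP/ICMP or malformed, keyed by (src, dst, proto name)
    'malformed' : (src, dst, first problem) for the malformed subset
    """
    known, other, malformed = Counter(), Counter(), Counter()
    for pkt in packets:
        info = inspect(pkt)
        if info["problems"]:
            malformed[(info["src"], info["dst"], info["problems"][0])] += 1
        if info["proto"] in (TCP, UDP, ICMP) and not info["problems"]:
            known[PROTO_NAMES[info["proto"]]] += 1
        else:
            name = PROTO_NAMES.get(info["proto"], "proto-%s" % info["proto"])
            other[(info["src"], info["dst"], name)] += 1
    return {"known": known, "other": other, "malformed": malformed}


# Constructed sample: a little normal traffic, an IPsec burst, and malformed IP.
SAMPLE = (
    [build_ipv4("10.0.0.5", "192.0.2.10", TCP, b"\x00" * 20),
     build_ipv4("10.0.0.5", "192.0.2.10", UDP, b"\x00" * 8),
     build_ipv4("10.0.0.7", "192.0.2.10", ICMP, b"\x08\x00" + b"\x00" * 6)]
    + [build_ipv4("203.0.113.9", "192.0.2.1", ESP, b"\x00" * 32)] * 5
    + [build_ipv4("203.0.113.9", "192.0.2.1", AH, b"\x00" * 24)] * 2
    + [build_ipv4("198.51.100.4", "192.0.2.10", TCP, b"\x00" * 20, bad_checksum=True)] * 3
    + [build_ipv4("198.51.100.4", "192.0.2.10", UDP, b"\x00" * 8, total_len=200)]
)

if __name__ == "__main__":
    result = triage(SAMPLE)
    for key, count in result["other"].most_common():
        print("%-16s -> %-16s %-6s %d" % (key[0], key[1], key[2], count))
```

On a real capture taken from the sensor's span or tap, the same bucket can be pulled with a BPF filter such as `tcpdump -nn -r capture.pcap 'ip and not tcp and not udp and not icmp'`; whichever talker dominates that output is where to start, and a legitimate IPsec gateway showing up there is the usual benign explanation.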
Technically it is a statistical anomaly. We block such "attacks" on our external lines.
I think a relearn would be more appropriate.
Same issue, but we did make a network change and now I need the steps to "relearn" or reset the baseline.
Select <Admin Domain Name> / IPS Settings / Sensor_Name | Advanced Scanning | DoS Data Management to view the DoS Data Management page.
Select Rebuild the DoS Profiles (start the learning process from scratch).
There was a bug in the sensor software where you don't see src or dest and have those alerts. I would bet this was the issue.