Is there a place to adjust the threshold of what constitutes an Inbound UDP Packet volume attack? I want to see these but we have 1Gig SIP trunks with a large amount of traffic where valid non-attack calls UDP (RTP) are being deemed as an Attack which in reality they are not an attack - they are good calls. I would like to bump the threshold up to normalize our environment.
I found can change in in "Thershold Mode" under Policy - Advanced - Default IPS Attack Settings
I don't think this is going to solve my problem because it appears the alerts I get in email and on dashboard are from Learning Mode which you can't change?
You could recreate the recon profile...