First question to ask is whether they brought up any new systems/services that could be causing this. If yes, the DoS profile for the interface should be set to learning mode (even in detection mode the sensor still learns, but if the change is so dramatic that it triggers the alerts, maybe set it to learning mode during the busier periods).
Second, what type of traffic do they have? Does it vary with seasons, i.e. more traffic over weekends or Xmas or football games? If so, lower the DoS sensitivity on the policy to low. Again, maybe learning mode over busier periods in combination with a lower sensitivity may help.
You could also disable the DoS Anomaly alerts for their policy, but looking at traffic patterns (when does the alert trigger, and possible causes) should help you tune sensitivity or set sensor into learning mode if required.
The DoS alerts generated should show you the top 3 IP sources/destinations and the packet rate anomaly, so that should help you understand what the src/dst IPs are.
On the sensor's CLI, 'show dospreventionprofile' will also provide valuable information - check the CLI guide for details on how to read the output.
And finally.. not sure about trusting the customer on the 'it is normal traffic'. If they can explain why they say it is normal... it's a good start and should help you tune the devices... but if they say 'it is just normal'.. well....