From: jim terry (jtixthusexcite.com)
Date: Mon Dec 24 2001 - 00:58:19 CST


    Hi all,

    I would like to ask a few more questions. The first is about the ability to
    enhance embedded signatures in sensor v3.0. Why do I want to do this in the
    SigWizMenu as opposed to the Signatures section in CSPM?

    The next one is that I turned on signature 6910 (NetFlood UDP) in CSPM. This
    caused hundreds of false positives and the NDSB said:

         This signature is disabled by default. In order to properly utilize
    this signature, it must be put into "diagnostic" mode. This is done by
    enabling the signature, setting the "Rate" parameter to zero, and letting
    the sensor operate for a period of time. While in "diagnostic" mode, alarms
    will be generated with the current rate of all UDP traffic. Using these
    rates, a threshold should be chosen to indicate when the level of all UDP
    traffic is no longer within the acceptable range for the network being
    monitored. After the threshold is determined, it should be used as the value
    of "Rate" parameter for this signature. Note: This signature should not be
    left in "diagnostic" mode for permanent operation due to the performance
    overhead created by monitoring traffic rates.

    Do I set the rate to zero in the SigWizMenu? Additionally, how do I tell
    what the threshold should be?

    Lots of questions, I know.

    Thanks for your patience.

    JT
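
One way to turn the rates collected in "diagnostic" mode into a candidate "Rate" value, as an added example that is not part of the original post or of the vendor's documentation. It assumes the UDP rates were copied from the diagnostic alarms into a list (the sample values are constructed), and the percentile and headroom factor are assumed tuning choices.

```python
import math

def percentile(samples, pct):
    """Nearest-rank percentile of the collected diagnostic-mode rates."""
    if not samples:
        raise ValueError("no diagnostic samples collected")
    ordered = sorted(samples)
    rank = max(1, math.ceil(pct * len(ordered) / 100))
    return ordered[rank - 1]

def suggest_rate(samples, pct=99.0, headroom=1.5):
    """Candidate "Rate" threshold: a high percentile of normal traffic
    multiplied by a safety margin. pct and headroom are assumptions made
    for this example, not values from the signature description."""
    if headroom < 1.0:
        raise ValueError("headroom below 1.0 would alarm on normal traffic")
    return math.ceil(percentile(samples, pct) * headroom)

def alarms_at(samples, rate):
    """Number of baseline samples that would have exceeded the threshold,
    i.e. how noisy the signature would have been during the baseline."""
    return sum(1 for s in samples if s > rate)

# Constructed sample: UDP rates reported by the signature while "Rate" was 0,
# taken over a period of normal operation. One short burst (400) is included.
BASELINE = [120, 135, 110, 142, 128, 131, 400, 125, 138, 119,
            133, 127, 140, 122, 136, 129, 124, 137, 130, 126]

if __name__ == "__main__":
    for pct in (95.0, 99.0):
        rate = suggest_rate(BASELINE, pct=pct)
        print(f"p{pct:g}: Rate={rate}, "
              f"baseline alarms={alarms_at(BASELINE, rate)}")
```

Comparing the two percentiles shows the trade-off: the lower one still alarms on the single burst seen during the baseline, the higher one treats that burst as acceptable traffic.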
