From: jim terry (jtixthusexcite.com)
Date: Mon Dec 24 2001 - 00:58:19 CST
I would like to ask a few more questions. The first is about the ability to
enhance embedded signatures in sensor v3.0. Why do I want to do this in the
SigWizMenu as opposed to the Signatures section in CSPM?
The next one is I turned on signature 6910 (NetFlood UDP) in CSPM. This
caused hundreds of false positives and the NDSB said:
This signature is disabled by default. In order to properly utilize
this signature, it must be put into "diagnostic" mode. This is done by
enabling the signature, setting the "Rate" parameter to zero, and letting
the sensor operate for a period of time. While in "diagnostic" mode, alarms
will be generated with the current rate of all UDP traffic. Using these
rates, a threshold should be chosen to indicate when the level of all UDP
traffic is no longer within the acceptable range for the network being
monitored. After the threshold is determined, it should be used as the value
of "Rate" parameter for this signature. Note: This signature should not be
left in "diagnostic" mode for permanent operation due to the performance
overhead created by monitoring traffic rates.
Do I set the rate to zero in the SigWizMenu? Additionally, how do I tell
what the threshold should be?
Lots of questions I know.
Thanks for your patience.
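
One way to turn the rates reported in "diagnostic" mode into a value for the "Rate" parameter, shown as an added example that is not part of the original post or of any Cisco tooling. The sample rates are constructed, their units are whatever the sensor reports, and the policy (95th percentile of the baseline times a headroom factor) is an assumption, not vendor guidance.

```python
import math

# Constructed sample: UDP rates taken from diagnostic-mode alarms during a
# baseline period. One burst (900) is included on purpose.
SAMPLE_RATES = [120, 135, 110, 140, 150, 125, 130, 145, 900, 138,
                128, 132, 142, 118, 136, 127, 133, 141, 129, 137]


def percentile(values, pct):
    """Nearest-rank percentile (pct in 1..100) of a non-empty list."""
    if not values:
        raise ValueError("no rate samples collected")
    ordered = sorted(values)
    rank = max(1, math.ceil(pct * len(ordered) / 100))
    return ordered[rank - 1]


def suggest_rate(values, pct=95, headroom=1.5):
    """Assumed policy: pct-th percentile of the baseline times headroom.

    Using a percentile rather than the maximum keeps a single burst in the
    baseline from inflating the threshold.
    """
    return math.ceil(percentile(values, pct) * headroom)


def alarms_at(values, rate):
    """Count baseline samples that would have exceeded a candidate Rate."""
    return sum(1 for v in values if v > rate)


if __name__ == "__main__":
    rate = suggest_rate(SAMPLE_RATES)
    print("baseline p95:", percentile(SAMPLE_RATES, 95))
    print("suggested Rate:", rate)
    print("baseline samples that would alarm:", alarms_at(SAMPLE_RATES, rate))
```

Replaying the baseline against the candidate value shows how many alarms it would have produced before it is set on the sensor.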