Configuring Alert Suppression With Packet Log Response - McAfee M-1250 - Network Security Platform Configuration Manual

IPS Configuration Guide version 5.1
McAfee® Network Security Platform 5.1

Configuring alert suppression with packet log response

The Alerting and Logging action enables you to set a suppression limit for multiple
occurrences of a singular attack for a specific source-destination IP pair that is detected
within a limited time frame, as well as set up packet logging for the attacks—this is known
as Exploit throttling. Exploit throttling limits the number of duplicate alerts that are sent to
Manager from a Sensor. Throttling is very effective against repetitive Exploit attacks where
a source IP address is spoofed and generates a high number of alerts. In addition, the
Sensor saves the alerts and packet logs in first-in first-out (FIFO) buffers in the event it
loses communication with Manager, as well as when a Sensor generates alerts faster than
it can send them to Manager. The Threat Analyzer Details View displays this type of alert as
Exploit with an Alert Count of 2 or higher.

Note: Alert suppression is unavailable for anomaly-based buffer overflow and
shellcode attacks.

In Network Security Platform, an Exploit throttle alert is the grouping of multiple instances
of the same attack (by Attack ID) from a single source to a single destination detected by
the same VIPS (interface or sub-interface — if an interface has been segmented into sub-
interfaces, the interface is no longer the VIPS; the sub-interface is). Thus, the equation is:

AttackID + VIPS + Source IP + Destination IP + Count = Exploit throttle attack

The Maintain [X] unique source-destination IP pairs field determines the number of unique Exploit
throttle instances to maintain at a given time. For example, if you enter the number 10,
then 10 unique Exploit throttle instances can be tracked at a given time. Once 10 is
reached, all other cases are kept in a single "wildcard" instance; thus, other unique
combinations that occur outside of the 10 uniquely maintained instances are maintained as
one instance, and source and destination IP do not appear in the Exploit throttle summary
since multiple addresses may be involved. This is due to Sensor memory limits. A throttle
entry is removed after the time limit (Suppress for [X] seconds) has expired.

The Send first [X] as individual alerts field identifies the minimum number of alerts that must be
detected for a unique suppression instance to be classified as an Exploit throttle attack.
This number means you "accept" a specific number (x) of the same attack. Thus, if you
detect x-1 by the expiration of the interval (Suppress for [X] seconds field), alerts are sent for
each separate occurrence and there is no Exploit throttle. If there are x+1, the first x
attacks are sent as individual alerts and the attacks exceeding this count are throttled into
one alert that summarizes this persistent attack. Sending a few of the throttled alerts as
individual alerts allows you to view details and packet log information for the first few instances
of an attack.

The Suppress for [X] seconds field is the time span in which you accumulate instances of the
same attack. This value acts as a timer; when the timer expires, the current instance is
cleared to make room for a new suppression instance.

In Network Security Platform 5.1.5.x, GRE tunneled traffic is also parsed. However,
only I-4010, I-4000, I-3000 and all M-series Sensors can parse GRE tunneled traffic.
The other Sensors just pass the traffic. See the Upgrade Guide for information on how to
upgrade to Network Security Platform 5.1.5.x.
Only GRE version 0 is supported.
GRE traffic with sequence number options is just forwarded without being parsed.
GRE traffic with routing headers is just forwarded without being parsed.
For Sensors in fail-over mode, you need to enable tunneling on both the member
sensors for GRE tunneled traffic to be parsed.

The IPS Sensor_Name node 176
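The following model of the three suppression fields (Maintain [X] unique source-destination IP pairs, Send first [X] as individual alerts, Suppress for [X] seconds) is an added example, not McAfee code and not taken from this manual. It tracks throttle instances keyed by AttackID + VIPS + Source IP + Destination IP, folds overflow combinations into one wildcard instance, sends the first x occurrences individually, and emits one summary alert per instance whose timer expires with more than x occurrences. The key names, the sample attack IDs and addresses, and the layout of the summary record are all constructed assumptions made for illustration.

```python
"""Illustrative model of Exploit throttling; added example, not McAfee code."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ThrottleKey:
    """AttackID + VIPS + Source IP + Destination IP identifies one throttle instance."""
    attack_id: str
    vips: str
    src_ip: str
    dst_ip: str


@dataclass
class ThrottleInstance:
    first_seen: float                  # suppress timer starts when the instance is created
    count: int = 0                     # occurrences folded into this instance
    key: Optional[ThrottleKey] = None  # None marks the shared "wildcard" instance


class ExploitThrottle:
    def __init__(self, maintain_pairs: int, send_first: int, suppress_seconds: float):
        self.maintain_pairs = maintain_pairs      # Maintain [X] unique source-destination IP pairs
        self.send_first = send_first              # Send first [X] as individual alerts
        self.suppress_seconds = suppress_seconds  # Suppress for [X] seconds
        self.instances: Dict[ThrottleKey, ThrottleInstance] = {}
        self.wildcard: Optional[ThrottleInstance] = None

    def observe(self, key: ThrottleKey, now: float) -> str:
        """Record one occurrence; return 'individual' (sent as-is) or 'throttled'."""
        self.expire(now)
        inst = self.instances.get(key)
        if inst is None:
            if len(self.instances) < self.maintain_pairs:
                inst = ThrottleInstance(first_seen=now, key=key)
                self.instances[key] = inst
            else:
                # Sensor memory limit reached: every further combination shares one wildcard
                if self.wildcard is None:
                    self.wildcard = ThrottleInstance(first_seen=now)
                inst = self.wildcard
        inst.count += 1
        # The first x occurrences go to Manager individually (details and packet log visible);
        # everything beyond x is throttled into the instance's summary alert.
        return "individual" if inst.count <= self.send_first else "throttled"

    def expire(self, now: float) -> List[dict]:
        """Clear instances whose suppress timer has run out, returning their summaries."""
        produced: List[dict] = []
        due = [k for k, v in self.instances.items() if now - v.first_seen >= self.suppress_seconds]
        for key in due:
            produced.extend(self._summarize(self.instances.pop(key)))
        if self.wildcard is not None and now - self.wildcard.first_seen >= self.suppress_seconds:
            produced.extend(self._summarize(self.wildcard))
            self.wildcard = None
        return produced

    def _summarize(self, inst: ThrottleInstance) -> List[dict]:
        if inst.count <= self.send_first:
            return []  # x or fewer occurrences: all were sent individually, no Exploit throttle
        # Summary layout is an assumption; the wildcard instance carries no IP pair because
        # multiple addresses may be involved.
        return [{
            "attack_id": inst.key.attack_id if inst.key else None,
            "vips": inst.key.vips if inst.key else None,
            "src_ip": inst.key.src_ip if inst.key else None,
            "dst_ip": inst.key.dst_ip if inst.key else None,
            "alert_count": inst.count,
            "throttled": inst.count - self.send_first,
        }]


def run_demo():
    """Constructed event stream: maintain 2 pairs, send first 3 individually, suppress 60 s."""
    throttle = ExploitThrottle(maintain_pairs=2, send_first=3, suppress_seconds=60.0)
    a = ThrottleKey("ATTACK-A", "1A-1B", "10.0.0.1", "10.0.0.2")  # constructed values
    b = ThrottleKey("ATTACK-A", "1A-1B", "10.0.0.1", "10.0.0.3")
    c = ThrottleKey("ATTACK-B", "1A-1B", "10.0.0.4", "10.0.0.2")
    d = ThrottleKey("ATTACK-B", "1A-1B", "10.0.0.5", "10.0.0.2")
    events = [(0, a), (1, a), (2, a), (3, a), (4, a),   # 5 x same pair: 3 individual, 2 throttled
              (5, b), (6, b),                           # 2 x second pair: no throttle
              (7, c), (8, d), (9, c), (10, d)]          # third/fourth pairs share the wildcard
    decisions = [throttle.observe(key, ts) for ts, key in events]
    summaries = throttle.expire(60.0)  # only pair a's timer has expired by now
    return decisions, summaries, throttle


if __name__ == "__main__":
    decisions, summaries, _ = run_demo()
    print(decisions)
    print(summaries)
```

Running the demo shows the two effects worth checking in a deployment: the first three alerts of a repetitive attack still reach Manager with packet logs, and once the pair limit is hit, further combinations lose their IP pair in the summary, so a low Maintain value can hide which hosts were involved.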
