Threshold Parameters - Symantec 10521146 - Network Security 7120 Administration Manual

Administration guide
164 Detecting
Configuring sensor detection
The default value is true. Enabling this parameter impacts performance because
it increases the size of each event record in the event database. However, it
provides valuable information about which packets caused which alerts. If
enabled, the Network Security console displays all packet data in the Advanced
tab of the Event Details.
To disable the collection of full packet data, change the value to false. If you
disable this parameter, the Network Security console displays only packet
header data in the Advanced tab of the Event Details.
Note: For software nodes, enabling this parameter can increase the size of the
event database and reduce sensor performance. Do not install Symantec
Network Security in the same partition as the operating system (the "/"
partition) if disk space is low. The Network Security console displays low disk
space events for less than 100,000 free blocks and less than 10% free space in
the partition where it is installed. In earlier versions, the default value was false.
See "Viewing event details" on page 197.

Threshold parameters

Symantec Network Security uses statistical methods to detect flood attacks by
examining the types of traffic across the wire and the changes in traffic over
periods of time. For example, if the system suddenly receives more requests
than it can respond to, Symantec Network Security flags these events as a
possible DoS attack. It generates events when traffic exceeds preset thresholds;
that is, when a particular type of traffic exceeds a certain percentage of the
traffic as a whole. For example, if a large percentage of traffic on a link is ICMP,
it might indicate a ping flood.
The following parameters set threshold levels for floods, scans, and sweeps. If
activity levels remain below thresholds, the sensor detects the traffic but does
not notify you. Breaching thresholds triggers an alert.
TCP Flood Alert Threshold
TCP Flood Alert Threshold regulates the level at which the sensor notifies you of
a TCP flood. If the sensor detects a greater percentage of unacknowledged TCP
connections than the Threshold, it triggers a flood event.
The default is set to 0.50 (50%) for a high level of sensitivity. Valid values range
from 0 to 1. A value of 1% is extremely sensitive, which impacts system
performance somewhat if it generates a high volume of alerts. It interacts with
Streak Interval and TCP Number of Streak Packets.
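The threshold rule above, worked through as an added example (not Symantec's sensor code): per detection interval, the share of TCP connections that never completed the handshake is compared against the TCP Flood Alert Threshold, and only a share strictly above the threshold raises a flood event. The flow records are constructed, the interval grouping is an assumption about how a sensor would bucket traffic, and the ICMP share is computed only as the ping-flood indicator the manual mentions, since it gives no ICMP threshold.

```python
from collections import defaultdict

# Constructed per-interval flow records (not real sensor output). Each record is
# (interval, protocol, state); for TCP, state is "half_open" when only a SYN was
# seen and "established" once the three-way handshake completed.
SAMPLE_FLOWS = [
    # interval 1: normal traffic, 1 of 4 TCP connections unacknowledged (25%)
    (1, "tcp", "established"), (1, "tcp", "established"),
    (1, "tcp", "established"), (1, "tcp", "half_open"),
    (1, "icmp", "-"),
    # interval 2: SYN-flood pattern, 5 of 6 TCP connections unacknowledged (~83%)
    (2, "tcp", "established"), (2, "tcp", "half_open"), (2, "tcp", "half_open"),
    (2, "tcp", "half_open"), (2, "tcp", "half_open"), (2, "tcp", "half_open"),
    # interval 3: no TCP at all, only ICMP (the ratio must not divide by zero)
    (3, "icmp", "-"), (3, "icmp", "-"), (3, "icmp", "-"),
]

TCP_FLOOD_ALERT_THRESHOLD = 0.50  # manual default: alert above 50% unacknowledged


def tcp_unacked_ratio(flows):
    """Fraction of TCP connections in `flows` that never completed the handshake.
    Returns 0.0 when there is no TCP traffic, so an idle interval never alerts."""
    tcp = [f for f in flows if f[1] == "tcp"]
    if not tcp:
        return 0.0
    return sum(1 for f in tcp if f[2] == "half_open") / len(tcp)


def icmp_share(flows):
    """Fraction of all records in `flows` that are ICMP (the ping-flood indicator)."""
    if not flows:
        return 0.0
    return sum(1 for f in flows if f[1] == "icmp") / len(flows)


def evaluate(flows, threshold=TCP_FLOOD_ALERT_THRESHOLD):
    """Group records by interval (assumed bucketing) and apply the threshold rule:
    the unacknowledged ratio must be strictly greater than `threshold` to raise a
    TCP flood event. Returns {interval: (ratio, alerted)}."""
    by_interval = defaultdict(list)
    for rec in flows:
        by_interval[rec[0]].append(rec)
    return {i: (tcp_unacked_ratio(recs), tcp_unacked_ratio(recs) > threshold)
            for i, recs in sorted(by_interval.items())}


if __name__ == "__main__":
    for interval, (ratio, alerted) in evaluate(SAMPLE_FLOWS).items():
        print(f"interval {interval}: {ratio:.0%} unacknowledged -> {'ALERT' if alerted else 'ok'}")
```

Lowering the threshold to 0.01 (the manual's "extremely sensitive" 1%) makes interval 1 alert as well, which illustrates the alert-volume cost the manual warns about.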