IDS Signature Questions


I have a couple of questions about a particular signature. It is the SYN BOMB. Every time I see this signature, when I go to take a look at what it might be, there are never any packet details. I am certainly no IDS expert by any means and I wonder how you tell if it is a false positive or not if there are no details of any kind. If it is, how do you turn it off? I have looked in my policies and can't even find it.

1 reply

The SYN BOMB event indicates a possible denial of service attack against a target. In order to configure this event, go to Configuration -> Security Zones -> [select either Global or zone] -> Advanced. Then, on the lower section of the screen (Modules), select the Transport Layer module. The online help has a great description of the SYN BOMB detection. You can adjust the threshold of outstanding SYN packets per server on this screen. Also, if you would like to prevent events of this (or any) type from being generated, either in general or on a particular IP or range, you can use the Event Tuning wizard. The Event Tuning wizard can be launched from the event detail window.

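As an added illustration (not the vendor's code and not part of this thread), here is a toy version of the per-server "outstanding SYN" threshold the reply describes, run over constructed traffic. The product's actual algorithm is not shown on the page; this code assumes a SYN stays outstanding until the client's handshake-completing ACK or a RST for that connection is seen, or a timeout passes, and it uses an `exempt_servers` set as a stand-in for per-IP event tuning. All names, addresses and packets below are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

FourTuple = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flag letters: "S", "SA", "A", "R", "RA"


class SynBombDetector:
    """Counts outstanding (half-open) SYNs per server and raises one event
    when a server's count passes the threshold.  This is an assumed model
    of the detection, not the product's own algorithm."""

    def __init__(self, threshold: int = 100, timeout: float = 30.0,
                 exempt_servers: Iterable[str] = ()):
        self.threshold = threshold
        self.timeout = timeout
        self.exempt_servers: Set[str] = set(exempt_servers)   # stand-in for per-IP tuning
        self.pending: Dict[FourTuple, float] = {}             # half-open conn -> SYN time
        self.outstanding: Dict[str, int] = defaultdict(int)   # server IP -> count
        self.events: List[Tuple[float, str, int]] = []        # (ts, server, count)
        self._alerted: Set[str] = set()                       # one event per burst

    def _forget(self, key: FourTuple) -> None:
        if self.pending.pop(key, None) is not None:
            server = key[2]
            self.outstanding[server] -= 1
            if self.outstanding[server] == 0:
                self._alerted.discard(server)

    def _expire(self, now: float) -> None:
        # Entries older than the timeout are dropped, as a host would drop them.
        for key in [k for k, ts in self.pending.items() if now - ts > self.timeout]:
            self._forget(key)

    def feed(self, pkt: Packet) -> None:
        self._expire(pkt.ts)
        fwd: FourTuple = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: FourTuple = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == "S":
            if fwd in self.pending:
                return                       # retransmitted SYN, already counted
            self.pending[fwd] = pkt.ts
            self.outstanding[pkt.dst] += 1
            n = self.outstanding[pkt.dst]
            if (n > self.threshold and pkt.dst not in self.exempt_servers
                    and pkt.dst not in self._alerted):
                self.events.append((pkt.ts, pkt.dst, n))
                self._alerted.add(pkt.dst)
        elif pkt.flags == "A":
            self._forget(fwd)                # client's third-handshake ACK
        elif pkt.flags in ("R", "RA"):
            self._forget(fwd)                # reset from the client side
            self._forget(rev)                # or reset from the server side
        # "SA" from the server leaves the connection half-open; nothing to do


def build_sample() -> List[Packet]:
    """Constructed traffic: five legitimate handshakes to 10.0.0.5:80, then
    120 spoofed SYNs to the same server that never complete, while 10.0.0.6
    only sees one normal handshake."""
    pkts: List[Packet] = []
    t = 0.0
    for i in range(5):
        c = f"192.0.2.{i + 1}"
        pkts.append(Packet(t, c, 40000 + i, "10.0.0.5", 80, "S"))
        pkts.append(Packet(t + 0.01, "10.0.0.5", 80, c, 40000 + i, "SA"))
        pkts.append(Packet(t + 0.02, c, 40000 + i, "10.0.0.5", 80, "A"))
        t += 0.1
    for i in range(120):
        src = f"198.51.100.{i % 250 + 1}"   # spoofed source, never answers the SYN-ACK
        pkts.append(Packet(t, src, 10000 + i, "10.0.0.5", 80, "S"))
        pkts.append(Packet(t + 0.001, "10.0.0.5", 80, src, 10000 + i, "SA"))
        t += 0.005
    pkts.append(Packet(t, "192.0.2.9", 50000, "10.0.0.6", 443, "S"))
    pkts.append(Packet(t + 0.01, "10.0.0.6", 443, "192.0.2.9", 50000, "SA"))
    pkts.append(Packet(t + 0.02, "192.0.2.9", 50000, "10.0.0.6", 443, "A"))
    return pkts


def run(threshold: int = 100, exempt: Iterable[str] = ()) -> SynBombDetector:
    det = SynBombDetector(threshold=threshold, exempt_servers=exempt)
    for p in build_sample():
        det.feed(p)
    return det


if __name__ == "__main__":
    det = run()
    for ts, server, n in det.events:
        print(f"t={ts:.3f}s SYN BOMB: {n} outstanding SYNs to {server} "
              f"(threshold {det.threshold})")
```

In this model the event is produced by a counter crossing a threshold rather than by any single packet, so it naturally carries a target and a count instead of one packet's contents. The `threshold` argument corresponds to the per-server setting on the Transport Layer module screen, and `exempt_servers` plays the role of suppressing the event for a particular IP; raising the threshold to 200 or exempting 10.0.0.5 in the sample makes the same traffic produce no event.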