Sergey,

Those tuning parameters control the signature. Even so, the only ACKs that contribute to the threshold are those that are not part of an established connection. If you find that you are seeing this signature trigger for valid connections, the most likely explanation is that you have an asymmetrically routed network and your sensor is only getting to see one side of the connection.
Paul

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Sergey V Soldatov
Sent: Tuesday, August 31, 2004 6:00 AM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Stream_DoS signature

In its security information that can be found on http://www.iss.net/security_center/reference/vuln/Stream_DoS.htm, it's noted that the signature only considers ACK packets that are not associated with an active connection. But I've found that this signature is triggered whenever the number of ACKs exceeds the pam.flood.ack.limit threshold within pam.flood.ack.interval seconds. Has anyone found the same? Please, correct me if I'm wrong.

---
Best regards, Sergey V. Soldatov.
tel/fax +7 095 745 89 50 (2663)

_______________________________________________
ISSForum mailing list [EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
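The behaviour discussed in this thread, as an added example that is not part of either message and is not ISS's implementation: a simplified connection tracker counts only ACKs outside an established connection and alerts when more than `limit` arrive within `interval` seconds (standing in for pam.flood.ack.limit and pam.flood.ack.interval). The tracking model, function names, addresses and traffic are constructed assumptions; the same valid connection is evaluated once with both directions visible and once with only the client-to-server half, as on an asymmetrically routed network.

```python
from collections import deque

SYN, ACK = 0x02, 0x10  # TCP flag bits

def orphan_ack_alerts(packets, limit, interval):
    """Timestamps at which ACKs outside any established connection
    number more than `limit` within the last `interval` seconds."""
    state = {}        # flow -> (stage, endpoint that sent the SYN)
    recent = deque()  # arrival times of ACKs not tied to a connection
    alerts = []
    for ts, src, dst, flags in packets:
        flow = frozenset((src, dst))
        stage, opener = state.get(flow, (None, None))
        if flags == SYN:
            state[flow] = ("syn", src)
        elif flags == SYN | ACK:
            if stage == "syn" and opener == dst:
                state[flow] = ("synack", dst)
        elif flags & ACK:
            if stage == "synack" and opener == src:
                state[flow] = ("established", src)  # handshake completed
            elif stage != "established":
                recent.append(ts)
                while ts - recent[0] > interval:
                    recent.popleft()
                if len(recent) > limit:
                    alerts.append(ts)
    return alerts

def sample_connection(client, server, t0=0.0, segments=20):
    """Constructed traffic: a handshake, then ACK segments alternating direction."""
    pkts = [(t0, client, server, SYN),
            (t0 + 0.01, server, client, SYN | ACK),
            (t0 + 0.02, client, server, ACK)]
    for i in range(segments):
        a, b = (client, server) if i % 2 == 0 else (server, client)
        pkts.append((t0 + 0.03 + i * 0.01, a, b, ACK))
    return pkts

CLIENT, SERVER = ("192.0.2.10", 40000), ("198.51.100.5", 80)
both_sides = sample_connection(CLIENT, SERVER)
# Asymmetric routing: the sensor only sees the client-to-server half.
one_side = [p for p in both_sides if p[1] == CLIENT]

if __name__ == "__main__":
    print("both directions:", len(orphan_ack_alerts(both_sides, 5, 1)))
    print("one direction:  ", len(orphan_ack_alerts(one_side, 5, 1)))
```

With both directions visible the handshake completes and no ACK is counted; with one direction missing the SYN-ACK is never seen, so every ACK of the valid connection counts toward the threshold.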
