Algorithm settings
The table below lists the additional settings that can be used to tune individual FA algorithm behavior.
| Algorithm Name | Setting | Description |
|---|---|---|
| Auto Investigate | Candidate Limit | The maximum number of Violator->Policy->Target links to review for correlation. |
| Auto Investigate | Chain Max | The maximum number of Violator->Policy->Target chains that will be considered for deduplication. |
| Auto Investigate | Length Limit | The maximum length of any chain of Violator->Policy->Target links. |
| BotNet Detection | Threshold | Number of unique No Existing Domain (NXDOMAIN) replies within a three-minute period to trigger alarm |
| DDoS Detection | DDoS Bytes Deviation | Maximum number of bytes allowed in a single standard deviation to trigger (default 10) |
| DDoS Detection | DDoS Packet Deviation | Maximum number of packets allowed in a single standard deviation to trigger (default 10) |
| DDoS Detection | DDoS Packets | Number of packets each source must have sent to be counted |
| DDoS Detection | DDoS Unique hosts | Minimum number of unique hosts participating in a DDoS attack |
| Denied Flows Firewall | Denied Threshold | The number of denied flows from a single host within a three-minute period to trigger an event |
| DNS Command and Control Detection | DNS Command and Control attempts | DNS Command and Control attempts within a three-minute period to trigger alarm |
| DNS Command and Control Detection | DNS Command and Control bytes | DNS Command and Control bytes within a three-minute period to trigger alarm |
| DNS Data Leak Detection | DNS Data Leak attempts | DNS Data Leak attempts within a three-minute period to trigger alarm |
| DNS Data Leak Detection | DNS Data Leak bytes | DNS Data Leak bytes within a three-minute period to trigger alarm |
| DNS Hits | Flow Threshold | The number of DNS requests within a three-minute period to trigger an event |
| DNS Server Detection | Flow threshold to trigger alarm | Number of properly formatted DNS request packets sent to the specified IP address to trigger alarm |
| DRDoS Detection | CharGen (UDP 19) | Enable/Disable Distributed Reflection DoS (DRDoS) Attack Detection |
| DRDoS Detection | DNS (UDP 53) | Enable/Disable Distributed Reflection DoS (DRDoS) Attack Detection |
| DRDoS Detection | Flow Imbalance Threshold | How many inbound packets per outbound packet to trigger a DRDoS alarm |
| DRDoS Detection | LDAP (UDP 389) | Enable/Disable Distributed Reflection DoS (DRDoS) Attack Detection |
| DRDoS Detection | Memcached (UDP 11211) | Enable/Disable Distributed Reflection DoS (DRDoS) Attack Detection |
| DRDoS Detection | NetBIOS Name Server (UDP 137) | Enable/Disable Distributed Reflection DoS (DRDoS) Attack Detection |
| DRDoS Detection | NTP (UDP 123) | Enable/Disable Distributed Reflection DoS (DRDoS) Attack Detection |
| DRDoS Detection | Quote of the Day (UDP 17) | Enable/Disable Distributed Reflection DoS (DRDoS) Attack Detection |
| DRDoS Detection | RPC Portmap (UDP 111) | Enable/Disable Distributed Reflection DoS (DRDoS) Attack Detection |
| DRDoS Detection | Sentinel (UDP 5093) | Enable/Disable Distributed Reflection DoS (DRDoS) Attack Detection |
| DRDoS Detection | SNMP (UDP 161,162) | Enable/Disable Distributed Reflection DoS (DRDoS) Attack Detection |
| DRDoS Detection | SSDP (UDP 1900) | Enable/Disable Distributed Reflection DoS (DRDoS) Attack Detection |
| DRDoS Detection | Trivial File Transfer Protocol (UDP 69) | Enable/Disable Distributed Reflection DoS (DRDoS) Attack Detection |
| FIN Scan | External to Internal | Enable/Disable Scan Detection in the direction indicated |
| FIN Scan | Flow Threshold | The number of FIN flows from a single host within a three-minute period to trigger an event |
| FIN Scan | Internal to External | Enable/Disable Scan Detection in the direction indicated |
| FIN Scan | Internal to Internal | Enable/Disable Scan Detection in the direction indicated |
| Host Indexing | Days of host index data retention | Host index entries last seen more than this many days ago will be trimmed. |
| Host Indexing | Host Index Database | File path of the Host Index. *The background service must be restarted from the CLI after an update. The service will start clean in the new location. |
| Host Indexing | Host Indexing Domain Socket | File path of the Host Indexing domain socket |
| Host Indexing | Host Index Max Disk Space | Maximum combined disk space threshold for host indexing (in MB). Warning events are sent at 75%; indexing is temporarily suspended at 100% until record expiration frees space. |
| Host Indexing | Host Index Sync Interval Minutes | The sync interval in minutes for each index update |
| Host Indexing | Host to Host Database | File path of the Host-to-Host Index. Leave blank to disable Host-to-Host indexing. *The background service must be restarted from the CLI after an update. The service will start clean in the new location. |
| Host Indexing | Window Limit | The maximum number of records considered on each index update |
| Host Reputation | Aggregate Timeout | Aggregate similar alarms until there are no new alarms for over N minutes (default 2 hours = 120 minutes, zero to disable aggregation) |
| Host Reputation | Threshold | Number of bytes (octets) within a three-minute period to trigger alarm |
| ICMP Destination Unreachable | External to Internal | Enable/Disable Scan Detection in the direction indicated |
| ICMP Destination Unreachable | Flow Threshold | The number of flows from a single host triggering an ICMP Destination Unreachable response within a three-minute period |
| ICMP Destination Unreachable | Internal to External | Enable/Disable Scan Detection in the direction indicated |
| ICMP Destination Unreachable | Internal to Internal | Enable/Disable Scan Detection in the direction indicated |
| ICMP Port Unreachable | External to Internal | Enable/Disable Scan Detection in the direction indicated |
| ICMP Port Unreachable | Internal to External | Enable/Disable Scan Detection in the direction indicated |
| ICMP Port Unreachable | Internal to Internal | Enable/Disable Scan Detection in the direction indicated |
| ICMP Port Unreachable | Threshold | The number of flows from a single host triggering an ICMP Port Unreachable response within a three-minute period |
| IP Address Violations | Threshold | Number of bytes (octets) within a three-minute period to trigger alarm |
| Large Ping | Size Threshold | Average packet size threshold for determining a large ping packet. |
| Lateral Movement Attempt | Backdoor Threshold | Number of destination hosts on backdoor ports to trigger alert |
| Lateral Movement Attempt | External to Internal | Enable/Disable Scan Detection in the direction indicated |
| Lateral Movement Attempt | Internal to External | Enable/Disable Scan Detection in the direction indicated |
| Lateral Movement Attempt | Internal to Internal | Enable/Disable Scan Detection in the direction indicated |
| Lateral Movement Attempt | IOT Threshold | Number of destination hosts on IoT ports to trigger alert |
| Lateral Movement Attempt | Remote Access Threshold | Number of destination hosts on remote access ports to trigger alert |
| Lateral Movement Attempt | Windows Remote Access Threshold | Number of destination hosts on Windows remote access ports to trigger alert |
| Medianet Jitter Violations | Jitter by Interface | The millisecond variation in packet delay caused by queuing, contention and/or serialization effects on the path through the network. Default = 80 ms. This is also used for record highlighting in Status reports. |
| Multicast Violations | Threshold | Number of bytes (octets) within a three-minute period to trigger alarm |
| NULL Scan | External to Internal | Enable/Disable Scan Detection in the direction indicated |
| NULL Scan | Flow Threshold | The number of flows from a single host within a three-minute period to trigger an event |
| NULL Scan | Internal to External | Enable/Disable Scan Detection in the direction indicated |
| NULL Scan | Internal to Internal | Enable/Disable Scan Detection in the direction indicated |
| Odd TCP Flags Scan | External to Internal | Enable/Disable Scan Detection in the direction indicated |
| Odd TCP Flags Scan | Internal to External | Enable/Disable Scan Detection in the direction indicated |
| Odd TCP Flags Scan | Internal to Internal | Enable/Disable Scan Detection in the direction indicated |
| Odd TCP Flags Scan | Threshold | The number of flows from a single host with odd TCP flags within a three-minute period to trigger an event |
| P2P Detection | Threshold | Number of distinct destination IPs in a three-minute period to trigger alarm |
| Packet Flood | Packet Size Threshold | The maximum average packet size to be considered a flood packet |
| Packet Flood | Packet threshold | The number of packets that should be observed within a three-minute period to trigger an event |
| Persistent Flow Risk | Active Flow Threshold (hours) | How long a flow should be active before an alarm is triggered |
| Persistent Flow Risk | Aggregate Timeout | Aggregate similar alarms until there are no new alarms for over N minutes (default 2 hours = 120 minutes, zero to disable aggregation) |
| Persistent Flow Risk | Inactive Flow Threshold (hours) | How long a flow should be inactive before it is no longer considered the same flow |
| Persistent Flow Risk | PCR Threshold | The ratio of traffic where 1 is a pure upload and -1 is a pure download. Set to 0 to disable |
| Persistent Flow Risk - ASA | Active Flow Threshold (hours) | How long a flow should be active before an alarm is triggered |
| Persistent Flow Risk - ASA | Aggregate Timeout | Aggregate similar alarms until there are no new alarms for over N minutes (default 2 hours = 120 minutes, zero to disable aggregation) |
| Persistent Flow Risk - ASA | Inactive Flow Threshold (hours) | How long a flow should be inactive before it is no longer considered the same flow |
| Persistent Flow Risk - ASA | PCR Threshold | The ratio of traffic where 1 is a pure upload and -1 is a pure download. Set to 0 to disable |
| Ping Flood | Ping Flood Threshold | Minimum number of pings from a host to a distinct destination in a minute that should trigger |
| Ping Scan | External to Internal | Enable/Disable Scan Detection in the direction indicated |
| Ping Scan | Internal to External | Enable/Disable Scan Detection in the direction indicated |
| Ping Scan | Internal to Internal | Enable/Disable Scan Detection in the direction indicated |
| Ping Scan | Ping Scan Host Threshold | Minimum number of distinct hosts that a violator must ping to trigger |
| Reverse SSH Shell | Packet Size Threshold | Maximum average packet size in the SSH session that should be considered for triggering the alert |
| Reverse SSH Shell | Reverse Shell Threshold | The maximum number of outbound bytes on an SSH connection that should be considered for triggering the alert |
| RST/ACK Detection | External to Internal | Enable/Disable Scan Detection in the direction indicated |
| RST/ACK Detection | Flow Threshold | The number of flows from a single host within a three-minute period to trigger an event |
| RST/ACK Detection | Internal to External | Enable/Disable Scan Detection in the direction indicated |
| RST/ACK Detection | Internal to Internal | Enable/Disable Scan Detection in the direction indicated |
| Slow Port Scan | External to Internal | Enable/Disable Scan Detection in the direction indicated |
| Slow Port Scan | Internal to External | Enable/Disable Scan Detection in the direction indicated |
| Slow Port Scan | Internal to Internal | Enable/Disable Scan Detection in the direction indicated |
| SYN Scan | External to Internal | Enable/Disable Scan Detection in the direction indicated |
| SYN Scan | Half-Open packet per port | The number of packets per destination port to be considered a half-open flood |
| SYN Scan | Half-Open port count | The number of distinct destination ports to be considered a half-open flood |
| SYN Scan | Host Scan Hosts | The number of distinct destination hosts to be considered a host scan |
| SYN Scan | Host Scan Ports | The number of distinct destination ports to be considered a host scan |
| SYN Scan | Internal to External | Enable/Disable Scan Detection in the direction indicated |
| SYN Scan | Internal to Internal | Enable/Disable Scan Detection in the direction indicated |
| SYN Scan | Port Scan Hosts | The number of distinct destination hosts to be considered a port scan |
| SYN Scan | Port Scan Ports | The number of distinct destination ports to be considered a port scan |
| TCP Scan | Destination Host Threshold | Number of distinct destination hosts to trigger alarm |
| TCP Scan | Destination Port Threshold | Number of distinct destination ports to trigger alarm |
| TCP Scan | External to Internal | Enable/Disable Scan Detection in the direction indicated |
| TCP Scan | Internal to External | Enable/Disable Scan Detection in the direction indicated |
| TCP Scan | Internal to Internal | Enable/Disable Scan Detection in the direction indicated |
| UDP Scan | External to Internal | Enable/Disable Scan Detection in the direction indicated |
| UDP Scan | Host threshold | The number of hosts scanned within a three-minute period that will trigger an event |
| UDP Scan | Internal to External | Enable/Disable Scan Detection in the direction indicated |
| UDP Scan | Internal to Internal | Enable/Disable Scan Detection in the direction indicated |
| UDP Scan | Port threshold | The number of ports per host scanned within a three-minute period that will trigger an event |
| XMAS Scan | External to Internal | Enable/Disable Scan Detection in the direction indicated |
| XMAS Scan | Flow Threshold | The number of flows from a single host within a three-minute period to trigger an event |
| XMAS Scan | Internal to External | Enable/Disable Scan Detection in the direction indicated |
| XMAS Scan | Internal to Internal | Enable/Disable Scan Detection in the direction indicated |
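Many rows above share one shape: a Flow Threshold of "N flows from a single host within a three-minute period", gated by the External to Internal / Internal to External / Internal to Internal toggles. The following is an added example, not code from the product's own FA engine, that models that evaluation over a handful of constructed flow records so the effect of the window and the direction toggles can be seen. The internal address ranges, the `Flow` record layout and the use of a bare FIN flag to pick out FIN Scan candidates are assumptions for the illustration; how the real algorithm classifies flows is not stated on this page.

```python
"""Added example: windowed per-host flow-count detection with direction toggles.
Not the product's implementation; written to illustrate the settings table.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WINDOW_SECONDS = 180  # the "three-minute period" used by the table's thresholds

# Assumption: which prefixes count as "Internal" for the direction toggles.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: int          # flow start, epoch seconds
    src: str
    dst: str
    dst_port: int
    tcp_flags: str   # cumulative TCP flags seen in the flow, e.g. "S", "F", "SA"


@dataclass
class ScanSettings:
    flow_threshold: int      # "Flow Threshold" column
    directions: dict         # the three Enable/Disable direction toggles
    flag_filter: str         # which flag pattern marks a candidate flow (assumption)


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(flow: Flow) -> str:
    """Label a flow the way the toggles name it, e.g. 'External to Internal'."""
    side = lambda ip: "Internal" if is_internal(ip) else "External"
    return f"{side(flow.src)} to {side(flow.dst)}"


def evaluate(flows, settings: ScanSettings):
    """Return (violator, window_start, count) for each host that reaches the
    threshold inside a sliding three-minute window; one event per violator."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.tcp_flags != settings.flag_filter:
            continue                       # not a candidate flow for this algorithm
        if not settings.directions.get(direction(f), False):
            continue                       # detection disabled for this direction
        by_src[f.src].append(f.ts)

    events = []
    for src, times in by_src.items():
        start = 0
        for end, t in enumerate(times):
            while times[start] < t - WINDOW_SECONDS:   # slide window forward
                start += 1
            if end - start + 1 >= settings.flow_threshold:
                events.append((src, times[start], end - start + 1))
                break                       # first window that trips is enough here
    return events


# FIN Scan settings as the table describes them: threshold plus direction toggles.
FIN_SCAN = ScanSettings(
    flow_threshold=5,
    directions={"External to Internal": True,
                "Internal to External": False,
                "Internal to Internal": True},
    flag_filter="F",
)

# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    # external host: five bare-FIN flows to internal ports within 100 seconds
    Flow(1000, "203.0.113.5", "10.0.0.20", 22, "F"),
    Flow(1010, "203.0.113.5", "10.0.0.20", 23, "F"),
    Flow(1030, "203.0.113.5", "10.0.0.21", 80, "F"),
    Flow(1060, "203.0.113.5", "10.0.0.21", 443, "F"),
    Flow(1100, "203.0.113.5", "10.0.0.22", 8080, "F"),
    # internal host: five bare-FIN flows spread over ten minutes (never 5 in one window)
    Flow(2000, "10.0.0.9", "192.168.1.1", 22, "F"),
    Flow(2150, "10.0.0.9", "192.168.1.1", 23, "F"),
    Flow(2300, "10.0.0.9", "192.168.1.1", 25, "F"),
    Flow(2450, "10.0.0.9", "192.168.1.1", 80, "F"),
    Flow(2600, "10.0.0.9", "192.168.1.1", 443, "F"),
    # ordinary SYN flows, ignored by the FIN-scan flag filter
    Flow(1000, "10.0.0.30", "10.0.0.20", 443, "S"),
    Flow(1001, "10.0.0.30", "10.0.0.20", 443, "S"),
]

if __name__ == "__main__":
    for violator, window_start, count in evaluate(SAMPLE_FLOWS, FIN_SCAN):
        print(f"FIN Scan: {violator} sent {count} FIN flows in the window starting at {window_start}")
```

Raising the Flow Threshold or disabling the External to Internal toggle suppresses the event for the external host in the sample, while the internal host never trips because its flows are spaced wider than the window; that is the tuning trade-off every "within a three-minute period" row in the table exposes.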