Symantec 10521146 Administration Guide - Page 167
Other Saturation Alert Threshold, Miscellaneous parameters, Event Delay Time
UPC - 037648268134
View all Symantec 10521146 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 167 highlights
Detecting 167 Configuring sensor detection Service traffic in 20% of the total network traffic. This avoids false positives on relatively quiet links. Adjust this parameter as necessary until it just barely alerts, such as once a day under normal conditions for your environment. You can increase the Threshold if you want to tolerate a high percentage of Bad Service traffic in your environment. Other Saturation Alert Threshold Other Saturation Alert Threshold regulates the level at which the sensor notifies you that it detects "Other" traffic, such as any IP traffic that is not TCP, UDP, ICMP, OSPF, IPSEC, or GRE traffic, or any non-IP traffic. The default is set to 0.09, and valid values range from 0 to 1, representing the percentage of total traffic. By default, the sensor notifies you if it detects "Other" traffic in 9% of the total network traffic. This avoids false positives on relatively quiet links. Adjust this parameter as necessary until it just barely alerts, such as once a day under normal conditions for your environment. A high rate of alerting can slow performance, so you can increase the Threshold if you want to tolerate a high percentage of "Other" traffic in your environment. Miscellaneous parameters The following parameters regulate the suppression of duplicate events and enabling asymmetric routing. Event Delay Time Event Delay Time regulates alert suppression by setting the number of seconds that the sensor waits between sending multiple alerts of the same type. The default is 2 seconds, which is the minimum. Under most circumstances, this provides optimum sensitivity and performance and does not need to be changed. However, if the sensor generates the same event types too frequently, you can either suppress or filter the event type. If you filter the event type, that type of event will not show at all. On the other hand, if you increase the Event Delay Time, you can reduce the number of events of this type without eliminating them altogether. Event suppression affects performance slightly, since the product performs faster if it sends fewer events. However, you risk missing important data by increasing this value.