SID: 99992 TCP SYN FLOOD Notification

Created: 13 Dec 2013 | 9 comments

We're getting this notification on a Mac Mini that we're using as a server. We've set up the Intrusion Prevention policy to allow this traffic on this server, but to log the traffic. We are still getting a notification on the server of this SID. Any ideas what is triggering this? This Mac is running RU4.

.Brian's picture

Is there a remote IP in the log that this is coming from or is local to the client?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

branttaylor's picture

Hi Pete, I work with Matt, and that's what we did. The SID is already added as an exception, but we still get this notification.

.Brian's picture

But you have logging enabled, correct?

branttaylor's picture

Correct, and it gets added to the log correctly. Is this pop-up considered to be a form of logging?

.Brian's picture

I don't have a Mac to test on but would appear to be the case. With IPS being new for Macs in 12.1.4 I wouldn't be surprised. Support could confirm.

branttaylor's picture

Looks like you are correct. With logging turned off, we have not had this pop-up occur at all. Frustrating, because I would like for this event to be written to the log without bugging the user. In this case, it's just a server, but I could conceivably see wanting to log certain IPS exceptions on an end-user's machine, but I can't do that with how it currently behaves. Thanks Brian!

.Brian's picture

That is unfortunate. It should have the ability to write to the log (silent for user) but allow the traffic.

Since IPS for Mac is new, this could be an enhancement request.

branttaylor's picture

Forgot to click reply when typing this response. Comment removed.