I have a router using CBAC with error messages such as this:
Feb 16 01:05:11.676 CET: %FW-4-ALERT_ON: getting aggressive, count (15/500) current 1-min rate: 501
Feb 16 01:05:14.017 CET: %FW-4-ALERT_OFF: calming down, count (10/400) current 1-min rate: 369
My understanding from docs online and also Richard Deal's book is that there were more than 500 connections started in the last minute which resulting in the first message, this then dropped below the low threshold of 400 resulting in the second message.
But I can find no mention anywhere on what the 'count (15/500)' and 'count (10/400)' numbers mean on each line. Is this how many sessions were blocked by CBAC in the last minute?
Can anyone enlighten me on this please?
Yes you are right it has increased by 15 in the last minute and crossed the threshold of 500 and given you that log.
Do rate if I have helped out.