Customizing a Sig 3171

Unanswered Question
Mar 30th, 2007

I need some help on customizing sig 3171, FTP privileged login. I would like that once this sig fires a certain number of times it will block the host. I have my device set up for blocking and I thought I had this sig cloned correctly to block the host after a certain number of events, but this sig is still firing from the same host well past the desired number. I don't really want to block this after the first event in case there is any legitimate traffic.

Any advice or direction is appreciated.


vitripat Fri, 03/30/2007 - 11:19

On this signature, you need to look at the following fields:

Event Count
Event Count Key
Alert Interval
Event Action

By configuring the following event counter fields, you specify how many instances of the signature's traffic are required to cause an alert:

Event Count - Here you can specify, let's say, 5.

Event Count Key - Here you can specify Attacker Address.

Alert Interval - You may leave this blank or, let's say, specify 20 seconds.

Event Action - Specify Produce Alert + Request Block Host

The Event Count field identifies how many instances of the signature's traffic need to occur before an alert is generated. So with the above values defined, if a specific host hits the command 5 times within 20 seconds, an alert will be generated and the host will be blocked on the blocking device.

By specifying an Alert Interval, you indicate the time period (in seconds) over which the sensor must see the number of instances of the intrusive traffic equal to the Event Count in order to generate an alert. For instance, if the Alert Interval is set to 20 and the Event Count is 5, then the sensor must see five instances of the signature's traffic in 20 seconds before it generates an alert. At the end of the alert interval, the instance count is reset to 0.

You can also configure a signature without an Alert Interval parameter. In that situation, an alert is generated when the instances of the signature's traffic reach the Event Count, regardless of the time interval.

Please make sure that the signature is configured accordingly. If it is, then we need to start looking into other domains.
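To make the counter semantics in the answer above concrete, here is an added simulation of how Event Count, Event Count Key (keyed on attacker address) and Alert Interval interact. It is illustration code written for this thread, not Cisco IPS code; the field names come from the answer, while the fixed-window reset (count goes back to 0 at the end of each interval, measured from the first hit of that host) and the sample events are assumptions constructed for the example.

```python
"""Model of an IPS signature event counter as described in the thread:
an alert (and its Request Block Host action) fires once a given attacker
address produces Event Count instances of the signature's traffic, either
within one Alert Interval or, with no interval configured, at any pace.
This is an added illustration, not Cisco IPS code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SignatureCounter:
    event_count: int                  # Event Count: hits needed to alert
    alert_interval: Optional[float]   # Alert Interval in seconds, or None
    # Per-key state keyed on attacker address: (hits so far, interval start)
    _state: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def observe(self, attacker: str, ts: float) -> bool:
        """Record one instance of the signature's traffic from `attacker`
        at time `ts`. Return True when the Event Count is reached, i.e.
        when the alert and the block request would fire."""
        count, start = self._state.get(attacker, (0, ts))
        if self.alert_interval is not None and ts - start >= self.alert_interval:
            # End of the alert interval: instance count is reset to 0 and a
            # new interval begins with this hit (assumed fixed-window model).
            count, start = 0, ts
        count += 1
        if count >= self.event_count:
            # Alert fires; start counting afresh for this attacker.
            self._state[attacker] = (0, ts)
            return True
        self._state[attacker] = (count, start)
        return False


# Constructed sample events: (timestamp in seconds, attacker address).
# Host .10 hammers the FTP login; host .20 trips the signature only slowly.
SAMPLE_EVENTS: List[Tuple[float, str]] = [
    (0.0, "192.0.2.10"),
    (1.0, "192.0.2.20"),
    (2.0, "192.0.2.10"),
    (4.0, "192.0.2.10"),
    (6.0, "192.0.2.10"),
    (8.0, "192.0.2.10"),    # 5th hit from .10 inside 20 s -> alert + block
    (30.0, "192.0.2.20"),
    (55.0, "192.0.2.20"),
    (80.0, "192.0.2.20"),
    (100.0, "192.0.2.20"),  # .20 never reaches 5 hits within one interval
]


def hosts_to_block(events, event_count: int = 5,
                   alert_interval: Optional[float] = 20.0):
    """Replay events through the counter and return (time, attacker) pairs
    at which the Request Block Host action would be requested."""
    counter = SignatureCounter(event_count, alert_interval)
    return [(ts, attacker) for ts, attacker in events
            if counter.observe(attacker, ts)]


if __name__ == "__main__":
    print("Event Count 5, Alert Interval 20:", hosts_to_block(SAMPLE_EVENTS))
    print("Event Count 5, no Alert Interval:",
          hosts_to_block(SAMPLE_EVENTS, alert_interval=None))
```

With the interval set, only the fast host is blocked; dropping the interval blocks the slow host as well once its fifth hit arrives, which is the trade-off the original poster is weighing against legitimate traffic. Keying the state on the attacker address is what keeps one noisy host from pushing a quiet one over the threshold.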
