limiting by sessions

Jan 3rd, 2008

Hi guys,

Is there a way that I can make a custom signature to detect if any given host has reached a predefined limit of sessions to a specific host? I know this can be done with ASA, but can it be done with IPS functionality?

mhellman Wed, 01/09/2008 - 14:43

Yes, you can do this. I assume you're talking about TCP sessions, right? Take a look at 3041-1, TCP SYN/FIN Packet. Copy it. Change the TCP flags to SYN. Change the TCP mask to SYN|FIN|ACK|RST|PSH|URG. Change the destination port range to the desired values. Change the event count and interval to the number of sessions that must be reached over the time interval before the alarm will fire.


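What the tuned signature in the reply above amounts to, as added illustration code rather than anything from the thread or from Cisco: a Python model of a 3041-1 copy whose flags, mask, destination port range, event count and interval are applied to constructed sample packets. The TCP flag bit values and the sliding-window counting are assumptions; the sensor's real event count and interval semantics are not spelled out on this page.

```python
from collections import defaultdict, deque

# Standard TCP flag bits, assumed here so packet flags can be masked and compared
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

class SessionLimitSignature:
    """Models the tuned copy of 3041-1 from the reply: match when the masked TCP
    flags equal exactly SYN and dport is in range; alarm once a src/dst pair has
    event_count matches within interval seconds (a sliding-window approximation)."""

    def __init__(self, flags=SYN, mask=SYN | FIN | ACK | RST | PSH | URG,
                 port_range=(1, 65535), event_count=10, interval=60):
        self.flags, self.mask, (self.lo, self.hi) = flags, mask, port_range
        self.event_count, self.interval = event_count, interval
        self._hits = defaultdict(deque)  # (src, dst) -> timestamps of matches

    def matches(self, pkt):
        # All six bits in the mask: a SYN/ACK (0x12) stays 0x12 != 0x02, so only pure SYNs count
        return (pkt["flags"] & self.mask) == self.flags and self.lo <= pkt["dport"] <= self.hi

    def process(self, pkt):
        # Returns True when this packet pushes its src/dst pair over the limit
        if not self.matches(pkt):
            return False
        window = self._hits[(pkt["src"], pkt["dst"])]
        window.append(pkt["ts"])
        while window and pkt["ts"] - window[0] > self.interval:
            window.popleft()  # forget matches older than the interval
        if len(window) >= self.event_count:
            window.clear()  # reset so a further burst alarms again
            return True
        return False

def pkt(ts, src, dst, dport, flags):
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "flags": flags}

# Constructed sample traffic: .5 opens three sessions to .9:80 within 2 s (a SYN/ACK
# and a SYN to port 22 must not count); .6 spreads three SYNs over 21 s.
SAMPLE = [
    pkt(0, "10.0.0.5", "10.0.0.9", 80, SYN),
    pkt(0, "10.0.0.6", "10.0.0.9", 80, SYN),
    pkt(0.5, "10.0.0.5", "10.0.0.9", 80, SYN | ACK),
    pkt(1, "10.0.0.5", "10.0.0.9", 80, SYN),
    pkt(1.5, "10.0.0.5", "10.0.0.9", 22, SYN),
    pkt(2, "10.0.0.5", "10.0.0.9", 80, SYN),
    pkt(20, "10.0.0.6", "10.0.0.9", 80, SYN),
    pkt(21, "10.0.0.6", "10.0.0.9", 80, SYN),
]

def alarms(packets, sig):
    # Feed every packet to the signature; collect (ts, src, dst) for each alarm
    return [(p["ts"], p["src"], p["dst"]) for p in packets if sig.process(p)]
```

With a port range of 80-80, an event count of 3 and a 10 second interval, only 10.0.0.5 trips the alarm; 10.0.0.6 never has three SYNs inside one window.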