New signature for flood control

Oct 13th, 2008

I am in need of help in writing my own signature to control dictionary attacks on a proprietary application on one of our mainframe applications.


I was looking at writing a rule using the flood net engine. Does anyone have more information on what the different variables for this engine are? If I set the rate for 3 and the peaks and gaps to 0, will this block the 4th attempt in a second?


I also need to try to lock this signature down. I could not allow it to block every 4th connection attempt from one IP address. How can you lock this signature down to a specific port and IP address? Does it need to be written into a meta engine signature?


Thanks

Gary

Correct Answer
mhellman Mon, 10/13/2008 - 14:43

Details matter, but that seems like a less than optimal choice for the engine. Load up the signature policy and do a select by "sig name". Enter "failure" in the sig name box and click find. You might try modeling a signature after one of these (6256-0 for example). Is there anything in the response that you can look for?
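As an added illustration that is not part of this thread and is not Cisco IPS signature syntax, the following Python model shows the two things the question is really about: a rate threshold (more than 3 failures from one source within one second fires on the 4th) and scoping to a single destination IP and port, with the "look for failure in the response" idea from the answer as the match condition. The destination address, port number, and sample events are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample events: (timestamp_seconds, src_ip, dst_ip, dst_port, response_text)
# Addresses are documentation ranges; the port and response strings are made up.
SAMPLE_EVENTS = [
    (0.10, "192.0.2.10", "198.51.100.5", 23, "LOGIN FAILURE"),
    (0.30, "192.0.2.10", "198.51.100.5", 23, "LOGIN FAILURE"),
    (0.55, "192.0.2.10", "198.51.100.5", 23, "LOGIN FAILURE"),
    (0.80, "192.0.2.10", "198.51.100.5", 23, "LOGIN FAILURE"),   # 4th within 1 s -> alert
    (0.90, "192.0.2.10", "198.51.100.5", 80, "HTTP/1.1 401 Unauthorized"),  # other port, out of scope
    (1.50, "192.0.2.77", "198.51.100.5", 23, "LOGIN FAILURE"),
    (2.00, "192.0.2.77", "198.51.100.5", 23, "LOGIN OK"),        # not a failure, ignored
    (3.00, "192.0.2.10", "198.51.100.5", 23, "LOGIN FAILURE"),   # old burst expired, no alert
]


class FailureRateDetector:
    """Alert when one source produces more than `rate` failure responses from a
    specific dst_ip:dst_port within a sliding `window` of seconds.
    Hypothetical illustration of threshold + scoping logic, not an IPS engine."""

    def __init__(self, dst_ip, dst_port, rate=3, window=1.0, failure_token="FAILURE"):
        self.dst_ip = dst_ip
        self.dst_port = dst_port
        self.rate = rate            # failures allowed per window; the next one alerts
        self.window = window        # seconds
        self.failure_token = failure_token.lower()
        # Per-source timestamps of recent failures, oldest first
        self._hits = defaultdict(deque)

    def observe(self, ts, src_ip, dst_ip, dst_port, response):
        """Feed one event in time order; return True if it crosses the threshold."""
        # Scoping: only the protected service, only responses that signal a failure
        if (dst_ip, dst_port) != (self.dst_ip, self.dst_port):
            return False
        if self.failure_token not in response.lower():
            return False
        q = self._hits[src_ip]
        q.append(ts)
        # Slide the window: discard failures older than `window` seconds
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.rate:
            q.clear()               # one alert per burst instead of one per extra attempt
            return True
        return False

    def scan(self, events):
        """Return (timestamp, src_ip) for every event that triggered an alert."""
        return [(ts, src) for ts, src, dip, dport, resp in events
                if self.observe(ts, src, dip, dport, resp)]


def run_sample():
    """Run the detector over the constructed events with rate=3, window=1 s."""
    det = FailureRateDetector("198.51.100.5", 23)
    return det.scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for ts, src in run_sample():
        print(f"t={ts:.2f}s  {src} exceeded 3 failures/s against 198.51.100.5:23")
```

Only the source that reached a fourth failure inside one second is reported; the 401 on port 80, the successful login, and the lone failure at t=3 s all stay silent, which is the "lock it down to one port and address" behaviour the question asks for.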

gm-douglas Tue, 10/14/2008 - 10:17
Thank you. You got me going in the right direction. I created the rule with the Atomic IP engine, and it is working fine.


Gary
