10-13-2008 06:57 AM - edited 03-10-2019 04:19 AM
I am in need of help in writing my own signature to control dictionary attacks on a proprietary application on one of our mainframe applications.
I was looking at writing a rule using the Flood Net engine. Does anyone have more information on what the different variables for this engine are? If I set the rate to 3 and the peaks and gaps to 0, will this block the 4th attempt in a second?
I also need to try to lock this signature down. I could not allow it to block every 4th connection attempt from one IP address. How can you lock this signature down to a specific port and IP address? Does it need to be written into a Meta engine signature?
Thanks
Gary
10-13-2008 02:43 PM
Details matter, but that seems like a less than optimal choice for the engine. Load up the signature policy and do a select by "sig name". Enter "failure" in the sig name box and click Find. You might try modeling a signature after one of these (6256-0 for example). Is there anything in the response that you can look for?
10-14-2008 10:17 AM
Thank you. You got me going in the right direction. I created the rule with the Atomic IP engine, and it is working fine.
Gary
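As an added illustration, not code from this thread or from Cisco, here is a small Python model of the rate/peaks/gap behaviour Gary asks about, with the signature locked to a single destination IP and port so that connection attempts to other hosts or ports never count toward it. The semantics are assumptions made for the example: "rate" is the number of events per second a source is allowed, a second in which a source exceeds that is a "peak", "peaks" is how many such seconds are tolerated before the signature fires, and "gap" is how many quiet seconds may separate two peaks before the peak count resets. The mainframe address 10.0.0.5, the port 23 and the source addresses are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class _SrcState:
    """Per-source counters (hypothetical model, not the IPS engine's own state)."""
    bucket: int = -1          # one-second bucket currently being counted
    count: int = 0            # events from this source in that second
    peaks: int = 0            # consecutive peaks accumulated so far
    last_peak: int = -10**9   # bucket index of the most recent peak


class FloodSignature:
    """Rate signature restricted to one destination IP/port (assumed semantics)."""

    def __init__(self, rate, peaks, gap, dst_ip, dst_port):
        self.rate, self.peaks, self.gap = rate, peaks, gap
        self.dst_ip, self.dst_port = dst_ip, dst_port
        self._state = defaultdict(_SrcState)

    def observe(self, ts, src_ip, dst_ip, dst_port):
        """Feed one connection attempt; return True if the signature fires on it."""
        # Lock-down: traffic to any other host or port is invisible to this signature.
        if dst_ip != self.dst_ip or dst_port != self.dst_port:
            return False
        st = self._state[src_ip]
        bucket = int(ts)
        if bucket != st.bucket:            # new second: restart the per-second count
            st.bucket, st.count = bucket, 0
        st.count += 1
        if st.count <= self.rate:          # still within the allowed rate
            return False
        if st.count == self.rate + 1:      # first event over the rate: this second is a peak
            if bucket - st.last_peak > self.gap + 1:
                st.peaks = 0               # too long since the last peak: start over
            st.peaks += 1
            st.last_peak = bucket
        # Every event over the rate in a peak second fires once peaks are exhausted.
        return st.peaks > self.peaks


def burst(start, src="192.0.2.10"):
    """Constructed sample: four attempts from one source inside one second."""
    return [(start + i / 10, src, "10.0.0.5", 23) for i in range(1, 5)]


def run_demo():
    """rate=3, peaks=0, gap=0: the 4th attempt in a second trips the signature."""
    sig = FloodSignature(rate=3, peaks=0, gap=0, dst_ip="10.0.0.5", dst_port=23)
    events = [
        (100.1, "192.0.2.10", "10.0.0.5", 23),
        (100.2, "192.0.2.10", "10.0.0.5", 23),
        (100.3, "192.0.2.10", "10.0.0.5", 23),
        (100.4, "192.0.2.10", "10.0.0.5", 23),  # 4th in the same second: fires
        (100.5, "192.0.2.10", "10.0.0.5", 23),  # still over the rate: fires
        (100.6, "192.0.2.10", "10.0.0.5", 80),  # other port: not counted
        (100.7, "192.0.2.77", "10.0.0.5", 23),  # other source, under its own rate
        (101.1, "192.0.2.10", "10.0.0.5", 23),  # new second: count restarted
    ]
    return [sig.observe(*e) for e in events]


if __name__ == "__main__":
    print(run_demo())
```

With peaks=0 and gap=0 the model fires on the fourth attempt of a second and on each further attempt in that second, then starts counting afresh in the next second, which is the "every 4th attempt" behaviour Gary describes. Raising peaks to 1 requires two over-rate seconds no more than gap+1 seconds apart before anything fires, which is the knob that separates a sustained dictionary attack from a single burst of retries.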