New signature for flood control

gm-douglas
Level 1

I am in need of help in writing my own signature to control dictionary attacks on a proprietary application on one of our mainframe applications.

I was looking at writing a rule using the flood net engine. Does anyone have more information on what the different variables for this engine are? If I set the rate for 3 and the peaks and gaps to 0, will this block the 4th attempt in a second?

I also need to try to lock this signature down. I could not allow it to block every 4th connection attempt from one IP address. How can you lock this signature down to a specific port and IP address? Does it need to be written into a meta engine signature?

Thanks

Gary

Accepted Solutions

mhellman
Level 7

Details matter, but that seems like a less-than-optimal choice for the engine. Load up the signature policy and do a select by "sig name". Enter "failure" in the sig name box and click find. You might try modeling a signature after one of these (6256-0 for example). Is there anything in the response that you can look for?

Thank you. You got me going in the right direction. I created the rule with the Atomic IP engine, and it is working fine.

Gary
