Alert after 20 attempts

Unanswered Question
Jun 30th, 2009

Is there some way to create a signature that would produce an alert (eventually changing this to a deny connection) after any IP address hits the server 20 times in 60 seconds? I have tried using automatic IP, which did not work, and the Flood service engine does not allow a specific IP address to be specified. We are only concerned with one specific server; other servers in our network may be hit more than this.

robertson.michael Tue, 06/30/2009 - 12:07

Harry,

This solution is probably not ideal, but if you can create the appropriate flood signature that you mentioned, you could set up an Event Action Filter to remove all actions from the signature when the IP address is anything but the one you want to alert on.

Maybe someone else has a better way?

Hope that helps.

-Mike
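The threshold from the question (20 hits from one source on one server inside 60 seconds) combined with Mike's idea of dropping everything that is not aimed at that one server, written out as an added Python example; this is not Cisco IPS configuration and not code from either poster. It assumes a plain connection log with one line per hit in the form `<ISO timestamp> <source IP> <destination IP>`; the addresses, log lines, threshold and window below are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical address of the single server we care about (assumed for the example).
TARGET_SERVER = "192.0.2.10"
THRESHOLD = 20       # hits from one source
WINDOW_SECONDS = 60  # sliding window in which those hits must occur


def make_sample_log():
    """Constructed sample log, one line per hit: '<ISO timestamp> <src> <dst>'.

    203.0.113.1 bursts 25 hits in 25 s at the target      -> should alert exactly once.
    203.0.113.2 sends 25 hits 5 s apart at the target     -> never 20 inside 60 s, no alert.
    203.0.113.3 sends 30 fast hits at a different server  -> ignored by the destination filter.
    """
    t0 = datetime(2009, 6, 30, 12, 0, 0)
    lines = []
    for i in range(25):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 203.0.113.1 {TARGET_SERVER}")
    for i in range(25):
        lines.append(f"{(t0 + timedelta(seconds=5 * i)).isoformat()} 203.0.113.2 {TARGET_SERVER}")
    for i in range(30):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 203.0.113.3 198.51.100.7")
    lines.sort()  # ISO timestamps sort lexically, so this orders the events in time
    return lines


def parse_line(line):
    """Split one log line into (timestamp, source, destination)."""
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts), src, dst


def detect_bursts(lines, target=TARGET_SERVER, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return a list of (source, timestamp) alerts.

    One alert is produced each time a source reaches `threshold` hits on `target`
    within any `window`-second span. Hits on other destinations are discarded,
    which is the role the Event Action Filter plays in Mike's suggestion.
    """
    recent = defaultdict(deque)  # src -> timestamps of hits on target still inside the window
    alerts = []
    for line in lines:
        ts, src, dst = parse_line(line)
        if dst != target:
            continue  # other servers may legitimately be hit harder; they never count
        q = recent[src]
        q.append(ts)
        # Slide the window: drop hits older than `window` seconds relative to this one.
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((src, ts))
            q.clear()  # start counting afresh so one burst produces one alert, not many
    return alerts


if __name__ == "__main__":
    for src, ts in detect_bursts(make_sample_log()):
        print(f"ALERT {ts.isoformat()} {src} reached {THRESHOLD} hits on {TARGET_SERVER} "
              f"within {WINDOW_SECONDS}s")
```

Running the module prints a single alert for 203.0.113.1 at 12:00:19, the moment of its 20th hit; the slow sender and the traffic to the other server produce nothing. If the requirement later changes from alert to deny, the place to act is the `alerts` list, which already carries the offending source and the time the threshold was crossed.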

michael.d.brown... Tue, 06/30/2009 - 23:01

Take a stroll through the IPS signatures on your device, especially the ones that are set to deny/block hosts, and just clone one and modify it to your liking.
