
Alert after 20 attempts

hclauss
Level 1

Is there some way to create a signature that would produce an alert (eventually changing this to a deny connection) after any IP address hits the server 20 times in 60 seconds? I have tried using automatic IP, which did not work, and the Flood service engine does not allow a specific IP address to be specified. We are only concerned with one specific server; other servers in our network may be hit more than this.

2 Replies

Harry,

This solution is probably not ideal, but if you can create the appropriate flood signature that you mentioned, you could set up an Event Action Filter to remove all actions from the signature when the IP address is anything but the one you want to alert on.

Maybe someone else has a better way?

Hope that helps.

-Mike

michael.d.brown
Level 1

Take a stroll through the IPS signatures on your device, especially the ones that are set to deny/block hosts, and just clone one and modify it to your liking.
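The rule asked about in this thread (any single source IP hitting one specific server 20 times within 60 seconds, with traffic to other servers ignored), written out as detection logic. This is an added example, not part of the original posts and not Cisco IPS configuration; the server address, the event tuple format and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

PROTECTED_SERVER = "192.0.2.10"   # assumption: the one server of interest (documentation address)
THRESHOLD = 20                    # hits from a single source ...
WINDOW_SECONDS = 60               # ... within this many seconds


def find_offenders(events, server=PROTECTED_SERVER,
                   threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {source_ip: timestamp of the hit that first reached the threshold}.

    events: iterable of (timestamp_seconds, src_ip, dst_ip), sorted by time.
    Hits to any other destination are ignored, so busier servers never alert.
    """
    recent = defaultdict(deque)   # src_ip -> timestamps still inside the window
    offenders = {}
    for ts, src, dst in events:
        if dst != server:
            continue
        hits = recent[src]
        hits.append(ts)
        # Drop hits that are a full window or more older than the current one.
        while ts - hits[0] >= window:
            hits.popleft()
        if len(hits) >= threshold and src not in offenders:
            offenders[src] = ts
    return offenders


def sample_events():
    """Constructed sample traffic (not real logs)."""
    events = []
    # 20 hits in 57 s from one source to the protected server: should alert.
    events += [(i * 3, "198.51.100.7", PROTECTED_SERVER) for i in range(20)]
    # 20 hits spread over 95 s: never 20 inside one 60 s window.
    events += [(i * 5, "198.51.100.8", PROTECTED_SERVER) for i in range(20)]
    # 40 hits in 40 s to a different server: out of scope.
    events += [(i, "198.51.100.9", "192.0.2.20") for i in range(40)]
    return sorted(events)


if __name__ == "__main__":
    for src, ts in find_offenders(sample_events()).items():
        print(f"ALERT {src} reached {THRESHOLD} hits on {PROTECTED_SERVER} at t={ts}s")
```

The per-source window is the part the poster says the Flood engine could not scope to one server; here the destination filter comes first, so only hits on the protected server are ever counted.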
