Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Alert after 20 attempts

Is there some way to create a signature that would produce an alert (eventually changing this to a deny connection) after any IP address hits the server 20 times in 60 seconds? I have tried using automatic IP which did not work and the Flood service engine does not allow a specific IP address to be specified. We are only concerned with one specific server, other servers in our network may be hit more then this.


Re: Alert after 20 attempts


This solution is probably not ideal, but if you can create the appropriate flood signature that you mentioned you could setup an Event Action Filter to remove all actions from the signature when the IP address is anything but the one you want to alert on.

Maybe someone else has a better way?

Hope that helps.


New Member

Re: Alert after 20 attempts

take stroll through the IPS signatures on your device especially the ones that set to deny/block hosts and just clone one and modify it to your liking.

CreatePlease to create content