I need some help on customizing sig 3171, FTP privileged login. I would like once this sig fires a certain number of times it will block the host. I have my device setup for blocking and I thought I had this sig cloned correctly to block the host after a certain number of events, but this sig is still firing from the same host well past the desired number. I don't really want to block this after the first event in case there is any legitimate traffic.
On this signature, you need to look at the following fields:
Event Count Key
By configuring the following event counter fields, you specify how many instances of the signature's traffic are required to cause an alert:
Event Count - Here you can specify, let's say, 5.
Event Count Key - Here you can specify Attacker Address.
Alert Interval - You may leave this blank or, let's say, specify 20 seconds.
Event Action - Specify Produce Alert+Request Block Host
The Event Count field identifies how many instances of the signature's traffic need to occur before an alert is generated. So with the above values defined, if a specific host hits the command 5 times within 20 seconds, an alert will be generated and the host will be blocked on the blocking device.
By specifying an Alert Interval, you indicate the time period (in seconds) over which the sensor must see the number of instances of the intrusive traffic equal to the Event Count in order to generate an alert. For instance, if the Alert Interval is set to 20 and the Event Count is 5, then the sensor must see five instances of the signature's traffic in 20 seconds before it generates an alert. At the end of the alert interval, the instance count is reset to 0.
You can also configure a signature without an Alert Interval parameter. In that situation, an alert is generated when the instances of the signature's traffic reach the Event Count, regardless of the time interval.
Please make sure that the signature is configured accordingly. If it is, then we need to start looking into other domains.
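To make the counter semantics in the answer above concrete, here is an added Python model (not Cisco code and not from the original thread) of how Event Count, Event Count Key and Alert Interval interact: hits are counted per key, the count resets when the interval expires, and the block action fires only when the count reaches Event Count inside one interval. The sample hits, the key names ("attacker", "victim") and the choice to restart the counter after it fires are assumptions of this model.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample of signature hits: (time in seconds, attacker address, victim address)
SAMPLE_HITS = [
    (0, "10.0.0.5", "192.0.2.21"), (3, "10.0.0.5", "192.0.2.21"),
    (6, "10.0.0.5", "192.0.2.21"), (9, "10.0.0.5", "192.0.2.21"),
    (12, "10.0.0.5", "192.0.2.21"),                        # 5th hit within 12 s
    (0, "10.0.0.7", "192.0.2.21"), (10, "10.0.0.7", "192.0.2.21"),
    (25, "10.0.0.7", "192.0.2.21"), (30, "10.0.0.7", "192.0.2.21"),
    (35, "10.0.0.7", "192.0.2.21"),                        # 5 hits spread over 35 s
]


class SignatureCounter:
    """Model of the event-counter fields described in the answer (assumed semantics)."""

    def __init__(self, event_count: int, alert_interval: Optional[int] = None,
                 key: str = "attacker") -> None:
        self.event_count = event_count        # hits needed before the action fires
        self.alert_interval = alert_interval  # seconds; None means no time window
        self.key = key                        # "attacker", "victim" or attacker+victim pair
        self._state: Dict[Tuple[str, ...], Tuple[int, int]] = {}  # key -> (count, window start)

    def _key_for(self, src: str, dst: str) -> Tuple[str, ...]:
        return {"attacker": (src,), "victim": (dst,)}.get(self.key, (src, dst))

    def observe(self, t: int, src: str, dst: str) -> List[str]:
        """Feed one hit; return the actions that fire for it (empty list if none)."""
        k = self._key_for(src, dst)
        count, start = self._state.get(k, (0, t))
        if self.alert_interval is not None and t - start >= self.alert_interval:
            count, start = 0, t  # interval over: instance count resets to 0, new window
        count += 1
        if count >= self.event_count:
            self._state[k] = (0, t)  # assumption: counter restarts once the action fires
            return ["produce-alert", "request-block-host"]
        self._state[k] = (count, start)
        return []


def hosts_blocked(event_count: int, alert_interval: Optional[int]) -> Dict[str, List[int]]:
    """Run the sample hits keyed by attacker address; map host -> times the block fired."""
    counter = SignatureCounter(event_count, alert_interval, key="attacker")
    fired: Dict[str, List[int]] = {}
    for t, src, dst in sorted(SAMPLE_HITS):
        if "request-block-host" in counter.observe(t, src, dst):
            fired.setdefault(src, []).append(t)
    return fired
```

With Event Count 5 and Alert Interval 20, only 10.0.0.5 is blocked (five hits in 12 s); 10.0.0.7 never reaches five hits inside one 20 s window. With no Alert Interval, both hosts are blocked once their fifth hit arrives.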