I didn't get much traction with my last attempts to understand event summarization, so I'll give a real example. I've modified the ftp authorization failure sig (6250-0) as follows:
Event Count: 10
Event Count Key: Attacker and victim addresses
Specific Alert Interval: No
Summary Mode: Summarize
Summary Interval: 600
Summary Key: Attacker and victim addresses
Specify Global Summary Threshold: No
I was hoping that during a sustained ftp brute-force attempt, this would limit the number of alerts to 2 per 10-minute period (the initial alarm and the summary alarm). Alas, it fires the summary alarm exactly 15 seconds after the initial alarm. Then it fires the initial alarm, and then 15 seconds later it fires another summary alarm....and so on. What are the correct settings if I want the 2 alarms every 10 minutes? Is there a _good_ technical description of these features anywhere?
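To make the intended behaviour concrete, here is an added simulator of count-then-summarize alerting as the poster expects the settings to work (signature fires after Event Count events with the same attacker/victim key, the first fire raises an alert, further fires within Summary Interval seconds are folded into one summary alert). This is illustration code written for this page, not Cisco's implementation, and its reading of the settings (counter resets on every fire, no reset timer because no Alert Interval is specified, no summary for an interval with no extra fires) is an assumption; the addresses and the login-failure streams are constructed test input.

```python
"""Model of count-then-summarize alerting (added illustration, not Cisco IPS code)."""
from dataclasses import dataclass, field


@dataclass
class Alert:
    kind: str        # "alert" (initial alarm) or "summary"
    key: tuple       # (attacker, victim): the Event Count key and Summary key
    time: int        # seconds into the simulation
    count: int = 0   # summaries only: signature fires folded into this one


@dataclass
class SummarizingSignature:
    event_count: int = 10        # Event Count: fire after this many events per key
    summary_interval: int = 600  # Summary Interval in seconds
    _counts: dict = field(default_factory=dict)   # key -> events since the last fire
    _windows: dict = field(default_factory=dict)  # key -> [window_end, fires_suppressed]

    def _expire(self, now, out):
        """Close every summary window that has ended by `now`, emitting its summary."""
        for key, (end, suppressed) in list(self._windows.items()):
            if now >= end:
                del self._windows[key]
                if suppressed:  # assumption: an interval with no extra fires sends no summary
                    out.append(Alert("summary", key, end, suppressed))

    def process(self, now, attacker, victim):
        """Feed one matching event; return the alerts emitted as a result."""
        key = (attacker, victim)
        out = []
        self._expire(now, out)
        n = self._counts.get(key, 0) + 1
        if n < self.event_count:
            # No Alert Interval configured: the counter is cumulative until it fires.
            self._counts[key] = n
            return out
        self._counts[key] = 0  # the signature fires; counter restarts
        if key in self._windows:
            self._windows[key][1] += 1  # inside an open window: fold into the summary
        else:
            out.append(Alert("alert", key, now))  # first fire: initial alarm
            self._windows[key] = [now + self.summary_interval, 0]
        return out

    def close_all(self, now):
        """End of input: flush any window that still holds suppressed fires."""
        out = []
        for key, (_end, suppressed) in self._windows.items():
            if suppressed:
                out.append(Alert("summary", key, now, suppressed))
        self._windows.clear()
        return out


def simulate(sig, events):
    """events: iterable of (time, attacker, victim) in time order; returns emitted alerts."""
    alerts, last = [], 0
    for t, a, v in events:
        alerts.extend(sig.process(t, a, v))
        last = t
    alerts.extend(sig.close_all(last))
    return alerts


# Constructed input: a sustained brute force, one failed FTP login per second for 30 minutes.
def brute_force(attacker="198.51.100.7", victim="192.0.2.21", seconds=1800):
    return [(t, attacker, victim) for t in range(seconds)]


# Constructed input: one failure every two minutes, which never fills a summary window.
def sparse_failures(attacker="198.51.100.7", victim="192.0.2.21", seconds=1800):
    return [(t, attacker, victim) for t in range(0, seconds, 120)]


if __name__ == "__main__":
    for a in simulate(SummarizingSignature(), brute_force()):
        print(f"t={a.time:5d}s {a.kind:8s} {a.key[0]} -> {a.key[1]} count={a.count}")
```

Run against the per-second brute force this produces one initial alarm and then alternating summary/initial pairs ten minutes apart, i.e. the two alarms per interval the post asks for; the slow stream produces a single initial alarm once the cumulative count reaches 10 and no summary, because nothing else fired inside its window.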
Log in to the FXOS chassis manager.
Point your browser at https://hostname/ and log in with your username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...