We are getting people attempting a dictionary attack on one of our FTP servers. We have an ASA with an SSM module protecting the edge. When they attempt this attack, they trigger signature 6250 'FTP Authorization Failure' alerts.
I would like to set up a shun onto the ASA for anyone that triggers this signature more than 3 times in 5 minutes. Do I need to create a meta type signature for this or can I modify the existing signature? If I need to create a new signature for this, how would I set up the 3 times in 5 minutes part? Would this be something that would be better answered by putting in a TAC ticket?
Edit the signature via ASDM; the Event Counter field is where you would want to make that change. I have mine set to 5 with blocking enabled.
Lets you configure how the sensor counts events. For example, you can specify that you want the sensor to send an alert only if the same signature fires 5 times for the same address set:
a.) Event Count: The number of times an event must occur before an alert is generated. The value is 1 to 65535. The default is 1.
b.) Event Count Key: The storage type used to count events for this signature. Choose attacker address, attacker address and victim port, attacker and victim addresses, attacker and victim addresses and ports, or victim address. The default is attacker address.
c.) Specify Alert Interval: Specifies the time in seconds before the event count is reset. Choose Yes or No from the drop-down list and then specify the amount of time.
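How the three Event Counter fields interact for the "3 times in 5 minutes" case, modelled in Python as an added example that is not part of the original thread and is not Cisco's code. The reset semantics (the first hit for a key opens the interval, and an alert clears the counter) and the sample events are assumptions made for illustration.

```python
from collections import namedtuple

# One signature 6250 hit; ts is seconds since the start of the capture.
Event = namedtuple("Event", "ts attacker aport victim vport")

# The Event Count Key choices listed above, as the fields each one groups on.
COUNT_KEYS = {
    "attacker address": lambda e: (e.attacker,),
    "attacker address and victim port": lambda e: (e.attacker, e.vport),
    "attacker and victim addresses": lambda e: (e.attacker, e.victim),
    "attacker and victim addresses and ports":
        lambda e: (e.attacker, e.aport, e.victim, e.vport),
    "victim address": lambda e: (e.victim,),
}

def alerts(events, event_count=3, count_key="attacker address", alert_interval=300):
    """Return [(ts, key)] for every alert the modelled counter raises.

    Assumed model: the first hit for a key opens a window of alert_interval
    seconds; reaching event_count inside the window raises an alert and clears
    the counter; a hit after the window has expired starts a fresh count.
    """
    group = COUNT_KEYS[count_key]
    state, fired = {}, []                    # state: key -> (window_start, count)
    for e in sorted(events, key=lambda ev: ev.ts):
        k = group(e)
        start, count = state.get(k, (e.ts, 0))
        if e.ts - start >= alert_interval:   # interval elapsed: count is reset
            start, count = e.ts, 0
        count += 1
        if count >= event_count:
            fired.append((e.ts, k))
            state.pop(k, None)
        else:
            state[k] = (start, count)
    return fired

# Constructed sample: one source failing three logins within a minute, and one
# user who mistypes a password twice, several minutes apart.
SAMPLE = [
    Event(0,   "203.0.113.10", 40001, "192.0.2.21", 21),
    Event(20,  "203.0.113.10", 40002, "192.0.2.21", 21),
    Event(45,  "198.51.100.7", 51000, "192.0.2.21", 21),
    Event(60,  "203.0.113.10", 40003, "192.0.2.21", 21),
    Event(500, "198.51.100.7", 51001, "192.0.2.21", 21),
]

if __name__ == "__main__":
    for name in COUNT_KEYS:
        print(f"{name:40} -> {alerts(SAMPLE, count_key=name)}")
```

With the default attacker-address key only 203.0.113.10 reaches the count. The victim-address key pools failures from every source against the server, and the key that includes ports never reaches 3 here because each attempt uses a new source port.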