Sorry. I didn't tell it all. I would like to know if someone is trying to SSH, FTP or whatever the situation may be. If we determine that the login threshold is 5, we can set it and be alerted if someone is attempting to log in.
You can craft a custom sweep signature with a dest port of . Basically you want to look for a single host attempting more than one connection attempt to more than one target IP in a very short duration (say 3-5 seconds) then choose the action (alert, drop, shun, etc). Hope that helps sir!
IMHO, you can't do this very effectively with a layer 4 signature for many protocols. Either because I can attempt to log in many times during a single TCP session, or because multiple TCP sessions are not necessarily good indicators of login attempts. It is very unlikely any signature like this would include "logins" because it's triggering on layer 4 information.
It will not include logins, no, as it is using the 'sweep' engine. Basically you are looking for more than one target connection attempt within a given window. You can easily do this today for SSH. When you craft your signature, configure a threshold of say 5 unique targets in 10-30 seconds from a single source. Your storage key and summary key should be Axxx, define your target port as 22, your tcp-flag will obviously be SYN. Hope this helps!
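The counting logic discussed in this thread, as an added example that is not part of any post and is not Cisco IPS configuration: it flags a source that sends SYNs to 5 unique targets on port 22 within 30 seconds, and shows that repeated connections to a single target never trip it. The function name, event tuple layout and sample addresses are assumptions made for illustration.

```python
from collections import defaultdict, deque

def sweep_alerts(events, port=22, threshold=5, window=30):
    """Return (ts, src, targets) each time a source reaches `threshold`
    unique destinations on `port` within `window` seconds.
    events: (ts_seconds, src_ip, dst_ip, dst_port, tcp_flags) tuples."""
    recent = defaultdict(deque)  # src -> (ts, dst) pairs; keyed on source only
    active = set()               # sources already alerted in the current burst
    alerts = []
    for ts, src, dst, dport, flags in sorted(events):
        if dport != port or flags != "S":   # bare SYN to the watched port only
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:        # expire entries outside the window
            q.popleft()
        targets = sorted({d for _, d in q})
        if len(targets) < threshold:
            active.discard(src)
        elif src not in active:             # one summary alert per burst
            active.add(src)
            alerts.append((ts, src, targets))
    return alerts

# Constructed sample traffic (documentation address ranges).
SAMPLE = (
    # Sweep: five different SSH targets in 8 seconds.
    [(2 * i, "198.51.100.7", f"10.0.0.{i + 1}", 22, "S") for i in range(5)]
    # Six connections to a single target: one unique target, never a sweep.
    + [(t, "203.0.113.9", "10.0.0.1", 22, "S") for t in range(1, 7)]
    # Five targets, but 20 seconds apart: outside a 30-second window.
    + [(20 * i, "192.0.2.44", f"10.0.0.{i + 1}", 22, "S") for i in range(5)]
)

if __name__ == "__main__":
    for ts, src, targets in sweep_alerts(SAMPLE):
        print(f"t={ts}s sweep from {src}: {len(targets)} targets {targets}")
```

Only the first source alerts with the default window; the single-target source stays silent however many connections it opens, so catching repeated attempts against one host needs a per-target count or the authentication logs on that host.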