Is there a way that I can make a custom signature to detect if any given host has reached a predefined limit of sessions to a specific host? I know this can be done with the ASA, but can it be done with IPS functionality?
Yes, you can do this. I assume you're talking about TCP sessions, right? Take a look at 3041-1, TCP SYN/FIN Packet. Copy it. Change the TCP flags to SYN. Change the TCP mask to SYN|FIN|ACK|RST|PSH|URG. Change the destination port range to the desired values. Change the event count and interval to the number of sessions that must be reached over the time interval before the alarm will fire.
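To make the matching logic in the answer concrete, here is an added example (not part of the original post and not Cisco IPS code) that models the signature in plain Python: a packet counts only if its TCP flags, under the mask SYN|FIN|ACK|RST|PSH|URG, equal exactly SYN and its destination port falls in the configured range; the signature fires once the event count is reached inside the interval. The packets are constructed test data, and keying the counter on the (source, destination) pair and resetting it after an alarm are assumptions of this example, not documented IPS behaviour.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# The copied 3041-1 signature as described in the answer:
# inspect all six flag bits and require that only SYN is set.
FLAG_MASK = SYN | FIN | ACK | RST | PSH | URG
FLAG_MATCH = SYN


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds
    src: str
    dst: str
    dport: int
    flags: int


def matches_signature(pkt, dport_range):
    """True for a pure SYN (new session attempt) to a port in dport_range."""
    lo, hi = dport_range
    return (pkt.flags & FLAG_MASK) == FLAG_MATCH and lo <= pkt.dport <= hi


class SessionRateSignature:
    """Fires when one source opens event_count sessions to one destination
    within interval seconds. Keying on (src, dst) is an assumption here."""

    def __init__(self, dport_range, event_count, interval):
        self.dport_range = dport_range
        self.event_count = event_count
        self.interval = interval
        self.windows = defaultdict(deque)  # (src, dst) -> timestamps of SYNs

    def observe(self, pkt):
        if not matches_signature(pkt, self.dport_range):
            return None
        q = self.windows[(pkt.src, pkt.dst)]
        q.append(pkt.ts)
        # Drop SYNs older than the interval (sliding window).
        while q and pkt.ts - q[0] > self.interval:
            q.popleft()
        if len(q) >= self.event_count:
            count = len(q)
            q.clear()  # assumption: one alarm per burst, then start over
            return {"ts": pkt.ts, "src": pkt.src, "dst": pkt.dst, "count": count}
        return None


def run_demo():
    """Constructed traffic: 3 SYNs to port 80 within 10 s should raise one alarm."""
    sig = SessionRateSignature(dport_range=(80, 80), event_count=3, interval=10.0)
    packets = [
        Packet(0.0, "10.0.0.5", "192.0.2.10", 80, SYN),
        Packet(0.1, "192.0.2.10", "10.0.0.5", 34567, SYN | ACK),  # server reply, ignored
        Packet(1.0, "10.0.0.5", "192.0.2.10", 80, SYN),
        Packet(1.5, "10.0.0.5", "192.0.2.10", 80, SYN | FIN),     # not a clean SYN
        Packet(2.0, "10.0.0.5", "192.0.2.10", 80, ACK),           # mid-session, ignored
        Packet(2.5, "10.0.0.5", "192.0.2.10", 80, SYN),           # third SYN -> alarm
        Packet(30.0, "10.0.0.5", "192.0.2.10", 80, SYN),          # new window, no alarm
        Packet(31.0, "10.0.0.7", "192.0.2.10", 443, SYN),         # port out of range
    ]
    alerts = []
    for pkt in packets:
        alert = sig.observe(pkt)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Note that the mask is what makes the count a session count rather than a packet count: the SYN/ACK reply, a SYN|FIN probe and ordinary in-session ACKs all carry the SYN or other flag bits in a combination that does not equal SYN under the mask, so only the first packet of each handshake is counted.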