Cisco Firepower Management Center 4000

28-16
FireSIGHT System User Guide
Chapter 28      Detecting Specific Threats
Preventing Rate-Based Attacks
Note that although it is not shown in this example, if a new action triggers because of rate-based criteria after a threshold has been reached, the system generates a single event to indicate the change in action. So, for example, if the limit threshold of 10 has been reached and the system stops generating events and the action changes to Drop and Generate Events on the 14th packet, the system generates an eleventh event to indicate the change in action.
Rate-Based Detection with Multiple Filtering Methods
License: Protection
You may encounter situations where the detection_filter keyword, thresholding or suppression, and rate-based criteria all apply to the same traffic. When you enable suppression for a rule, events are suppressed for the specified IP addresses even if a rate-based change occurs.
The following example shows an attacker attempting a brute force login, and describes a case where a detection_filter keyword, rate-based filtering, and thresholding interact. Repeated attempts to find a password trigger a rule that includes the detection_filter keyword, with a count set to 5. This rule also has rate-based attack prevention settings that change the rule attribute to Drop and Generate Events for 30 seconds when there are five rule hits in 15 seconds. In addition, a limit threshold limits the rule to 10 events in 30 seconds.
As shown in the diagram, the first five packets matching the rule do not cause event notification because the rule does not trigger until the rate indicated in the detection_filter keyword is exceeded. After the rule triggers, event notification begins, but the rate-based criteria do not trigger the new action of Drop and Generate Events until five more packets pass. After the rate-based criteria are met, the system generates events for packets 11-15 and drops the packets. After the fifteenth packet, the limit threshold has been reached, so for the remaining packets the system does not generate events but does drop the packets.
After the rate-based timeout, note that packets are still dropped in the rate-based sampling period that follows. Because the sampled rate is above the threshold rate in the previous sampling period, the new action continues.
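The timeline above (packets 1-5 silent, 6-10 alerted and passed, 11-15 alerted and dropped, later packets dropped silently, and the drop continuing past the timeout while the sampled rate stays high), together with the earlier note that an action change after the limit threshold is reached produces a single extra event, can be traced with a small simulation. The following Python model is an added example written for this page; it is not Cisco or Snort code and does not reproduce the engine's exact bookkeeping. It assumes one rule and one source address, sliding windows with an exclusive lower edge, a detection_filter window of 60 seconds (the page gives only the count of 5), re-sampling of the rule-hit rate on each packet once the timeout has run out, and constructed traffic of one matching packet per second.

```python
"""Simplified model of one intrusion rule on which detection_filter, a
rate-based action change and a limit threshold all apply (one rule, one
source address). Constructed illustration, not Cisco or Snort code."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RuleConfig:
    # Values from the page's example; filter_seconds is an assumption.
    filter_count: int = 5      # detection_filter: rule fires once hits exceed this
    filter_seconds: int = 60   # detection_filter window (not stated on the page)
    rate_count: int = 5        # rate-based: this many rule hits ...
    rate_seconds: int = 15     # ... within this sampling period ...
    rate_timeout: int = 30     # ... switch to Drop and Generate Events for this long
    limit_count: int = 10      # limit threshold: at most this many events ...
    limit_seconds: int = 30    # ... per this many seconds


@dataclass
class Verdict:
    packet: int
    t: float
    triggered: bool   # did the rule fire (detection_filter count exceeded)?
    event: bool       # was an event generated?
    dropped: bool     # was the packet dropped?
    note: str = ""


def _in_window(stamps: List[float], now: float, seconds: int) -> List[float]:
    """Timestamps falling inside the last `seconds` (lower edge exclusive)."""
    return [ts for ts in stamps if ts > now - seconds]


class RuleSimulator:
    def __init__(self, cfg: Optional[RuleConfig] = None):
        self.cfg = cfg or RuleConfig()
        self.filter_hits: List[float] = []   # packets matching the rule body
        self.rule_hits: List[float] = []     # packets on which the rule fired
        self.events: List[float] = []        # generated events (limit threshold)
        self.drop_until: Optional[float] = None
        self.dropping = False
        self.count = 0

    def packet(self, t: float) -> Verdict:
        cfg = self.cfg
        self.count += 1
        # 1. detection_filter: the rule does not fire until more than
        #    filter_count matches have been seen within filter_seconds.
        self.filter_hits = _in_window(self.filter_hits, t, cfg.filter_seconds) + [t]
        if len(self.filter_hits) <= cfg.filter_count:
            return Verdict(self.count, t, False, False, False,
                           "below detection_filter count")

        # 2. Rate-based action. While the timeout runs, keep dropping. Otherwise
        #    (including the packet on which the timeout expires) re-sample the
        #    rule-hit rate over the previous rate_seconds: if it is still at or
        #    above rate_count, Drop and Generate Events (re)starts for rate_timeout.
        self.rule_hits = _in_window(self.rule_hits, t, cfg.rate_seconds)
        if self.drop_until is not None and t < self.drop_until:
            dropped = True
        elif len(self.rule_hits) >= cfg.rate_count:
            dropped = True
            self.drop_until = t + cfg.rate_timeout
        else:
            dropped = False
        action_changed = dropped and not self.dropping   # first drop, not a renewal
        self.dropping = dropped
        self.rule_hits.append(t)

        # 3. Limit threshold: at most limit_count events per limit_seconds. Once
        #    reached, hits stay silent, except that a change of action is
        #    announced with a single extra event.
        self.events = _in_window(self.events, t, cfg.limit_seconds)
        if len(self.events) < cfg.limit_count:
            event, note = True, "event generated"
        elif action_changed:
            event, note = True, "single event announcing the action change"
        else:
            event, note = False, "limit threshold reached, no event"
        if event:
            self.events.append(t)
        return Verdict(self.count, t, True, event, dropped,
                       note + ("; dropped" if dropped else "; passed"))


def simulate(cfg: Optional[RuleConfig], times: List[float]) -> List[Verdict]:
    sim = RuleSimulator(cfg)
    return [sim.packet(t) for t in times]


if __name__ == "__main__":
    # Constructed traffic: one matching packet per second from a single source.
    for v in simulate(RuleConfig(), [float(i) for i in range(20)]):
        print(f"packet {v.packet:2d} t={v.t:4.0f}s event={v.event!s:5} "
              f"dropped={v.dropped!s:5} {v.note}")
```

Running it with the page's settings reproduces the diagram's phases; with filter_count=0 and rate_count=13 it reproduces the earlier note, where the limit threshold is reached at packet 10 and the action change on packet 14 produces an eleventh event. Extending the constructed traffic past 40 seconds shows the drop continuing after the first timeout, because the rate sampled over the previous 15 seconds is still above the configured rate.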