28-13
FireSIGHT System User Guide
Chapter 28 Detecting Specific Threats
Preventing Rate-Based Attacks
As shown in the diagram, the first five packets matching the rule do not generate events because the rule does not trigger until the rate exceeds the rate indicated by the detection_filter keyword. After the rule triggers, event notification begins, but the rate-based criteria do not trigger the new action of Drop and Generate Events until five more packets pass.
After the rate-based criteria are met, events are generated and the packets are dropped until the rate-based timeout period expires and the rate falls below the threshold. After twenty seconds elapse, the rate-based action times out. After the timeout, note that packets are still dropped in the rate-based sampling period that follows. Because the sampled rate is above the threshold rate in the previous sampling period when the timeout happens, the rate-based action continues.
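The following simulation is an added illustration, not Cisco's or Snort's code, of the timeline described above: a Snort-style detection_filter that suppresses the first five matches, a rate-based setting that switches the action to Drop once hits in one sampling period exceed the rate, a 20-second timeout, and the re-check of the previous sampling period when the timeout expires. The exact semantics are simplified assumptions: the detection_filter is a per-source sliding window, sampling periods are fixed-length windows counted from the first rule hit, and the timeout check is evaluated when the next packet arrives. The source address and packet timestamps are constructed sample input.

```python
"""Toy simulation of a detection_filter keyword combined with a rate-based
Drop and Generate Events action (added example with simplified semantics)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class DetectionFilter:
    """detection_filter: the rule fires only once more than `count` matching
    packets from one source were seen within the last `seconds` seconds."""
    count: int
    seconds: float


@dataclass
class RateBasedAction:
    """Rate-based setting: when rule hits in one sampling period of `seconds`
    exceed `count`, the action becomes Drop for `timeout` seconds. When the
    timeout expires, the previous completed sampling period is re-checked; if
    it was also over the rate, the drop is extended by another timeout."""
    count: int
    seconds: float
    timeout: float


class RuleSimulator:
    def __init__(self, df: DetectionFilter, rb: RateBasedAction):
        self.df = df
        self.rb = rb
        self.window = defaultdict(deque)     # per-source timestamps of matching packets
        self.first_hit = None                # start of sampling period 0 (assumption)
        self.period_hits = defaultdict(int)  # sampling period index -> rule hits
        self.drop_until = None               # time at which the current drop expires

    def _period(self, ts):
        return int((ts - self.first_hit) // self.rb.seconds)

    def _rule_fires(self, ts, src):
        q = self.window[src]
        q.append(ts)
        while q[0] <= ts - self.df.seconds:  # forget packets outside the window
            q.popleft()
        return len(q) > self.df.count

    def _expire_timeouts(self, ts):
        # Resolve every timeout that has already passed by looking at the
        # sampling period just before the one in which the timeout fell.
        while self.drop_until is not None and ts >= self.drop_until:
            prev = self._period(self.drop_until) - 1
            if self.period_hits[prev] > self.rb.count:
                self.drop_until += self.rb.timeout   # rate still high: keep dropping
            else:
                self.drop_until = None               # rate fell: back to alerting

    def packet(self, ts, src):
        """Verdict for one packet that matches the rule body: 'pass', 'alert' or 'drop'."""
        if not self._rule_fires(ts, src):
            return "pass"                  # below the detection_filter rate: no event
        if self.first_hit is None:
            self.first_hit = ts
        self.period_hits[self._period(ts)] += 1
        self._expire_timeouts(ts)
        if self.drop_until is None and self.period_hits[self._period(ts)] > self.rb.count:
            self.drop_until = ts + self.rb.timeout   # rate exceeded: start dropping
        return "drop" if self.drop_until is not None else "alert"


def run_scenario():
    """Constructed input: one source sends 1 packet/s for 41 s, then two stragglers."""
    sim = RuleSimulator(DetectionFilter(count=5, seconds=60),
                        RateBasedAction(count=5, seconds=10, timeout=20))
    src = "192.0.2.10"                          # constructed sample address
    times = list(range(0, 41)) + [60, 80]
    return [(t, sim.packet(t, src)) for t in times]


if __name__ == "__main__":
    for t, verdict in run_scenario():
        print(f"t={t:3d}s  {verdict}")
```

Running the scenario shows the five silent packets, five alert-only packets, the switch to drop on the eleventh, and the drop persisting past the 20-second timeout at t=30 because the previous sampling period was still over the rate; the straggler at t=80 is only alerted on, since the sampling period before that timeout was quiet.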
Note that although the example does not depict this, you can use the Drop and Generate Events rule state in combination with the detection_filter keyword to start dropping traffic when hits for the rule reach the specified rate. When deciding whether to configure rate-based settings for a rule, consider whether setting the rule to Drop and Generate Events and including the detection_filter keyword would achieve the same result, or whether you want to manage the rate and timeout settings in the intrusion policy. For more information, see Dynamic Rule States and Thresholding or Suppression.

License: Protection