Rate-Based Detection with Multiple Filtering Methods Example
The following example shows an attacker attempting a brute force login, and describes a case where a detection_filter keyword, rate-based filtering, and thresholding interact. Repeated attempts to guess a password trigger a rule that includes the detection_filter keyword with a count of 5. The same rule has rate-based attack prevention settings that change the rule action to Drop and Generate Events for 30 seconds when there are five rule hits in 15 seconds. In addition, a limit threshold restricts the rule to 10 events in 30 seconds.
As shown in the diagram, the first five packets matching the rule do not cause event notification, because the rule does not trigger until the rate set in the detection_filter keyword is exceeded. After the rule triggers, event notification begins, but the rate-based criteria do not switch the action to Drop and Generate Events until five more rule hits occur (packets 6 through 10). Once the rate-based criteria are met, the system generates events for packets 11 through 15 and drops those packets. After the fifteenth packet the limit threshold of 10 events has been reached, so for the remaining packets the system generates no events but continues to drop them: the limit threshold only suppresses notification; it does not change the rule action.
Note that packets are still dropped after the rate-based timeout expires, in the sampling period that follows. The rate continues to be sampled while the new action is in force, and because the sampled rate in the previous sampling period was still above the threshold rate, the new action continues.
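The packet-by-packet outcome above is easier to check than to reason about from the prose, so here is a small simulation of the three controls feeding one another. This is an added example, not Firepower or Snort code: each control is modelled as a fixed sampling period that starts at the first hit and resets after its configured number of seconds (an assumption; the real bookkeeping differs in detail), the detection_filter window of 60 seconds is an assumption because the text gives only its count, and the input is a constructed stream of one rule-matching packet per second.

```python
"""Simplified model of how three Snort-style event controls interact on one
rule: detection_filter (rule level), rate-based new action (rate_filter) and a
limit threshold (event_filter). Added example, not Firepower/Snort source.

Assumption: every window is a fixed sampling period that starts at the first
hit and resets once `seconds` have elapsed. The packet-by-packet result for
the scenario in the text is the same, but real Snort bookkeeping differs.
"""
from dataclasses import dataclass


class SamplingWindow:
    """Count hits within fixed periods of `seconds`, starting at the first hit."""

    def __init__(self, seconds: float):
        self.seconds = seconds
        self.start = None
        self.hits = 0

    def add(self, t: float) -> int:
        """Record a hit at time t and return the count in the current period."""
        if self.start is None or t - self.start >= self.seconds:
            self.start, self.hits = t, 0
        self.hits += 1
        return self.hits


class DetectionFilter:
    """detection_filter: the rule fires only once more than `count` matches
    have been seen in `seconds`; the first `count` matches stay silent."""

    def __init__(self, count: int, seconds: float):
        self.count, self.window = count, SamplingWindow(seconds)

    def fires(self, t: float) -> bool:
        return self.window.add(t) > self.count


class RateFilter:
    """Rate-based attack prevention: after more than `count` rule hits in
    `seconds`, switch the rule to Drop and Generate Events for `timeout`
    seconds. Hits during the drop period keep the rate sampled, so a rate that
    stays above the threshold keeps the new action in force past the timeout."""

    def __init__(self, count: int, seconds: float, timeout: float):
        self.count, self.timeout = count, timeout
        self.window = SamplingWindow(seconds)
        self.drop_until = float("-inf")

    def drop(self, t: float) -> bool:
        if self.window.add(t) > self.count:
            self.drop_until = t + self.timeout
        return t < self.drop_until


class LimitThreshold:
    """Limit threshold: log at most `count` events per `seconds`."""

    def __init__(self, count: int, seconds: float):
        self.count, self.window = count, SamplingWindow(seconds)

    def log(self, t: float) -> bool:
        return self.window.add(t) <= self.count


@dataclass
class Verdict:
    packet: int
    event: bool  # an event was generated for this packet
    drop: bool   # the packet was dropped


def run_scenario(times, det=(5, 60), rate=(5, 15, 30), limit=(10, 30)):
    """Feed rule-matching packets (one per timestamp, seconds) through all
    three controls and return one Verdict per packet. Defaults are the
    settings from the text; the 60 s detection_filter window is assumed."""
    d, r, lim = DetectionFilter(*det), RateFilter(*rate), LimitThreshold(*limit)
    verdicts = []
    for n, t in enumerate(times, start=1):
        if not d.fires(t):  # silent until the detection_filter count is exceeded
            verdicts.append(Verdict(n, event=False, drop=False))
            continue
        dropped = r.drop(t)   # rule action decided independently of logging
        logged = lim.log(t)   # limit threshold only suppresses notification
        verdicts.append(Verdict(n, event=logged, drop=dropped))
    return verdicts


if __name__ == "__main__":
    # Constructed input: one brute-force login attempt per second for 20 s.
    for v in run_scenario(range(20)):
        print(f"packet {v.packet:2d}: event={v.event!s:5} drop={v.drop}")
```

Running it reproduces the sequence from the text (packets 1 to 5 silent, 6 to 10 event only, 11 to 15 event and drop, 16 to 20 drop only). Feeding a stream that stops after the drop engages and resumes after the 30 second timeout shows the action reverting, while a stream that never stops keeps being dropped into the next sampling period, which is the caveat in the last paragraph.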