https://live.paloaltonetworks.com/t5/general-topics/how-to-shun-block-an-ip-address-for-a-period-of-time/m-p/44945#M32991 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>You can change behaviour of signatures in vulnerability as shown in the picture (block for a periodic time).But for attempt count I don't think there is a way to do.Maybe you can write a custom signature.</P><P></P><P>Also check</P><P></P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-1367" title="https://live.paloaltonetworks.com/docs/DOC-1367">https://live.paloaltonetworks.com/docs/DOC-1367</A></P><P></P><P></P><P><IMG __jive_id="9068" alt="sc.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/9068_sc.png" /></P></BODY></HTML> Sat, 12 Oct 2013 19:43:46 GMT Retired Member 2013-10-12T19:43:46Z https://live.paloaltonetworks.com/t5/general-topics/how-to-shun-block-an-ip-address-for-a-period-of-time/m-p/44944#M32990 <HTML><HEAD></HEAD><BODY><P>I've worked with several traditional IPS in the past and there is always a way to create rules that shun or block a source IP address for some period before automatically resetting.&nbsp; It is especially useful for stopping automated bots that are just probing for flaws across the Internet.</P><P></P><P>Specifically, I'd like to create a rule that will monitor for failed login attempts to a web server located in a DMZ.&nbsp; After 5 failed attempts in 2 minutes, I want to block the source IP address for 10 minutes.</P><P></P><P>Can this be done?</P><P></P><P>Thanks in advance for any help!</P></BODY></HTML> Sat, 12 Oct 2013 14:23:05 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-shun-block-an-ip-address-for-a-period-of-time/m-p/44944#M32990 njoyzrd 2013-10-12T14:23:05Z https://live.paloaltonetworks.com/t5/general-topics/how-to-shun-block-an-ip-address-for-a-period-of-time/m-p/44945#M32991 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>You can change behaviour of signatures in vulnerability as shown in the picture (block for a periodic time).But for attempt count I don't think there is a way to do.Maybe you can write a custom signature.</P><P></P><P>Also check</P><P></P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-1367" title="https://live.paloaltonetworks.com/docs/DOC-1367">https://live.paloaltonetworks.com/docs/DOC-1367</A></P><P></P><P></P><P><IMG __jive_id="9068" alt="sc.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/9068_sc.png" /></P></BODY></HTML> Sat, 12 Oct 2013 19:43:46 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-shun-block-an-ip-address-for-a-period-of-time/m-p/44945#M32991 Retired Member 2013-10-12T19:43:46Z https://live.paloaltonetworks.com/t5/general-topics/how-to-shun-block-an-ip-address-for-a-period-of-time/m-p/44946#M32992 <HTML><HEAD></HEAD><BODY><P>Hi njoyrzd,</P><P></P><P>I would start with creating a schedule object under the objects tab. After this the schedule object can be used in a rule (under Options).</P><P>if it is not shown then it has to be enabled.</P><P><IMG alt="option.PNG.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/9072_option.PNG.png" /></P><P>right after this you can use the schedule object in the options field of the rule.</P><P><IMG alt="opt.PNG.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/9074_opt.PNG.png" /></P><P>Hope this helps</P><P>Regards Klaus</P></BODY></HTML> Mon, 14 Oct 2013 06:55:49 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-shun-block-an-ip-address-for-a-period-of-time/m-p/44946#M32992 kdd 2013-10-14T06:55:49Z https://live.paloaltonetworks.com/t5/general-topics/how-to-shun-block-an-ip-address-for-a-period-of-time/m-p/44947#M32993 <HTML><HEAD></HEAD><BODY><P>Some of the "brute force" signatures have a picture of a pencil next to them, which allows you to Edit Time Attributes. </P><P></P><P><IMG __jive_id="9081" alt="" class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/9081_pastedImage_0.png" style="max-width: 1200px; max-height: 900px;" /></P><P></P><P>If you would like to shun based on an IPS signature that doesn't have a built-in time attribute, you can create a simple custom "combination" vulnerability signature.&nbsp; Create a new custom vulnerability signature, enter some basic information on the "Configuration" tab (name, etc.), then on the signature type, choose "Combination".&nbsp; Now, select the signature you wish to add some time attributes to.&nbsp; (This example uses Threat ID 10005).</P><P></P><P><IMG __jive_id="9083" alt="" class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/9083_pastedImage_2.png" style="max-width: 1200px; max-height: 900px;" /></P><P></P><P>Next, go to the "Time Attribute" tab and add the # of hits within the # of seconds, and then how you wish to aggregate the data.</P><P></P><P><IMG alt="" class="jiveImage" height="402" src="https://live.paloaltonetworks.com/legacyfs/online/9085_pastedImage_0.png" style="width: 801.779px; height: 402px;" width="802" /></P><P><IMG alt="" class="jiveImage" style="max-width: 1200px; max-height: 900px;" /></P><P></P><P>Now, with your new signature, you can change the action to "block-ip" (aka shun). </P></BODY></HTML> Mon, 14 Oct 2013 15:49:57 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-shun-block-an-ip-address-for-a-period-of-time/m-p/44947#M32993 jvalentine 2013-10-14T15:49:57Z https://live.paloaltonetworks.com/t5/general-topics/how-to-shun-block-an-ip-address-for-a-period-of-time/m-p/449285#M100917 <P>I apologize for the ignorant question, but I can't seem to find reference to what Threat ID <EM>10005&nbsp;</EM>denotes. Is this failed logins?&nbsp;</P> Thu, 13 Jan 2022 17:41:42 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-shun-block-an-ip-address-for-a-period-of-time/m-p/449285#M100917 ISortOfKnowIT 2022-01-13T17:41:42Z