11-19-2012 11:54 PM
Hello,
Is there a way to block a specific IP address if you detect multiple threats coming from this IP? For example block an IP address after the detection of 5 threats coming from this IP within 1 minute.
I know you can block an IP but only as an action after the detection of a specific threat.
Kind regards
11-20-2012 07:34 AM
Yes, you can block a source IP or combo source/dest pair for a time period using custom signatures. Here's an example to block the source IP for threat 10353. Make sure to select 'Combination' for signature type.
Thanks.
11-20-2012 07:34 AM
Yes, you can block a source IP or combo source/dest pair for a time period using custom signatures. Here's an example to block the source IP for threat 10353. Make sure to select 'Combination' for signature type.
Thanks.
11-28-2012 05:55 AM
Hello,
Thanks for the reply. What about if I don't know the ThreatIDs? Lets suppose that the attacker runs a vulnerability scanner. Is it possible for the 'Condition' option to configure something like 'any threatID'?
Kind regards
11-30-2012 11:11 AM
The custom signature method requires a selection of threatIDs. For scanner detection, we can use DoS Protection to detect port scan, sweep, etc and block the source IP. Thanks.
11-21-2013 08:00 AM
I agree with the original poster and the feature he is requesting. I'd like to be able to block the IP outright if it hits a certain threshold of threats without pre-determining which threats the attacker will hit (no way to know).
is this feature coming? when?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
