I've worked with several traditional IPS in the past and there is always a way to create rules that shun or block a source IP address for some period before automatically resetting. It is especially useful for stopping automated bots that are just probing for flaws across the Internet.
Specifically, I'd like to create a rule that will monitor for failed login attempts to a web server located in a DMZ. After 5 failed attempts in 2 minutes, I want to block the source IP address for 10 minutes.
Can this be done?
Thanks in advance for any help!
You can change behaviour of signatures in vulnerability as shown in the picture (block for a periodic time).But for attempt count I don't think there is a way to do.Maybe you can write a custom signature.
I would start with creating a schedule object under the objects tab. After this the schedule object can be used in a rule (under Options).
if it is not shown then it has to be enabled.
right after this you can use the schedule object in the options field of the rule.
Hope this helps
Some of the "brute force" signatures have a picture of a pencil next to them, which allows you to Edit Time Attributes.
If you would like to shun based on an IPS signature that doesn't have a built-in time attribute, you can create a simple custom "combination" vulnerability signature. Create a new custom vulnerability signature, enter some basic information on the "Configuration" tab (name, etc.), then on the signature type, choose "Combination". Now, select the signature you wish to add some time attributes to. (This example uses Threat ID 10005).
Next, go to the "Time Attribute" tab and add the # of hits within the # of seconds, and then how you wish to aggregate the data.
Now, with your new signature, you can change the action to "block-ip" (aka shun).
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!