How to shun/block an IP address for a period of time


L1 Bithead

I've worked with several traditional IPS in the past and there is always a way to create rules that shun or block a source IP address for some period before automatically resetting.  It is especially useful for stopping automated bots that are just probing for flaws across the Internet.

Specifically, I'd like to create a rule that will monitor for failed login attempts to a web server located in a DMZ.  After 5 failed attempts in 2 minutes, I want to block the source IP address for 10 minutes.

Can this be done?

Thanks in advance for any help!

4 REPLIES

L6 Presenter

Hi,

You can change the behaviour of signatures in the vulnerability profile as shown in the picture (block for a period of time). But for an attempt count I don't think there is a way to do it. Maybe you can write a custom signature.

Also check

https://live.paloaltonetworks.com/docs/DOC-1367

[attached image: sc.png]

L4 Transporter

Hi njoyrzd,

I would start with creating a schedule object under the objects tab. After this the schedule object can be used in a rule (under Options).

If it is not shown, then it has to be enabled.

[attached image: option.PNG.png]

Right after this you can use the schedule object in the Options field of the rule.

[attached image: opt.PNG.png]

Hope this helps.

Regards, Klaus

L7 Applicator

Some of the "brute force" signatures have a picture of a pencil next to them, which allows you to Edit Time Attributes.

If you would like to shun based on an IPS signature that doesn't have a built-in time attribute, you can create a simple custom "combination" vulnerability signature.  Create a new custom vulnerability signature, enter some basic information on the "Configuration" tab (name, etc.), then on the signature type, choose "Combination".  Now, select the signature you wish to add some time attributes to.  (This example uses Threat ID 10005).

Next, go to the "Time Attribute" tab and add the # of hits within the # of seconds, and then how you wish to aggregate the data.

Now, with your new signature, you can change the action to "block-ip" (aka shun).
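The hit-count-within-a-window logic that a combination signature's Time Attribute applies, worked through in Python against the question's own policy (5 failed logins in 2 minutes, shun the source for 10 minutes). This is an added illustration, not PAN-OS code or configuration; the log format and the IP addresses are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

# Policy from the question: 5 failures within 2 minutes -> shun the source for 10 minutes.
THRESHOLD, WINDOW, BLOCK_FOR = 5, timedelta(minutes=2), timedelta(minutes=10)


class ShunTracker:
    def __init__(self, threshold=THRESHOLD, window=WINDOW, block_for=BLOCK_FOR):
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.failures = {}       # ip -> deque of failure timestamps still inside the window
        self.blocked_until = {}  # ip -> datetime at which the shun expires

    def is_blocked(self, ip, now):
        # A shun is active only until its expiry; an absent entry never blocks.
        return now < self.blocked_until.get(ip, now)

    def record_failure(self, ip, now):
        # Count one failure; return the shun expiry time if this one trips the rule.
        hits = self.failures.setdefault(ip, deque())
        hits.append(now)
        while now - hits[0] > self.window:  # discard hits that fell out of the window
            hits.popleft()
        if len(hits) < self.threshold:
            return None
        hits.clear()  # count afresh once the shun lapses
        self.blocked_until[ip] = now + self.block_for
        return self.blocked_until[ip]


# Constructed sample log (not from a real device): "<timestamp> <source ip>" per failed login.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7
2024-05-01T10:00:20 203.0.113.7
2024-05-01T10:00:40 203.0.113.7
2024-05-01T10:01:00 198.51.100.9
2024-05-01T10:01:10 203.0.113.7
2024-05-01T10:01:30 203.0.113.7
2024-05-01T10:05:00 203.0.113.7
2024-05-01T10:12:00 203.0.113.7
"""


def replay(log_text, tracker=None):
    # Feed failed-login lines through the tracker; return the (action, ip, time) events raised.
    tracker, events = tracker or ShunTracker(), []
    for line in log_text.splitlines():
        ts, ip = line.split()
        now = datetime.fromisoformat(ts)
        if tracker.is_blocked(ip, now):
            events.append(("drop", ip, ts))  # still shunned: attempt is discarded, not counted
        elif (until := tracker.record_failure(ip, now)) is not None:
            events.append(("block", ip, until.isoformat()))
    return events
```

In the sample, 203.0.113.7 is shunned at its fifth failure (10:01:30) until 10:11:30, its 10:05:00 attempt is dropped, and its 10:12:00 attempt is counted afresh after the shun lapses; 198.51.100.9 never reaches the threshold.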

I apologize for the ignorant question, but I can't seem to find reference to what Threat ID 10005 denotes. Is this failed logins? 
