Depends heavily on what type of profile you have configured and what profile they actually hit; Classified will be able to provide you a source-ip because there is a sole address to give you, while Aggregate won't give you a source-ip because it accounts for anything connecting to that protected resource.
I supposed this. Maybe I could see the specific attacker and victim IPs because before I had activated a classified rule (now it is aggregate).
Seeing the IPs is very useful because I can check on other websites whether it is a bad or good IP.
Maybe I can use an aggregate rule as a test and then activate a classified rule again.
Remember that you can assign both an aggregate profile and a classified profile in the same DoS entry. If you are just working on building these out now, it might be best to follow this method:
You can play around with the alarm rate and watch the logs to see when you actually start getting alerts and start to narrow down what your Activate and Max rates should be under normal traffic loads. The only thing that you won't be able to really analyze like this is the max concurrent session limit, but that should be easily generated from your logs and your session table over a period of time.