02-14-2018 02:15 PM
I wonder if there is dynamic IP blocking if, in a short period of time, that IP did an IP scan or tried the same vulnerability attack on our IP range, because the attack was once on each policy rule so it doesn't reach the vulnerability protection limit for blocking the IP.
So if the monitor logs show the same IP on different policy rules in a short period, it will do an IP block for 30/60 min.
Maybe I'm missing something, or it is something they can think about for new versions.
Thank you
SShnap
02-14-2018 02:27 PM
Some Threat IDs, such as Brute Force related signatures, do block based on time attributes. Multiple examples are listed in the following article.
Also, the Reconnaissance Protection section of a Zone Protection profile can enforce blocking based on scan activity, as can DoS Protection. More info can be found here.
02-14-2018 03:08 PM
Depending on how the scan was performed, it could have also triggered the Host Sweep, TCP Port Scan or UDP Port Scan Reconnaissance protections in Zone Protection. Check the Threat Logs for any entries related to type (if I remember correctly) 'scan'.
If the activity triggered a Network Flood protection you would find Threat Log entries with log type 'flood'.
02-14-2018 03:09 PM
Thank you for the reply.
I'm familiar with "Brute Force Signature", but it only blocks the IP when they hit the same policy rule or same destination, according to how you configure it (10 times in 60 sec).
It's not working when an attacker is doing the same attack on an IP range, so he hits once or twice on each IP and the rule doesn't sense that traffic to alert or block.
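The cross-rule correlation described in the original question and in this reply, as an added illustration that is not part of this thread and not a PAN-OS feature: count how many distinct policy rules a single source hits within a short window and flag it for a 30-minute block. The log rows, field layout, rule names and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Threat Log rows (not real firewall output):
# (receive time, source IP, policy rule, threat ID). One hit per rule,
# so a per-rule "10 times in 60 sec" threshold would never trip.
SAMPLE_LOG = [
    ("2018/02/14 14:00:05", "203.0.113.7",  "dmz-web",  "vuln-EXAMPLE"),
    ("2018/02/14 14:00:09", "203.0.113.7",  "dmz-mail", "vuln-EXAMPLE"),
    ("2018/02/14 14:00:14", "203.0.113.7",  "dmz-dns",  "vuln-EXAMPLE"),
    ("2018/02/14 14:02:30", "198.51.100.9", "dmz-web",  "vuln-EXAMPLE"),
    ("2018/02/14 14:03:00", "198.51.100.9", "dmz-web",  "vuln-EXAMPLE"),
    ("2018/02/14 14:10:00", "192.0.2.5",    "dmz-web",  "vuln-EXAMPLE"),
    ("2018/02/14 14:20:00", "192.0.2.5",    "dmz-mail", "vuln-EXAMPLE"),
    ("2018/02/14 14:30:00", "192.0.2.5",    "dmz-dns",  "vuln-EXAMPLE"),
    ("2018/02/14 15:30:00", "203.0.113.7",  "dmz-ftp",  "vuln-EXAMPLE"),
]


def parse(rows):
    """Turn the constructed rows into (datetime, src, rule, threat_id) tuples."""
    return [(datetime.strptime(t, "%Y/%m/%d %H:%M:%S"), src, rule, tid)
            for t, src, rule, tid in rows]


def sweep_sources(rows, window=timedelta(minutes=5), min_rules=3,
                  block_for=timedelta(minutes=30)):
    """Return {src_ip: block_until} for every source that hits at least
    `min_rules` distinct policy rules inside any `window`-long span.
    The window is anchored at each hit in turn, so three rules spread
    over 20 minutes (192.0.2.5 above) do not trip a 5-minute window."""
    by_src = defaultdict(list)
    for ts, src, rule, _tid in sorted(parse(rows)):
        by_src[src].append((ts, rule))

    blocks = {}
    for src, hits in by_src.items():        # hits are already time-ordered
        for i, (start, _) in enumerate(hits):
            rules = {r for t, r in hits[i:] if t - start <= window}
            if len(rules) >= min_rules:
                blocks[src] = start + block_for   # block from the first hit
                break
    return blocks


if __name__ == "__main__":
    for src, until in sweep_sources(SAMPLE_LOG).items():
        print(f"{src}: block until {until:%Y/%m/%d %H:%M:%S}")
```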
02-15-2018 08:04 AM
Understood, in which case Zone Protection and/or DoS Protection would be the appropriate features to leverage.
02-15-2018 08:53 AM
OK, I will try to enable zone protection on the DMZ and track the logs.
I enabled flood protection for SYN, ICMP, UDP and Other IP, and increased the Activate threshold so I can get alerting without activating the drop action.
Under Reconnaissance Protection I enabled all three and set the action to alert.
I also enabled the packet-based attack protection, following best practice.
Hope to see results after tuning.
Thank you all