Distributed Denial of Service (DDoS)

Alert description

100 events to the same IP or port in 1 minute from different sources. This alert should be triggered at the occurrence of 100 communication events to the same IP address and the same port from different source IP addresses.

Data sources needed

  • In order for the alert to be set, Firewall netflow events must be collected in Cyberquest.

Alert setup

Go to Settings, click on Alerts, then Realtime.

  1. In the Rule 1 settings fields, netflow events are identified. Fill in the fields with the information shown below: EventID isinList 63805, 63809

  2. In the Rule 2 settings fields, set Min Threshold to 100, Max Threshold to 150, TTL to 60, SrcIP ≠ Rule No. 1 SrcIP AND DestIP = Rule No. 1 DestIP.
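The correlation the two rules express, written out as a stand-alone detector so the thresholds can be checked against sample data. This is an added example, not Cyberquest code; the event dictionary shape is assumed, and the meaning of Max Threshold (window reset) is an assumption, since the page only gives its value.

```python
from collections import deque
from datetime import datetime, timedelta

NETFLOW_EVENT_IDS = {63805, 63809}  # Rule 1: EventID isinList (from the page)
MIN_THRESHOLD, MAX_THRESHOLD, TTL_SECONDS = 100, 150, 60  # Rule 2 values from the page


def detect_ddos(events, min_threshold=MIN_THRESHOLD, max_threshold=MAX_THRESHOLD, ttl=TTL_SECONDS):
    """Return alerts as (dst_ip, dst_port, distinct_sources, first_ts, last_ts).

    events: dicts {event_id, ts (datetime), src_ip, dst_ip, dst_port} in time order.
    Rule 1 selects netflow events by EventID. Rule 2 keeps a sliding TTL window
    per DestIP/port and counts distinct SrcIPs in it ("SrcIP != Rule 1 SrcIP");
    it fires once per window at min_threshold. Assumption (not stated on the
    page): passing max_threshold resets the window so a sustained flood re-alerts.
    """
    windows, fired, alerts = {}, set(), []
    for ev in events:
        if ev["event_id"] not in NETFLOW_EVENT_IDS:
            continue
        key = (ev["dst_ip"], ev["dst_port"])
        win = windows.setdefault(key, deque())
        while win and ev["ts"] - win[0][0] > timedelta(seconds=ttl):
            win.popleft()  # expire entries older than the TTL
        if not win:
            fired.discard(key)  # window emptied: a new alert may fire
        win.append((ev["ts"], ev["src_ip"]))
        sources = {src for _, src in win}
        if len(sources) >= min_threshold and key not in fired:
            alerts.append((key[0], key[1], len(sources), win[0][0], ev["ts"]))
            fired.add(key)
        if len(sources) > max_threshold:
            win.clear()
            fired.discard(key)
    return alerts


def constructed_events():
    """Constructed sample, not real traffic: 120 distinct sources hit
    203.0.113.10:443 within 30 s (fires once); one source sends 200 events to
    port 22 (same SrcIP, must not fire); one non-netflow EventID is ignored."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    evs = [{"event_id": 63805, "ts": t0 + timedelta(seconds=i * 0.25), "src_ip": f"198.51.100.{i}",
            "dst_ip": "203.0.113.10", "dst_port": 443} for i in range(120)]
    evs += [{"event_id": 63809, "ts": t0 + timedelta(seconds=i * 0.1), "src_ip": "192.0.2.7",
             "dst_ip": "203.0.113.10", "dst_port": 22} for i in range(200)]
    evs.append({"event_id": 99999, "ts": t0, "src_ip": "192.0.2.8",  # placeholder non-netflow ID
                "dst_ip": "203.0.113.10", "dst_port": 443})
    return sorted(evs, key=lambda e: e["ts"])
```

The port-22 case shows why the "SrcIP ≠ Rule No. 1 SrcIP" condition matters: 200 events from one host exceed the count but are not a distributed flood.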

Alert Object

To export the alert settings, click on Alert Object above.