Distributed Denial of Service (DDoS)
100 events to the same IP address and port in 1 minute from different sources. This alert is triggered when 100 communication events are sent to the same destination IP address and port from different source IP addresses within one minute.
Data sources needed
- The firewall's netflow events must be collected in Cyberquest before the alert can be configured.
Go to Settings, click on Alerts, then Realtime.
- In the Rule 1 settings fields, identify the netflow events: set EventID to isinList with the values 63805 and 63809.
- In the Rule 2 settings fields, set Min Threshold to 100, Max Threshold to 150, TTL to 60 (seconds), and the condition SrcIP ≠ Rule No. 1 SrcIP AND DestIP = Rule No. 1 DestIP.
Note that Rule 2 as written correlates on the destination IP only. If the alert must also be limited to a single destination port, as the description above states, add the matching destination-port condition to Rule 2.
To export the alert settings, click on Alert Object above.
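To make the two rules concrete, the following is an added Python example, not Cyberquest code, that replays the same detection logic over constructed netflow-style events: Rule 1 keeps only events whose ID is 63805 or 63809, and Rule 2 counts distinct source IPs per destination inside a 60-second sliding window and fires when the count reaches the Min Threshold. The field names (src_ip, dst_ip, dst_port, event_id), the sample IP addresses, and the reading of Max Threshold as a cap on how many distinct sources are tracked per window are assumptions made for the example.

```python
"""Sliding-window detector for "100 events to the same destination from
different sources within 60 s".

Added illustration, not Cyberquest code.  Field names and the meaning given
to Max Threshold are assumptions; the event IDs are the ones from Rule 1.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

NETFLOW_EVENT_IDS = {63805, 63809}   # Rule 1: EventID isinList 63805, 63809


@dataclass(frozen=True)
class Event:
    ts: float        # seconds since epoch
    event_id: int
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class Alert:
    ts: float
    dst_ip: str
    dst_port: int
    distinct_sources: int


def detect_ddos(events, min_threshold=100, max_threshold=150, ttl=60):
    """Replay events in time order and return the alerts the rule would raise.

    Per (dst_ip, dst_port) we keep a deque of (ts, src_ip) no older than `ttl`
    seconds, holding one entry per distinct source (Rule 2: SrcIP must differ
    from the sources already counted, DestIP must match).  An alert fires when
    the window first holds `min_threshold` distinct sources and is not repeated
    for that destination until `ttl` seconds have passed.  Once the window
    holds `max_threshold` sources, further sources are not tracked (assumed
    meaning of Max Threshold: bound the state a flood can create).
    """
    windows = defaultdict(deque)   # (dst_ip, dst_port) -> deque[(ts, src_ip)]
    last_alert = {}                # (dst_ip, dst_port) -> ts of last alert
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id not in NETFLOW_EVENT_IDS:   # Rule 1 filter
            continue
        key = (ev.dst_ip, ev.dst_port)
        win = windows[key]
        while win and ev.ts - win[0][0] > ttl:     # slide the window
            win.popleft()
        sources = {src for _, src in win}
        if ev.src_ip in sources:                   # same source: not "different"
            continue
        if len(sources) >= max_threshold:          # cap per-window state
            continue
        win.append((ev.ts, ev.src_ip))
        count = len(sources) + 1
        recently_alerted = key in last_alert and ev.ts - last_alert[key] <= ttl
        if count >= min_threshold and not recently_alerted:
            last_alert[key] = ev.ts
            alerts.append(Alert(ev.ts, ev.dst_ip, ev.dst_port, count))
    return alerts


def make_flood(dst_ip, dst_port, n_sources, spread=30.0, start_ts=0.0,
               event_id=63805, same_source=None):
    """Constructed sample data: n_sources events hit one target, evenly spread
    over `spread` seconds, each from a distinct (assumed) source IP unless
    `same_source` forces a single source."""
    return [
        Event(start_ts + i * spread / n_sources, event_id,
              same_source or f"10.{(i >> 8) & 255}.{i & 255}.7",
              dst_ip, dst_port)
        for i in range(n_sources)
    ]


if __name__ == "__main__":
    for a in detect_ddos(make_flood("10.0.0.5", 443, 120)):
        print(f"DDoS alert: {a.distinct_sources} sources -> "
              f"{a.dst_ip}:{a.dst_port} at t={a.ts:.2f}s")
```

The same 120 distinct sources spread over five minutes never put more than about 25 of them inside one 60-second window, so no alert is raised; the TTL is what turns the count into a rate.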