SecureKnowledge Weekly - SecureXL Penalty Box

4 Comments
Schafi
Contributor

Hello, I have a question about dos_suspected

What does “too many reports” mean exactly, and can this threshold be edited somewhere?

A host is recorded in the 'dos_suspected' table when it is reported by the firewall rulebase or IPS code. The entry is inserted for a short period of time (1 second).
If too many reports are received for that host during this time, it will be placed in the penalty box table 'dos_penalty_box'.

Best Regards

Jean-François

_Val_
Admin

Hi Jean-Francois, your question is answered in the SK: 

sim erdos -t <seconds>
Sets the duration for a host to stay in Penalty box (default=180)

sim erdos -d <packets_per_sec>
Sets the rate of allowed violations (packets/sec) for Penalty box per IP address (default=500)

Note: Only available in R75.40VS, R76 and newer versions.

Schafi
Contributor

Hello Valeri

Thanks for your reply. As I understand it, there are two different ways an IP address can be blocked by the penalty box.

The first is packets per second dropped, and the second mechanism is IPS events. PPS for IPS events does not seem to make sense to me.

My question is under which circumstances an IP address will be suspected in the case of an IPS event. How many IPS events are needed, and are there differences in relation to the severity of an IPS event?

I know of other vendors where you can choose how many IPS events (attacks) are tolerated in a period of time before the source IP address is quarantined. For example, if an IP tries to exploit a vulnerability once, all further attempts and connections from that IP are blocked for x minutes.

Many thanks for your help
Jean-François

_Val_
Admin

>> How many IPS events are needed?

The answer is in the article:

sim erdos -d <packets_per_sec>
Sets the rate of allowed violations (packets/sec) for Penalty box per IP address (default=500)

Note: Only available in R75.40VS, R76 and newer versions.

500 packets per second will trigger the penalty. You can also manage this parameter yourself.

>> Are there differences in relation to the severity of an IPS event?

No relation.
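To make the mechanism discussed in this thread concrete, here is a small Python model of the behaviour described above: a reported host sits in a dos_suspected window of 1 second, and once the number of reports in that window exceeds the allowed rate (sim erdos -d, default 500) the host is moved to dos_penalty_box for the configured duration (sim erdos -t, default 180 seconds), with IPS severity playing no part. This is an added illustration, not Check Point code and not the actual SecureXL implementation; the table layout, the strict "more than allowed_pps" comparison and the sample trace are assumptions made for the example.

```python
"""Model of the SecureXL penalty box as described in the SK thread.

Added example; not Check Point code. The real kernel tables, the exact
comparison (> vs >=) and the trace below are assumptions for illustration.
"""
from collections import defaultdict, deque

SUSPECT_WINDOW_SECONDS = 1.0    # how long a host stays in dos_suspected
DEFAULT_PENALTY_SECONDS = 180   # sim erdos -t <seconds>
DEFAULT_ALLOWED_PPS = 500       # sim erdos -d <packets_per_sec>


class PenaltyBox:
    def __init__(self, penalty_seconds=DEFAULT_PENALTY_SECONDS,
                 allowed_pps=DEFAULT_ALLOWED_PPS):
        self.penalty_seconds = penalty_seconds
        self.allowed_pps = allowed_pps
        # dos_suspected: ip -> timestamps of reports inside the last second
        self.dos_suspected = defaultdict(deque)
        # dos_penalty_box: ip -> time at which the penalty expires
        self.dos_penalty_box = {}

    def is_boxed(self, ip, now):
        """True while `ip` is in the penalty box; expired entries are removed."""
        expiry = self.dos_penalty_box.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.dos_penalty_box[ip]
            return False
        return True

    def report(self, ip, now, severity=None):
        """A violation reported by the rulebase or IPS for `ip` at time `now`.

        Returns True if `ip` is (or has just been put) in the penalty box.
        `severity` is accepted but deliberately ignored: per the thread,
        the threshold is a packet rate with no relation to IPS severity.
        """
        if self.is_boxed(ip, now):
            return True
        window = self.dos_suspected[ip]
        window.append(now)
        # Drop reports older than the 1-second suspect window.
        while window and now - window[0] >= SUSPECT_WINDOW_SECONDS:
            window.popleft()
        # Assumption: boxing happens once reports in the window exceed allowed_pps.
        if len(window) > self.allowed_pps:
            self.dos_penalty_box[ip] = now + self.penalty_seconds
            window.clear()
            return True
        return False


def run_trace(trace, penalty_seconds=DEFAULT_PENALTY_SECONDS,
              allowed_pps=DEFAULT_ALLOWED_PPS):
    """Feed (time, ip) violation reports through the model.

    Returns {ip: time_first_boxed} for hosts that ended up in the penalty box.
    """
    box = PenaltyBox(penalty_seconds, allowed_pps)
    first_boxed = {}
    for now, ip in trace:
        if box.report(ip, now) and ip not in first_boxed:
            first_boxed[ip] = now
    return first_boxed


def sample_trace():
    """Constructed trace: one host bursts 600 reports in half a second,
    another sends 400 reports spread evenly over 4 seconds."""
    burst = [(0.0 + i * 0.0005, "10.0.0.1") for i in range(600)]
    slow = [(0.0 + i * 0.01, "10.0.0.2") for i in range(400)]
    return sorted(burst + slow)


if __name__ == "__main__":
    print(run_trace(sample_trace()))
```

The slow host never has more than about 100 reports inside any one-second window, so it stays out of the box; the bursting host crosses the 500 mark on its 501st report and is then boxed for 180 seconds regardless of what the IPS reported. Lowering the allowed_pps argument in run_trace reproduces the effect of a smaller sim erdos -d value.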