Example: counting events to reduce number of repeated queries to a server
An example of using the Count context in a Correlation Situation.
Company B has a Firewall and an IPS engine that monitor traffic to a DMZ network. The DMZ contains a server that provides information to Company B’s partners. A while ago, users started complaining that the service had slowed down.
Upon investigation, Company B’s administrators found out that the traffic had grown dramatically even though the number of users and the data available had stayed the same. They found out that one of the partners had made a misconfiguration script that frequently copied several large catalogs from Company B’s server to their own server. Furthermore, they had given the script to a few other partners as well. As a first step, the administrators decide to immediately stop excessive queries to the server.
- Create a custom Situation for detecting access to the catalog files.
- Create a custom Correlation Situation and attach the Count Context to it. Then define the settings for the Count Context to detect when there are more than 5 requests per minute to any of the files from the same source address.
Table 1. Context settings for the example Correlation Situation Field Option Correlated Situations Custom Situation Time Window 60 Alarm Threshold 5 Log Fields Enabled Select Event Binding Src Addr - Insert the Correlation Situation in the Inspection Policy with block listing as the Action. The traffic from the offending hosts is stopped at the Firewall.
- Refresh the Inspection Policy on the IPS engine.