DDOS - 100 Events to the same IP or Port in 1 Minute from Different Sources

Alert Purpose

This alert should be triggered when 100 communication events are observed to the same destination IP address and port, originating from different source IP addresses, within one minute.

Data Sources Needed

  • Firewall netflow events

Description

  1. Rule 1 - Identify netflow events: EventID isinList 63805 63809

  2. Rule 2 - Set "Min Threshold" 100, "Max Threshold" 150, TTL 60; SrcIP NOT = Rule No. 1 SrcIP AND DestIP = Rule No. 1 DestIP
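The two rules above describe a correlation that a SIEM evaluates internally. The following is an added example (not part of this page or any vendor's rule engine) that implements the same logic in plain Python so the thresholds can be tested against sample data: Rule 1 keeps only the netflow event IDs listed above, and Rule 2 counts distinct source IPs per (destination IP, destination port) inside a sliding 60-second window and fires when the count reaches the Min Threshold. The page does not define the Max Threshold semantics; here it is assumed to mean "stop accumulating for a target that has already alerted and reached 150 distinct sources", which bounds work during a real flood. All event data is constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple

# Parameters taken from the rule text on this page.
NETFLOW_EVENT_IDS = {63805, 63809}   # Rule 1: EventID isinList 63805 63809
MIN_THRESHOLD = 100                  # Rule 2: distinct sources needed to fire
MAX_THRESHOLD = 150                  # Rule 2: assumed cap, see lead-in
TTL_SECONDS = 60                     # Rule 2: correlation window


@dataclass(frozen=True)
class NetflowEvent:
    """Minimal firewall netflow record (constructed field set)."""
    ts: int          # epoch seconds
    event_id: int
    src_ip: str
    dst_ip: str
    dst_port: int


def is_netflow(ev: NetflowEvent) -> bool:
    """Rule 1: keep only the firewall netflow event IDs."""
    return ev.event_id in NETFLOW_EVENT_IDS


def detect_many_sources(events: List[NetflowEvent]) -> List[Tuple[int, str, int, int]]:
    """Rule 2: per (dst_ip, dst_port), count distinct src_ip within a sliding
    TTL window. Returns (ts, dst_ip, dst_port, distinct_sources) once per
    target when the count first reaches MIN_THRESHOLD; the target can alert
    again only after its window drains below the threshold."""
    windows: Dict[Tuple[str, int], Deque[Tuple[int, str]]] = defaultdict(deque)
    alerted: Set[Tuple[str, int]] = set()
    alerts: List[Tuple[int, str, int, int]] = []

    for ev in sorted(filter(is_netflow, events), key=lambda e: e.ts):
        key = (ev.dst_ip, ev.dst_port)
        win = windows[key]

        # Expire entries outside the (ts - TTL, ts] window.
        cutoff = ev.ts - TTL_SECONDS
        while win and win[0][0] <= cutoff:
            win.popleft()

        # Assumed Max Threshold behaviour: an already-alerted, saturated
        # target is not tracked further until its window expires.
        if key in alerted and len({s for _, s in win}) >= MAX_THRESHOLD:
            continue

        win.append((ev.ts, ev.src_ip))
        n = len({s for _, s in win})   # "SrcIP NOT = Rule 1 SrcIP": distinct sources

        if n >= MIN_THRESHOLD and key not in alerted:
            alerts.append((ev.ts, ev.dst_ip, ev.dst_port, n))
            alerted.add(key)
        elif n < MIN_THRESHOLD:
            alerted.discard(key)
    return alerts


def build_sample_events() -> List[NetflowEvent]:
    """Constructed sample traffic covering the cases the rule must separate."""
    evs: List[NetflowEvent] = []
    # 120 distinct sources hit 10.0.0.5:443 within 30 s -> must alert.
    for i in range(120):
        evs.append(NetflowEvent(1000 + i // 4, 63805, f"198.51.{i // 250}.{i % 250}", "10.0.0.5", 443))
    # One source repeats 200 times to 10.0.0.6:80 -> one distinct source, no alert.
    for i in range(200):
        evs.append(NetflowEvent(1000 + i, 63809, "192.0.2.10", "10.0.0.6", 80))
    # 100 distinct sources to 10.0.0.7:22, but one every 3 s -> never 100 in 60 s.
    for i in range(100):
        evs.append(NetflowEvent(2000 + 3 * i, 63805, f"203.0.113.{i % 250}", "10.0.0.7", 22))
    # 150 sources to 10.0.0.8:443 but with a non-netflow EventID -> dropped by Rule 1.
    for i in range(150):
        evs.append(NetflowEvent(3000, 4624, f"198.18.{i // 250}.{i % 250}", "10.0.0.8", 443))
    return evs


if __name__ == "__main__":
    for ts, ip, port, n in detect_many_sources(build_sample_events()):
        print(f"ALERT ts={ts} target={ip}:{port} distinct_sources={n}")
```

Only the first target should produce an alert, and it should fire exactly once, at the event that brings the distinct-source count to 100; the repeated-source, slow-drip and non-netflow cases are the usual false-positive checks worth keeping in the test events for this rule.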

Alert Object

Test Events