Drop brute force attacks with IDP example

  • I couldn’t find a clear example of what I wanted to do (basically, if some host tries to connect to some service more than x times a minute, drop new connections from that host)

    Here it is:

    set security idp idp-policy simple-idp-policy rulebase-ips rule 1 match from-zone any
    set security idp idp-policy simple-idp-policy rulebase-ips rule 1 match source-address any
    set security idp idp-policy simple-idp-policy rulebase-ips rule 1 match to-zone any
    set security idp idp-policy simple-idp-policy rulebase-ips rule 1 match destination-address any
    set security idp idp-policy simple-idp-policy rulebase-ips rule 1 match application default
    set security idp idp-policy simple-idp-policy rulebase-ips rule 1 match attacks predefined-attack-groups Critical
    set security idp idp-policy simple-idp-policy rulebase-ips rule 1 then action drop-connection
    set security idp idp-policy simple-idp-policy rulebase-ips rule 1 then notification log-attacks alert
    set security idp idp-policy simple-idp-policy rulebase-ips rule 1 then severity critical
    set security idp idp-policy simple-idp-policy rulebase-ips rule 2 match from-zone any
    set security idp idp-policy simple-idp-policy rulebase-ips rule 2 match source-address any
    set security idp idp-policy simple-idp-policy rulebase-ips rule 2 match to-zone any
    set security idp idp-policy simple-idp-policy rulebase-ips rule 2 match destination-address any
    set security idp idp-policy simple-idp-policy rulebase-ips rule 2 match application default
    set security idp idp-policy simple-idp-policy rulebase-ips rule 2 match attacks custom-attacks MY:RDP:CON:RATE-LIMIT
    set security idp idp-policy simple-idp-policy rulebase-ips rule 2 then action close-client-and-server
    set security idp idp-policy simple-idp-policy rulebase-ips rule 2 then ip-action ip-close
    set security idp idp-policy simple-idp-policy rulebase-ips rule 2 then ip-action target source-address
    set security idp idp-policy simple-idp-policy rulebase-ips rule 2 then ip-action timeout 30
    set security idp idp-policy simple-idp-policy rulebase-ips rule 2 then notification log-attacks alert
    set security idp idp-policy simple-idp-policy rulebase-ips rule 2 then severity major
    set security idp active-policy simple-idp-policy
    set security idp custom-attack MY:RDP:CON:RATE-LIMIT severity major
    set security idp custom-attack MY:RDP:CON:RATE-LIMIT time-binding count 3
    set security idp custom-attack MY:RDP:CON:RATE-LIMIT time-binding scope source
    set security idp custom-attack MY:RDP:CON:RATE-LIMIT attack-type signature context first-data-packet
    set security idp custom-attack MY:RDP:CON:RATE-LIMIT attack-type signature pattern .*
    set security idp custom-attack MY:RDP:CON:RATE-LIMIT attack-type signature direction client-to-server
    set security idp custom-attack MY:RDP:CON:RATE-LIMIT attack-type signature protocol tcp destination-port match equal
    set security idp custom-attack MY:RDP:CON:RATE-LIMIT attack-type signature protocol tcp destination-port value 3389
    set security idp traceoptions file size 10m
    set security idp traceoptions flag all
    set security idp traceoptions level all
    set security idp sensor-configuration log suppression disable
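To see what rule 2 and the custom attack amount to on the wire, here is a small Python model of the counting and blocking logic (added here; it is not Junos code and not from the post). It assumes the time-binding window is a sliding one minute and that ip-close blocks all later traffic from the offending source for the 30-second timeout; the sample events are constructed.

```python
"""Model of the MY:RDP:CON:RATE-LIMIT custom attack plus rule 2's ip-action:
count first client-to-server packets to TCP/3389 per source; on the 3rd hit
within a minute close that connection and block the source for 30 seconds."""
from collections import defaultdict, deque

COUNT = 3            # time-binding count 3
WINDOW = 60.0        # assumption: time-binding counts occurrences per minute
PORT = 3389          # signature destination-port value 3389
BLOCK_TIMEOUT = 30.0  # ip-action timeout 30


class RateLimiter:
    def __init__(self, count=COUNT, window=WINDOW, port=PORT, timeout=BLOCK_TIMEOUT):
        self.count, self.window, self.port, self.timeout = count, window, port, timeout
        self.hits = defaultdict(deque)   # source -> timestamps of recent matches
        self.blocked_until = {}          # source -> time the ip-close entry expires

    def observe(self, t, src, dport):
        """Return 'blocked', 'close' or 'allow' for one new connection."""
        if self.blocked_until.get(src, -1.0) > t:
            return "blocked"             # ip-close: source-wide, any port
        if dport != self.port:
            return "allow"               # signature only matches TCP/3389
        q = self.hits[src]
        q.append(t)
        while q and t - q[0] > self.window:
            q.popleft()                  # drop hits older than the window
        if len(q) >= self.count:
            self.blocked_until[src] = t + self.timeout
            q.clear()                    # counter restarts after the action
            return "close"               # close-client-and-server on this hit
        return "allow"


# Constructed sample: (seconds, source address, destination port)
SAMPLE = [
    (0.0, "10.0.0.5", 3389), (5.0, "10.0.0.5", 3389), (9.0, "10.0.0.9", 3389),
    (10.0, "10.0.0.5", 3389),   # third RDP attempt within a minute
    (12.0, "10.0.0.5", 3389),   # inside the 30 s block
    (15.0, "10.0.0.5", 443),    # block covers every port, not just 3389
    (45.0, "10.0.0.5", 3389),   # block expired at t=40, counting restarts
    (100.0, "10.0.0.9", 3389),  # earlier hit at t=9 has aged out of the window
]


def run(events, limiter=None):
    lim = limiter or RateLimiter()
    return [(t, src, lim.observe(t, src, dport)) for t, src, dport in events]


if __name__ == "__main__":
    for t, src, verdict in run(SAMPLE):
        print(f"t={t:6.1f} {src:10} {verdict}")
```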
