This rule is intended for organizations that are concerned with monitoring heavy inbound network traffic.
Description
This alert rule is triggered whenever an excessive number of denied inbound connections across a firewall is observed. It helps identify the hosts of potential intruders and also detects whether a particular user is repeatedly trying, and failing, to reach a resource behind the firewall.
Log Source
- All Firewalls
- IDS/IPS
Alert Logic
Monitor Firewall/IDS/IPS events that deny a connection.
Maintain a list of FirewallDevices and evaluate the rule against that list, so that adding a new firewall device to the list is enough to bring it under this rule in the future. Also establish a baseline of the average number of denied connections to your infrastructure. If the number of denied connection attempts rises by, say, 20% above that baseline, trigger this alert.
What should you monitor in case this alert triggers?
- Check the source IP address. Validate whether this traffic is expected or needs further investigation.
- Analyze the source IP addresses and destination ports. Multiple source IP addresses hitting similar destination ports could indicate malicious activity.
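The alert logic above (count deny events only from devices in the FirewallDevices list, compare the count against a baseline average, trigger at a 20% increase) and the triage step (group sources by destination port) as one worked example. This is added illustration code, not part of the original post or of any SIEM product; the log line format, the device names, the IP addresses and the baseline history are all constructed for the example.

```python
"""Excessive denied inbound connections: baseline comparison and triage helpers."""
import re
from collections import defaultdict
from statistics import mean

# Assumed FirewallDevices list: only events from these devices count toward the alert,
# so onboarding a new firewall is just adding its name here.
FIREWALL_DEVICES = {"fw-edge-1", "fw-edge-2"}

# Constructed per-window deny counts from previous days (the "baseline" the rule needs).
BASELINE_HISTORY = [5, 6, 4, 5]

# Constructed sample events in an assumed format:
# "<timestamp> <device> <ACTION> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01Z fw-edge-1 DENY 203.0.113.10:51000 -> 10.0.0.5:22 tcp",
    "2024-05-01T10:00:02Z fw-edge-1 DENY 203.0.113.10:51001 -> 10.0.0.5:3389 tcp",
    "2024-05-01T10:00:03Z fw-edge-2 DENY 198.51.100.7:40000 -> 10.0.0.5:22 tcp",
    "2024-05-01T10:00:04Z fw-edge-2 DENY 192.0.2.55:40500 -> 10.0.0.8:22 tcp",
    "2024-05-01T10:00:05Z fw-edge-1 DENY 192.0.2.55:40501 -> 10.0.0.8:445 tcp",
    "2024-05-01T10:00:06Z fw-edge-1 DENY 203.0.113.10:51002 -> 10.0.0.9:22 tcp",
    "2024-05-01T10:00:07Z fw-edge-2 DENY 198.51.100.7:40001 -> 10.0.0.9:3389 tcp",
    "2024-05-01T10:00:08Z fw-edge-1 DENY 203.0.113.77:52000 -> 10.0.0.5:80 tcp",
    "2024-05-01T10:00:09Z fw-edge-1 ALLOW 203.0.113.77:52001 -> 10.0.0.5:443 tcp",
    # Device not in FIREWALL_DEVICES: ignored until it is added to the list.
    "2024-05-01T10:00:10Z fw-lab-9 DENY 203.0.113.99:53000 -> 10.0.0.5:22 tcp",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<action>DENY|ALLOW) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_event(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def denied_events(lines, devices):
    """Keep only DENY events emitted by a device in the FirewallDevices list."""
    events = (parse_event(line) for line in lines)
    return [ev for ev in events if ev and ev["action"] == "DENY" and ev["device"] in devices]


def exceeds_baseline(count, baseline, pct=0.20):
    """True when the current count is more than pct above the baseline average."""
    return count > baseline * (1 + pct)


def evaluate(lines, history, devices, pct=0.20):
    """Apply the rule to one window of events and report the decision and its inputs."""
    count = len(denied_events(lines, devices))
    baseline = mean(history)
    return {
        "count": count,
        "baseline": baseline,
        "threshold": baseline * (1 + pct),
        "triggered": exceeds_baseline(count, baseline, pct),
    }


def ports_by_source(events):
    """Triage view: which destination ports each source address was denied on."""
    result = defaultdict(set)
    for ev in events:
        result[ev["src"]].add(ev["dport"])
    return {src: sorted(ports) for src, ports in result.items()}


def shared_target_ports(events, min_sources=3):
    """Triage view: ports denied for at least min_sources distinct source addresses."""
    sources = defaultdict(set)
    for ev in events:
        sources[ev["dport"]].add(ev["src"])
    return {port: sorted(s) for port, s in sources.items() if len(s) >= min_sources}


if __name__ == "__main__":
    decision = evaluate(SAMPLE_EVENTS, BASELINE_HISTORY, FIREWALL_DEVICES)
    print("alert:", decision)
    if decision["triggered"]:
        denies = denied_events(SAMPLE_EVENTS, FIREWALL_DEVICES)
        print("ports per source:", ports_by_source(denies))
        print("ports hit by many sources:", shared_target_ports(denies))
```

With the constructed data the baseline average is 5 denies per window and the threshold 6, so the 8 denies counted from the listed devices trigger the alert; the ALLOW line and the line from the unlisted device do not count. The triage output then shows port 22 being denied for three distinct sources, which is the pattern the last bullet tells you to look for.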