Is there a way to deploy a policy with a threshold parameter for a UDS? This isn't a reconnaissance/DoS signature but a normal attack signature I created. The nature of the signature is that sometimes it triggers on false positives, but I know that when a real attack occurs I will see a higher volume of events. For example, I would expect to see the alert trigger over 50 times in 5 minutes. I want to configure a policy to generate an alert only when it sees 50 events in 5 minutes from a single source IP.
The UDS editor doesn't provide the option to create a reconnaissance attack.
A reconnaissance attack should have component attacks (normal signature/behavior-based attacks), and it correlates those component attacks to see whether they meet the threshold within a given time.
But today NSP doesn't have an option to create a UDS reconnaissance attack.
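
The threshold described in the question (50 events in 5 minutes from one source IP), applied outside the sensor to exported alert records; this is an added example, not part of the original thread and not an NSP feature. The record format `timestamp,src_ip,signature`, the signature name `UDS-EXAMPLE` and the IP addresses are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 50                  # events, from the question
WINDOW = timedelta(minutes=5)   # window, from the question

def parse_line(line):
    """Parse a constructed 'ISO-timestamp,src_ip,signature' record (not an NSP format)."""
    ts, src_ip, signature = line.strip().split(",", 2)
    return datetime.fromisoformat(ts), src_ip, signature

def correlate(lines, signature, threshold=THRESHOLD, window=WINDOW):
    """Return [(src_ip, time_threshold_was_reached)] for sources that raise
    `signature` at least `threshold` times inside any sliding `window`."""
    recent = defaultdict(deque)   # src_ip -> timestamps still inside the window
    alerts = []
    for ts, src_ip, sig in sorted(parse_line(l) for l in lines if l.strip()):
        if sig != signature:
            continue
        q = recent[src_ip]
        q.append(ts)
        # Drop events that fall outside the window relative to the newest one.
        while ts - q[0] >= window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((src_ip, ts))
            q.clear()             # re-arm: a new alert needs another full burst
    return alerts

def sample_events():
    """Constructed sample: one bursting source, one occasional false-positive source."""
    start = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    # 10.0.0.5: 60 events, 4 s apart (all within 4 minutes), crosses the threshold
    for i in range(60):
        lines.append(f"{(start + timedelta(seconds=4 * i)).isoformat()},10.0.0.5,UDS-EXAMPLE")
    # 10.0.0.9: 60 events, 30 s apart (at most 10 per 5 minutes), stays below it
    for i in range(60):
        lines.append(f"{(start + timedelta(seconds=30 * i)).isoformat()},10.0.0.9,UDS-EXAMPLE")
    return lines

if __name__ == "__main__":
    for src, when in correlate(sample_events(), "UDS-EXAMPLE"):
        print(f"ALERT {src} reached {THRESHOLD} events within {WINDOW} at {when}")
```

Clearing the per-source queue after an alert means a sustained burst produces one alert per 50 events rather than one per event past the threshold.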