Level 7

Setting Threshold in User-Defined Signature?

Is there a way to deploy a policy with a threshold parameter for a UDS? This isn't a reconnaissance/DoS signature but a normal attack signature I created. The nature of the signature is that sometimes it triggers on false positives, but I know that when a real attack occurs I will see a higher volume of events. For example, I would expect to see the alert trigger over 50 times in 5 minutes. I want to configure a policy to generate an alert only when it sees 50 events in 5 minutes from a single source IP.

Level 7

Re: Setting Threshold in User-Defined Signature?


The UDS editor doesn't provide the option to create a reconnaissance attack.

A reconnaissance attack should have component attacks (normal signature/behavior-based attacks), and it correlates those component attacks to see whether they meet the threshold within a given time.

But today NSP doesn't have an option to create a UDS reconnaissance attack.
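The kind of correlation the answer describes (component alerts counted per source IP against a threshold inside a time window), written here as an added example rather than NSP's own or the thread's own code; the 50-events-in-5-minutes figures come from the question, and the source IPs and timestamps are constructed sample data:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 50                 # hits from one source IP needed to alert
WINDOW = timedelta(minutes=5)  # sliding window those hits must fall in


class ThresholdCorrelator:
    """Sliding-window correlator: fires once when a single source IP
    produces `threshold` or more matching events within `window`."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self._events = defaultdict(deque)  # src_ip -> timestamps in window
        self._alerted_at = {}              # src_ip -> time of last alert

    def feed(self, src_ip, ts):
        """Record one signature hit; return True if it crosses the threshold."""
        q = self._events[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # expire hits outside window
            q.popleft()
        if len(q) >= self.threshold:
            last = self._alerted_at.get(src_ip)
            # suppress repeat alerts until a full window has passed
            if last is None or ts - last >= self.window:
                self._alerted_at[src_ip] = ts
                return True
        return False


def correlate(events, threshold=THRESHOLD, window=WINDOW):
    """events: iterable of (src_ip, datetime) sorted by time.
    Returns the (src_ip, datetime) pairs at which an alert fired."""
    c = ThresholdCorrelator(threshold, window)
    return [(ip, ts) for ip, ts in events if c.feed(ip, ts)]


def sample_events():
    """Constructed input: one host with 8 false positives spread over
    8 minutes, one host with 60 hits inside 4 minutes."""
    start = datetime(2024, 1, 1, 12, 0, 0)
    ev = [("10.0.0.5", start + timedelta(minutes=i)) for i in range(8)]
    ev += [("10.0.0.9", start + timedelta(seconds=4 * i)) for i in range(60)]
    return sorted(ev, key=lambda e: e[1])


if __name__ == "__main__":
    for ip, ts in correlate(sample_events()):
        print(f"ALERT {ip} reached {THRESHOLD} hits within {WINDOW} at {ts}")
```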

