Hello, I configured an Alarm to monitor possible DDoS attacks. For example, when traffic increased on a device by 200% in a short time interval.
In this example I'm using netflow on router.
Is it correct?
This will yield a lot of false positives.
I would consider doing this as a correlation rule if you have an ACE and use a deviation factor.
As Paul_k mentions, this will raise a lot of false alarms, and you should look at correlations.
Perhaps you can define specific src and destinations, ports, or other measures.
You might be able to get help from your network team, looking at some availability stats and such.
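As an added example (not code from this thread, and not McAfee ESM/ACE configuration), the Python below shows the false-positive problem the replies describe: a raw "200% over the previous interval" alarm fires on an ordinary morning ramp-up, while a deviation-from-baseline rule scoped per destination and port fires only on the flood. The flow records, the 5-minute interval and the standard-deviation floor are constructed assumptions.

```python
"""Compare a raw +200% spike alarm with a baseline-deviation rule over
constructed NetFlow-style byte counts, grouped per destination/port.
Assumed interval: 5 minutes; all numbers below are made up for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (interval, dst_ip, dst_port, bytes). Interval 1 is a
# normal morning ramp-up (+220% vs. the quiet interval before it); interval
# 13 is the only genuine flood.
FLOWS = [(i, "10.0.0.5", 443, b) for i, b in enumerate([
    1_000_000, 3_200_000, 3_400_000, 3_600_000, 3_500_000, 3_300_000,
    3_600_000, 3_400_000, 3_500_000, 3_700_000, 3_400_000, 3_600_000,
    3_500_000, 40_000_000])]

def series_by_target(flows):
    """Sum bytes per (dst_ip, dst_port) for each interval, in interval order."""
    per_target = defaultdict(lambda: defaultdict(int))
    for interval, dst, port, nbytes in flows:
        per_target[(dst, port)][interval] += nbytes
    return {t: [v[k] for k in sorted(v)] for t, v in per_target.items()}

def percent_rule(series, pct=200):
    """Fire when an interval is at least pct% above the previous interval."""
    return [i for i in range(1, len(series))
            if series[i] >= series[i - 1] * (1 + pct / 100)]

def deviation_rule(series, window=6, factor=3.0, floor=0.01):
    """Fire when an interval exceeds mean + factor * stddev of the previous
    `window` intervals. No alarm until a full window exists. `floor` is an
    assumed minimum stddev (as a fraction of the mean) so a perfectly flat
    baseline does not alarm on tiny jitter."""
    hits = []
    for i in range(window, len(series)):
        prev = series[i - window:i]
        mu = mean(prev)
        sigma = max(pstdev(prev), floor * mu)
        if series[i] > mu + factor * sigma:
            hits.append(i)
    return hits

def evaluate(flows):
    """Run both rules for every (dst_ip, dst_port) seen in the flows."""
    return {target: {"percent": percent_rule(s), "deviation": deviation_rule(s)}
            for target, s in series_by_target(flows).items()}

if __name__ == "__main__":
    for target, result in evaluate(FLOWS).items():
        print(target, result)
```

On the constructed data the percent rule reports intervals 1 and 13, the deviation rule only 13.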