1 Reply Latest reply on Jul 7, 2011 2:52 AM by sjang

    Setting Threshold in User-Defined Signature?

      Is there a way to deploy a policy with a threshold parameter for a UDS?  This isn't a reconnaissance/DoS signature but a normal attack signature I created.  The nature of the signature is that sometimes it triggers on false positives, but I know that when a real attack occurs I will see a higher volume of events.  For example, I would expect to see the alert trigger over 50 times in 5 minutes.  I want to configure a policy to generate an alert only when it sees 50 events in 5 minutes from a single source IP.

        • 1. Re: Setting Threshold in User-Defined Signature?



          The UDS editor doesn't provide the option to create a reconnaissance attack.

          A reconnaissance attack should have component attacks (normal signature/behavior-based attacks), and it correlates those component attacks to see whether they meet the threshold within a given time.

          But today NSP doesn't have an option to create a UDS reconnaissance attack.
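
The per-source threshold described in the question (50 hits of one signature in 5 minutes from a single source IP), sketched as a sliding-window correlation applied to alerts after they leave the sensor. This is an added example, not part of the thread and not an NSP feature; the `(timestamp, source IP)` event format, the function names and the sample data are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 50                   # events per source, from the question
WINDOW = timedelta(minutes=5)    # correlation window, from the question
BASE = datetime(2011, 7, 7, 2, 0, 0)   # constructed start time for the sample


def correlate(events, threshold=THRESHOLD, window=WINDOW):
    """Return one (timestamp, src_ip, count) per burst that reaches the threshold.

    events: (timestamp, src_ip) pairs for a single signature, sorted by time
    (assumed export format, not an NSP interface).
    """
    recent = defaultdict(deque)   # src_ip -> timestamps still inside the window
    quiet_until = {}              # src_ip -> time before which no new escalation
    escalations = []
    for ts, src in events:
        seen = recent[src]
        seen.append(ts)
        # Drop hits that have aged out of the sliding window.
        while ts - seen[0] >= window:
            seen.popleft()
        if len(seen) >= threshold and ts >= quiet_until.get(src, ts):
            escalations.append((ts, src, len(seen)))
            quiet_until[src] = ts + window   # one escalation per burst
    return escalations


def sample_events():
    """Constructed sample: one noisy false-positive source, one real burst."""
    noisy = [(BASE + timedelta(seconds=10 * i), "192.0.2.10") for i in range(60)]
    burst = [(BASE + timedelta(seconds=4 * i), "198.51.100.7") for i in range(60)]
    return sorted(noisy + burst)


if __name__ == "__main__":
    for ts, src, count in correlate(sample_events()):
        print(f"{ts} escalate {src}: {count} hits within {WINDOW}")
```

The noisy source never exceeds 30 hits in any 5-minute window and stays silent; the burst source escalates once, at its 50th hit.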