3 Replies Latest reply on Aug 26, 2016 11:52 AM by andy777

    DoS Content Pack

    dzh01

Has anyone had any success in setting up the DoS Content Pack? I've had several events where a single IP which usually receives around 20-50 flows per minute received over 50k per minute for 10 minutes. I felt this should have triggered the correlation rule "DoS - Possible DDoS Against Single Host - TCP - Flow" since the rule states "It detects a possible DDoS attack by looking for a five standard deviation increase in the number of unique hosts sending TCP packets to a single destination. It also checks to see if there are at least 1000 distinct source IP addresses." What could I be doing wrong? The IP addresses have been set in the appropriate variables and if I check in flow views I'm able to see the actual flows. I'm using historical correlation in order to tune the rule.


      Thanks!
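The two conditions quoted from the rule description (a five-standard-deviation jump in the number of unique TCP sources hitting one destination, and at least 1000 distinct source addresses) can be modelled on flow records to see which traffic shapes satisfy both. The block below is an added illustration written for this thread, not code from the DoS Content Pack or the SIEM vendor; it assumes per-minute buckets, a 30-minute baseline window, a sample standard deviation, and constructed flow records, all of which are simplifications and not how the product computes the rule.

```python
"""Toy evaluation of a "5-sigma unique-source spike + >= 1000 sources" rule
over constructed flow records (added example, not the content pack's code)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, stdev


@dataclass(frozen=True)
class Flow:
    minute: int   # time bucket index (one bucket per minute)
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"


def unique_tcp_sources_per_minute(flows, dst):
    """Map minute -> number of distinct TCP source IPs seen talking to dst."""
    buckets = defaultdict(set)
    for f in flows:
        if f.dst == dst and f.proto == "tcp":
            buckets[f.minute].add(f.src)
    return {m: len(srcs) for m, srcs in buckets.items()}


def evaluate(flows, dst, current_minute, baseline_minutes,
             sigma=5.0, min_sources=1000):
    """Apply both quoted conditions to one minute against a baseline window.
    Assumption: baseline = mean + sigma * sample stdev of unique-source counts."""
    counts = unique_tcp_sources_per_minute(flows, dst)
    baseline = [counts.get(m, 0) for m in baseline_minutes]
    threshold = mean(baseline) + sigma * stdev(baseline)
    current = counts.get(current_minute, 0)
    deviation_ok = current > threshold
    min_sources_ok = current >= min_sources
    return {
        "unique_sources": current,
        "threshold": round(threshold, 1),
        "deviation_ok": deviation_ok,
        "min_sources_ok": min_sources_ok,
        "fires": deviation_ok and min_sources_ok,
    }


TARGET = "192.0.2.10"  # constructed destination address (documentation range)
BASELINE_MINUTES = range(0, 30)


def build_sample_flows():
    """Constructed data: 30 quiet minutes with 20-50 distinct sources each,
    then three test minutes with different traffic shapes."""
    flows = []
    for m in BASELINE_MINUTES:
        n = 20 + (m * 7) % 31  # deterministic 20..50 distinct sources
        for i in range(n):
            flows.append(Flow(m, f"198.51.100.{i + 1}", TARGET, "tcp"))
    # Minute 30: 50,000 flows but only 40 distinct sources (volume spike).
    for i in range(40):
        flows.extend(Flow(30, f"203.0.113.{i + 1}", TARGET, "tcp")
                     for _ in range(1250))
    # Minute 31: 200 distinct sources (beyond 5 sigma, below 1000 sources).
    for i in range(200):
        flows.append(Flow(31, f"10.1.{i // 256}.{i % 256}", TARGET, "tcp"))
    # Minute 32: 1200 distinct sources (both conditions satisfied).
    for i in range(1200):
        flows.append(Flow(32, f"10.2.{i // 256}.{i % 256}", TARGET, "tcp"))
    return flows


def flow_count(flows, dst, minute):
    return sum(1 for f in flows if f.dst == dst and f.minute == minute)


def run_scenarios():
    flows = build_sample_flows()
    return {m: evaluate(flows, TARGET, m, BASELINE_MINUTES) for m in (30, 31, 32)}


if __name__ == "__main__":
    flows = build_sample_flows()
    print("flows in minute 30:", flow_count(flows, TARGET, 30))
    for minute, result in run_scenarios().items():
        print(minute, result)
```

With the constructed baseline the threshold works out to roughly 80 unique sources, so the 50,000-flow minute from 40 hosts does not satisfy the deviation condition at all, the 200-source minute passes the deviation check but fails the 1000-source floor, and only the 1200-source minute meets both. When tuning this kind of rule against historical data, it helps to chart distinct sources per minute alongside flow count, since the rule text keys on the former.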