https://community.cisco.com/t5/network-security/alert-after-20-attempts/m-p/1260053#M76822 <P>Is there some way to create a signature that would produce an alert (eventually changing this to a deny connection) after any IP address hits the server 20 times in 60 seconds? I have tried using automatic IP which did not work and the Flood service engine does not allow a specific IP address to be specified. We are only concerned with one specific server, other servers in our network may be hit more then this.</P> Sun, 10 Mar 2019 11:41:00 GMT hclauss 2019-03-10T11:41:00Z https://community.cisco.com/t5/network-security/alert-after-20-attempts/m-p/1260053#M76822 <P>Is there some way to create a signature that would produce an alert (eventually changing this to a deny connection) after any IP address hits the server 20 times in 60 seconds? I have tried using automatic IP which did not work and the Flood service engine does not allow a specific IP address to be specified. We are only concerned with one specific server, other servers in our network may be hit more then this.</P> Sun, 10 Mar 2019 11:41:00 GMT https://community.cisco.com/t5/network-security/alert-after-20-attempts/m-p/1260053#M76822 hclauss 2019-03-10T11:41:00Z https://community.cisco.com/t5/network-security/alert-after-20-attempts/m-p/1260054#M76823 <HTML><HEAD></HEAD><BODY><P>Harry,</P><P></P><P>This solution is probably not ideal, but if you can create the appropriate flood signature that you mentioned you could setup an Event Action Filter to remove all actions from the signature when the IP address is anything but the one you want to alert on.</P><P></P><P>Maybe someone else has a better way?</P><P></P><P>Hope that helps.</P><P></P><P>-Mike</P></BODY></HTML> Tue, 30 Jun 2009 19:07:06 GMT https://community.cisco.com/t5/network-security/alert-after-20-attempts/m-p/1260054#M76823 robertson.michael 2009-06-30T19:07:06Z https://community.cisco.com/t5/network-security/alert-after-20-attempts/m-p/1260055#M76824 <HTML><HEAD></HEAD><BODY><P>take stroll through the IPS signatures on your device especially the ones that set to deny/block hosts and just clone one and modify it to your liking.</P></BODY></HTML> Wed, 01 Jul 2009 06:01:06 GMT https://community.cisco.com/t5/network-security/alert-after-20-attempts/m-p/1260055#M76824 michael.d.brown 2009-07-01T06:01:06Z