Hello everyone,
I recently created a custom Snort rule on my Firepower 8130 sensor. It is a really simple rule to detect excessive connections in x seconds from the same source IP address. I applied the rule in the intrusion policy and then deployed the changes.
The rule is made as follows:
Action: Alert
Protocol: tcp
Source IPs: any
Source Port: any
Dest IPs: 200.x.x.x
Dest Port: any
Detection options
detection_filter: track by_src, count 500, seconds 60.
metadata: policy max-detect-ips drop
What we want to achieve with this rule is to have better visibility in Firepower of those who are generating excessive traffic to this server.
I'm not very acquainted with the Snort language and writing Snort rules, but as far as I know this rule should allow us to see when the same IP address generates at least 500 connections to this web server and generate an "Intrusion event". Everything goes well, but when I see an intrusion event for this custom rule and check the connections, I don't see the 500 entries for the source IP.
This makes me doubt how the rule detects connections; most connections to this server are to HTTP/HTTPS ports.
My question is: does this small rule allow us to do what we need, or should we make some change to it?
Best regards.
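To show what a detection_filter actually counts, here is an added Python simulation that is not part of the original post and not Snort's or Cisco's own code. A detection_filter counts rule matches, and a rule with no content or flow option matches every TCP packet sent to the destination, so one web connection contributes several matches; the traffic, the server address 200.0.2.10 and the client addresses are constructed, and the window handling is a simplification of Snort's (assumed here to fire once the per-source match count inside the window exceeds count).

```python
from collections import namedtuple

Packet = namedtuple("Packet", "ts src dst dport flags")

SERVER = "200.0.2.10"  # constructed stand-in for the post's 200.x.x.x


def http_connection(ts, src, dst, dport="80"):
    """Constructed short HTTP exchange: handshake, request/response, teardown.
    Ten packets to the server side count as ten rule matches, one connection."""
    flags = ["S", "SA", "A", "PA", "A", "PA", "A", "FA", "FA", "A"]
    return [Packet(ts + i * 0.01, src, dst, dport, f) for i, f in enumerate(flags)]


def rule_matches(pkt, dst_ip):
    """The post's rule: alert tcp any any -> <dst_ip> any, no payload condition."""
    return pkt.dst == dst_ip


def detection_filter_by_src(packets, dst_ip, count, seconds):
    """Simplified 'detection_filter: track by_src, count c, seconds s'.
    A source's window opens at its first match; matches past the window
    restart it. Assumption: the rule fires on every match once the count
    inside the window is greater than `count`. Returns (ts, src) per event."""
    state = {}   # src -> (window_start, matches_in_window)
    events = []
    for pkt in sorted(packets):
        if not rule_matches(pkt, dst_ip):
            continue
        start, n = state.get(pkt.src, (pkt.ts, 0))
        if pkt.ts - start > seconds:
            start, n = pkt.ts, 0       # window expired, start a new one
        n += 1
        state[pkt.src] = (start, n)
        if n > count:
            events.append((pkt.ts, pkt.src))
    return events


def scenario():
    """One client opens 60 HTTP connections in a minute, another opens 30.
    Returns (connections from the first client, events raised, sources hit)."""
    pkts = []
    for i in range(60):
        pkts += http_connection(1000 + i, "203.0.113.7", SERVER)
    for i in range(30):
        pkts += http_connection(1000 + i, "198.51.100.9", SERVER)
    events = detection_filter_by_src(pkts, SERVER, count=500, seconds=60)
    conns = sum(1 for p in pkts if p.src == "203.0.113.7" and p.flags == "S")
    return conns, len(events), {src for _, src in events}
```

Only 60 connection records exist for the alerting source, yet its 600 packet matches exceed the count of 500 and raise 100 events, while the second client's 300 matches never trip the filter.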