Greetings: From time to time I get bombarded with several hundred "FTP brute force (multiple failed logins)" rule 11510 and "Multiple connection attempts from same source" rule 11511 alerts.

I've been trying to rewrite the rules so I don't get notifications of the same attacker several hundred times. This is what I tried last:

    <rule id="11510" level="13" frequency="10" timeframe="360" ignore="900" overwrite="yes">
      <if_matched_sid>11502</if_matched_sid>
      <description>FTP brute force (multiple failed logins).</description>
      <group>authentication_failures,</group>
    </rule>

    <rule id="11511" level="10" frequency="10" timeframe="30" ignore="900" overwrite="yes">
      <if_matched_sid>11501</if_matched_sid>
      <same_source_ip />
      <description>Multiple connection attempts from same source.</description>
      <group>recon,</group>
    </rule>

Yet, when I got up this morning, there were close to 400 alerts (combined for the above two rules), all from 61.136.188.83 trying to brute force FTP on the same physical server. If I understand the ignore correctly, the 900 would be 900 seconds or 15 minutes; and yet most of the alerts were within one to five minutes apart. What do I need to change so that within a 15-minute period, I do not receive the alert more than once for the same attacking IP address? Thank you.