Greetings:

From time to time I get bombarded with several hundred "FTP brute
force (multiple failed logins)" rule 11510 and "Multiple connection
attempts from same source" 11511 alerts.

I've been trying to rewrite the rule so I don't get notifications of
the same attacker several hundred times.

This is what I have tried last:

  <rule id="11510" level="13" frequency="10" timeframe="360"
        ignore="900" overwrite="yes">
    <if_matched_sid>11502</if_matched_sid>
    <description>FTP brute force (multiple failed logins).</description>
    <group>authentication_failures,</group>
  </rule>

  <rule id="11511" level="10" frequency="10" timeframe="30"
        ignore="900" overwrite="yes">
    <if_matched_sid>11501</if_matched_sid>
    <same_source_ip />
    <description>Multiple connection attempts from same source.</description>
    <group>recon,</group>
  </rule>

Yet, when I got up this morning, close to 400 alerts (combined for the
above two rules) all from 61.136.188.83 trying to brute force FTP on
the same physical server.

If I understand the ignore correctly, the 900 would be 900 seconds or
15 minutes; and yet most of the alerts were within one to five minutes
apart.

What do I need to change so that within a 15-minute period, I do not
receive the alert more than once for the same attacking IP address?

Thank you.
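An added illustration, not part of the original post: a small Python model of the frequency/timeframe/ignore semantics as the poster reads them (an assumption about how such a threshold behaves, not OSSEC's own matching code), replayed over a constructed burst of 400 failed logins from one address to show how many alerts each setting would yield. The address and event timing are constructed sample data.

```python
from collections import defaultdict, deque

# Constructed sample: 400 failed FTP logins from one address, one every
# 6 seconds over 40 minutes (a stand-in for the burst the poster saw).
EVENTS = [(t, "203.0.113.5") for t in range(0, 2400, 6)]


class ThresholdRule:
    """Sliding-window threshold with a per-source cooldown.

    Models frequency/timeframe/ignore the way the poster reads them:
    `frequency` events within `timeframe` seconds fire once, then that
    source is muted for `ignore` seconds. This is an assumption for
    illustration, not OSSEC's own implementation.
    """

    def __init__(self, rule_id, frequency, timeframe, ignore):
        self.rule_id = rule_id
        self.frequency = frequency
        self.timeframe = timeframe
        self.ignore = ignore
        self.windows = defaultdict(deque)   # src_ip -> recent event times
        self.muted_until = {}               # src_ip -> end of cooldown

    def feed(self, ts, src_ip):
        """Return (rule_id, ts, src_ip) if the rule fires on this event."""
        win = self.windows[src_ip]
        win.append(ts)
        while win and ts - win[0] > self.timeframe:  # drop stale events
            win.popleft()
        if len(win) < self.frequency:
            return None
        win.clear()                                  # threshold reached
        if ts < self.muted_until.get(src_ip, 0):
            return None                              # still in cooldown
        self.muted_until[src_ip] = ts + self.ignore
        return (self.rule_id, ts, src_ip)


def alerts_for(events, rule_id=11510, frequency=10, timeframe=360, ignore=900):
    """Replay events through one rule and collect the alerts it emits."""
    rule = ThresholdRule(rule_id, frequency, timeframe, ignore)
    return [a for a in (rule.feed(t, ip) for t, ip in events) if a]


if __name__ == "__main__":
    for ignore in (0, 900):
        fired = alerts_for(EVENTS, ignore=ignore)
        print(f"ignore={ignore:>3}: {len(fired)} alerts, first at t={fired[0][1]}s")
```

With these semantics the 400-event burst yields 40 alerts with no cooldown and 3 with ignore="900", one per 15-minute window; if a live deployment produces far more than that, the cooldown is not being applied the way this model assumes.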
