(in reflected attacks a lotof external benign src’s send a lotof packets toward our servers, because our server’s IP spoofed before in request packets and were sent by attacker toward trusted servers and those trusted servers replied us instead of attacker ! ) index=firewall dest=(your company IP range, for example: 184.192.0.0/16) (transport=”udp” AND src_port IN(123,1900,0,53,5353,27015,19,20800,161,389,111,137,27005,520,6881,751,11211,1434,27960,17) AND […]
IPS Traffic Increase
You can use this for any type of baselining alerts around a predefined standard deviation. I used the IDS data model but the same logic can be applied to any random index. |`tstats` count from datamodel=Intrusion_Detection.IDS_Attacks where IDS_Attacks.ids_type=”network” by IDS_Attacks.dest,_time span=10m | stats count by IDS_Attacks.dest,_time| eval threshold=relative_time(now(),”-10m”) | stats max(eval(if(_time>=threshold, count null()))) as latest […]
