Suricata baseline deviation from expected IP requests

This rule is part of a beta feature. To learn more, contact Support.

Classification: anomaly

Set up the Suricata integration.


Goal

Detect an unusually high number of unique IP addresses connecting to a server, which could indicate a Distributed Denial-of-Service (DDoS) attack, a scanning attempt, or other malicious activity.

Strategy

Monitor Suricata logs for a server receiving connections from an unusually high number of unique IP addresses within a short period. This detection rule aims to identify potential threats early, allowing timely investigation and mitigation to protect server resources and maintain service availability.
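An added example of this strategy, not part of the rule or of Suricata itself: it reads constructed Suricata EVE JSON flow records, counts distinct source IPs per destination in one-minute windows, and flags a window whose count deviates from the baseline of the preceding windows. The field names (timestamp, event_type, src_ip, dest_ip) are Suricata's EVE fields; the baseline parameters (k=3 standard deviations, absolute floor of 10 sources, 3 windows of history) are assumptions chosen for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed EVE JSON flow records (not real traffic): four quiet minutes with
# two sources each, then one minute in which 40 distinct sources hit the server.
SAMPLE_EVE = [
    json.dumps({"timestamp": f"2024-05-01T10:{m:02d}:00.000000+0000",
                "event_type": "flow", "src_ip": f"10.0.0.{s}",
                "dest_ip": "192.0.2.10", "dest_port": 443, "proto": "TCP"})
    for m, srcs in [(0, (1, 2)), (1, (1, 3)), (2, (2, 4)), (3, (1, 2)),
                    (4, tuple(range(20, 60)))]
    for s in srcs
]

def parse_ts(ts):
    # Suricata writes offsets like "+0000", which %z accepts.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")

def unique_sources_per_window(lines, window=timedelta(minutes=1)):
    """Return {dest_ip: [(window_start, set_of_src_ips), ...]} in time order."""
    buckets = defaultdict(lambda: defaultdict(set))
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") not in ("flow", "alert"):
            continue  # other EVE types (dns, http, stats) carry no new peer info
        ts = parse_ts(ev["timestamp"])
        # Align the event to the start of its tumbling window.
        start = ts - timedelta(seconds=ts.timestamp() % window.total_seconds())
        buckets[ev["dest_ip"]][start].add(ev["src_ip"])
    return {dst: sorted(w.items()) for dst, w in buckets.items()}

def flag_deviations(series, min_history=3, k=3.0, floor=10):
    """Flag windows whose unique-source count exceeds mean + k*stdev of the
    preceding windows; the floor suppresses alerts on tiny, flat baselines."""
    flagged = []
    for dst, windows in series.items():
        history = []
        for start, srcs in windows:
            n = len(srcs)
            if len(history) >= min_history:
                threshold = max(floor, mean(history) + k * pstdev(history))
                if n > threshold:
                    flagged.append((dst, start, n, round(threshold, 1)))
            history.append(n)
    return flagged

if __name__ == "__main__":
    for dst, start, n, thr in flag_deviations(unique_sources_per_window(SAMPLE_EVE)):
        print(f"{start:%H:%M} {dst}: {n} unique sources (baseline threshold {thr})")
```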

Triage and response

  1. Assess the reputation of the source IP addresses for known threats.
  2. Check if there are common characteristics among the source IPs (e.g., geographical clustering, similar ISP).
  3. If malicious, reduce the impact by rate limiting, blocking, or filtering suspicious IPs.
  4. Inform IT security teams and management about the incident and actions taken.