Suricata baseline deviation from expected IP requests

This rule is part of a beta feature. To learn more, contact Support.
suricata

Classification:

anomaly

Set up the suricata integration.

Goal

Detect an unusually high number of unique IP addresses connecting to a server, which could indicate a Distributed Denial-of-Service (DDoS) attack, a scanning attempt, or other forms of malicious activities.

Strategy

Monitor Suricata logs where a server is receiving connections from an unusually high number of unique IP addresses within a short period. This detection rule aims to identify potential threats early, allowing for timely investigation and mitigation to protect server resources and maintain service availability.

Triage and response

  1. Assess the reputation of the source IP addresses for known threats.
  2. Check if there are common characteristics among the source IPs (e.g., geographical clustering, similar ISP).
  3. If malicious, reduce the impact by rate limiting, blocking, or filtering suspicious IPs.
  4. Inform IT security teams and management about the incident and actions taken.