Helo World

This document contains rules for detecting excessive firewall denies from local hosts. It defines three rules - one for denies from local to local, one from local to remote, and notes about tuning the rules. The local to local rule looks for over 1000 denies from the same source IP to over 50 destination IPs within 20 minutes, excluding known systems. The local to remote rule is similar but looks for over 100 denies within 5 minutes. Notes suggest monitoring normal deny counts and source IPs.

Uploaded by

Rajbir Singh

Apply SOC_Excessive Firewall Denies from Local Host on events which are detected by the Local system

and when the event context is Local to Local, Local to Remote

and when any of these BB:CategoryDefinition: Firewall or ACL Denies with the same source IP more than 1000 times, across more than 50 destination IP within 20 minutes

and NOT when the destination port is one of the following 7680, 9000, 5004, 33434, 123

and NOT when the event matches Rulename (custom) contains any of posture-check

and NOT when the source IP is one of the following 0.0.0.0, 10.45.0.61, 10.45.0.62, 10.45.0.63

and NOT when the event matches Direction is L2L, Source IP is 10.44.224.20, Destination Port is any of [51114 or 137 or 445 or 135 or 139]

and NOT when the source IP is one of the following 10.44.225.8

and NOT when the event matches Direction is L2L, Source IP is 10.222.0.193, Destination Port is 33369

and NOT when the event matches Direction is L2L, Source IP is 10.244.0.118, Destination Port is 61150

Firewall Excessive deny connections from Local to Local

Apply SOC_Excessive Firewall Denies from Local Host on events which are detected by the Local system

and when any of these BB:CategoryDefinition: Firewall or ACL Denies with the same source IP more than 1000 times, across more than 50 destination IP within 10 minutes

and when the event context is Local to Local

and NOT when the event matches Rulename (custom) contains any of posture-check

and NOT when the destination port is one of the following 7680, 9000, 5004, 33434, 123

and NOT when the source IP is one of the following 10.44.225.8, 0.0.0.0, 10.45.0.61, 10.45.0.62, 10.45.0.63

and NOT when the event matches Direction is L2L, Source IP is any of [10.44.224.20 or 10.222.0.193 or 10.244.0.118], Destination Port is any of [51114 or 137 or 445 or 135 or 139 or 33369 or 61150]

Note: This rule can be further tuned by monitoring the denied event count per source IP towards each destination IP.
Firewall Excessive deny connections from Local to Remote

Apply SOC_Excessive Firewall Denies from Local Host on events which are detected by the Local system

and when any of these BB:CategoryDefinition: Firewall or ACL Denies with the same source IP more than 100 times, across more than 20 destination IP within 5 minutes

and when the event context is Local to Remote

and NOT when the event matches Rulename (custom) contains any of posture-check

and NOT when the destination port is one of the following 7680, 9000, 5004, 33434, 123

and NOT when the source IP is one of the following 10.44.225.8, 0.0.0.0, 10.45.0.61, 10.45.0.62, 10.45.0.63

Note: Please check the ports and source IPs listed above; they should be monitored for outbound connections, and the threshold set according to the deny event count per 10 minutes.

(We need to establish the normal deny event count as a baseline, and also identify which source IPs are generating these deny events.)
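The same threshold logic as the three rules above, expressed as a sliding-window counter over normalised deny events, as an added example that is not part of the original document. The exclusion lists and thresholds are copied from the rule text; the event field names, the helper `make_events` and the sample events are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Exclusions copied from the rule text above
EXCLUDED_PORTS = {7680, 9000, 5004, 33434, 123}
EXCLUDED_SRC = {"0.0.0.0", "10.45.0.61", "10.45.0.62", "10.45.0.63", "10.44.225.8"}
L2L_EXCLUDED_SRC = {"10.44.224.20", "10.222.0.193", "10.244.0.118"}
L2L_EXCLUDED_PORTS = {51114, 137, 445, 135, 139, 33369, 61150}
# Thresholds per event context: (deny count, distinct destination IPs, window)
THRESHOLDS = {"L2L": (1000, 50, timedelta(minutes=10)), "L2R": (100, 20, timedelta(minutes=5))}

def is_excluded(ev):
    """The rule's 'and NOT when' tests applied to one normalised deny event."""
    if ev["dport"] in EXCLUDED_PORTS or ev["src"] in EXCLUDED_SRC:
        return True
    if "posture-check" in ev["rulename"]:
        return True
    # tuple exclusion: only for L2L traffic from the listed hosts to the listed ports
    return (ev["direction"] == "L2L" and ev["src"] in L2L_EXCLUDED_SRC
            and ev["dport"] in L2L_EXCLUDED_PORTS)

def excessive_denies(events):
    """Return {(direction, src)} pairs that exceed both thresholds inside the sliding window."""
    windows = defaultdict(deque)  # (direction, src) -> deque of (time, dst) inside the window
    offenders = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["direction"] not in THRESHOLDS or is_excluded(ev):
            continue
        count_thr, dst_thr, window = THRESHOLDS[ev["direction"]]
        q = windows[(ev["direction"], ev["src"])]
        q.append((ev["time"], ev["dst"]))
        while ev["time"] - q[0][0] > window:  # drop denies older than the window
            q.popleft()
        if len(q) > count_thr and len({dst for _, dst in q}) > dst_thr:
            offenders.add((ev["direction"], ev["src"]))
    return offenders

def make_events(src, n, dsts, dport, direction, rulename="deny-all"):
    """Constructed sample: n denies one second apart, cycling through dsts."""
    t0 = datetime(2024, 1, 1, 9, 0)
    return [{"time": t0 + timedelta(seconds=i), "src": src, "dst": dsts[i % len(dsts)],
             "dport": dport, "direction": direction, "rulename": rulename} for i in range(n)]

REMOTE = [f"203.0.113.{i}" for i in range(25)]  # constructed destination addresses
SAMPLE = (make_events("10.44.230.5", 150, REMOTE, 3389, "L2R")       # fires: >100 denies, 25 dsts
          + make_events("10.44.230.6", 150, REMOTE, 123, "L2R")      # excluded destination port
          + make_events("10.45.0.61", 150, REMOTE, 22, "L2R")        # excluded source IP
          + make_events("10.44.230.7", 150, REMOTE[:10], 443, "L2R"))  # only 10 destinations

if __name__ == "__main__":
    print(excessive_denies(SAMPLE))  # {('L2R', '10.44.230.5')}
```

Running the sample shows why both thresholds matter: the host hitting 10 destinations 150 times stays silent, and the baseline-noise sources (port 123, the excluded scanner addresses) never reach the counter.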
