Topic
  • 1 reply
  • Latest Post - 2013-08-07T14:32:15Z by dwight s (IBM)
GregMathes
4 Posts

Pinned topic Determine Hits Per Min Per Source IP on Firewall

2013-08-06T19:53:06Z

I am looking for a good way to determine the hits per minute per source IP on my firewall. We have a couple of rules looking for spikes in traffic on our sites that could be possible DoS events. I am looking for a good way to determine the proper threshold of what is the normal amount of hits per source IP per minute incoming into our network.

Any help on a good way to configure this kind of search would be greatly appreciated.

  • dwight s (IBM)
    7 Posts

    Re: Determine Hits Per Min Per Source IP on Firewall

    2013-08-07T14:32:15Z

    Hi Greg ... here's a search I would suggest under Log Activity

    time window:
    - suggest 5 minutes of data at busier point of the day

    filters:
    - limit to log source, firewall
    - direction: R2L (remote to local / inbound)

    column definition:
    - group by: source ip

    order by:
    - event count (sum)

    This, however, won't give you a per-minute count, but it will tell you which of the remote, inbound source IPs are generating the most sessions. You could further filter on or group by the event category to see which types of events are getting in. Note, this is likely to give you a fairly large result set, especially if you create a search that's grouped on "source ip + event category". I would run this for a few 5-minute windows in the day, but I would limit the largest time window to an hour at the most, until you see how many results you are going to get.

    dwight
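As an added example (not part of either post, and not QRadar's own search or AQL), the following Python script does offline what the search above does in Log Activity and adds the per-minute count Greg asked for: it parses constructed firewall lines (the field layout, hostnames and addresses are assumptions, not a real vendor format), keeps only inbound events, buckets them per source IP per minute, ranks sources by total event count, and derives a baseline threshold (mean plus three standard deviations of the per-minute counts). It also shows why the baseline should be computed with any known spike left out: computed over the raw window, the one bursting source lifts the threshold to almost its own rate, so it would barely be flagged.

```python
"""Hits per minute per source IP from firewall log lines (constructed sample data)."""
import math
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed 5-minute window: (minute, source ip, direction, hits).
# "inbound" plays the role of QRadar's R2L (remote to local) direction filter.
SPEC = [
    ("19:50", "203.0.113.10", "inbound", 2), ("19:51", "203.0.113.10", "inbound", 2),
    ("19:52", "203.0.113.10", "inbound", 2), ("19:53", "203.0.113.10", "inbound", 2),
    ("19:54", "203.0.113.10", "inbound", 2),
    ("19:50", "203.0.113.20", "inbound", 3), ("19:51", "203.0.113.20", "inbound", 1),
    ("19:52", "203.0.113.20", "inbound", 2), ("19:53", "203.0.113.20", "inbound", 4),
    ("19:54", "203.0.113.20", "inbound", 2),
    ("19:52", "192.0.2.7", "inbound", 1),
    ("19:51", "10.0.0.5", "outbound", 6),    # local host; dropped by the direction filter
    ("19:53", "198.18.0.9", "inbound", 30),  # one remote host bursting within a single minute
]

# Assumed syslog-like layout: "<ts> <host> <action> dir=<dir> src=<ip> dst=<ip> dport=<n>"
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ \S+ dir=(?P<dir>inbound|outbound) src=(?P<src>\S+) ")


def build_sample_log(spec=SPEC):
    """Render the constructed spec into raw log lines, as a firewall would emit them."""
    lines = []
    for minute, src, direction, hits in spec:
        for i in range(hits):
            lines.append(f"2013-08-06T{minute}:{i % 60:02d}Z fw01 ACCEPT dir={direction} "
                         f"src={src} dst=198.51.100.5 dport=443")
    return lines


def parse_line(line):
    """Return {minute, direction, src} for one line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"minute": ts.strftime("%Y-%m-%d %H:%M"), "direction": m["dir"], "src": m["src"]}


def hits_per_minute(lines, direction="inbound"):
    """Filter on direction, then group by source IP and by minute: buckets[src][minute] = hits."""
    buckets = defaultdict(Counter)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["direction"] != direction:
            continue
        buckets[ev["src"]][ev["minute"]] += 1
    return buckets


def rank_sources(buckets):
    """(src, total hits, peak hits in any one minute), ordered by total like 'event count (sum)'."""
    rows = [(src, sum(c.values()), max(c.values())) for src, c in buckets.items()]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


def suggest_threshold(buckets, k=3.0, exclude=()):
    """Baseline hits/min threshold: mean + k * population stdev over all (src, minute) buckets.
    Sources in `exclude` (e.g. a spike you already know about) are left out of the baseline."""
    counts = [n for src, c in buckets.items() if src not in exclude for n in c.values()]
    return statistics.mean(counts) + k * statistics.pstdev(counts)


def flag_sources(buckets, threshold):
    """Sources whose peak per-minute count exceeds the threshold, sorted for stable output."""
    return sorted(src for src, total, peak in rank_sources(buckets) if peak > threshold)


if __name__ == "__main__":
    buckets = hits_per_minute(build_sample_log())
    print(f"{'source ip':<14} {'total':>5} {'peak/min':>8}")
    for src, total, peak in rank_sources(buckets):
        print(f"{src:<14} {total:>5} {peak:>8}")
    raw = suggest_threshold(buckets)
    clean = suggest_threshold(buckets, exclude=flag_sources(buckets, raw))
    print(f"threshold over raw window: {math.ceil(raw)} hits/min -> flags {flag_sources(buckets, raw)}")
    print(f"threshold with spike excluded: {math.ceil(clean)} hits/min -> flags {flag_sources(buckets, clean)}")
```

Running the script over the constructed window lists the sources the way dwight's search would (the bursting host first, then the two steady remote hosts), and the two threshold lines show the point about baselining: the raw window yields a threshold of about 28 hits/min, which the 30-hit burst only just exceeds, while recomputing with that source excluded yields about 5 hits/min, a figure that the steady sources stay under and that catches the burst by a wide margin. In practice the same pass is repeated over several busy 5-minute windows, as the answer suggests, before a rule threshold is chosen.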