Suricata baseline deviation from expected IP requests
Set up the suricata integration.
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect an unusually high number of unique IP addresses connecting to a server, which could indicate a Distributed Denial-of-Service (DDoS) attack, a scanning attempt, or other forms of malicious activities.
Strategy
Monitor Suricata logs where a server is receiving connections from an unusually high number of unique IP addresses within a short period. This detection rule aims to identify potential threats early, allowing for timely investigation and mitigation to protect server resources and maintain service availability.
Triage and response
- Assess the reputation of the source IP addresses for known threats.
- Check if there are common characteristics among the source IPs (e.g., geographical clustering, similar ISP).
- If malicious, reduce the impact by rate limiting, blocking, or filtering suspicious IPs.
- Inform IT security teams and management about the incident and actions taken.