Monitor the frequency and rate of specific network activity
with combination signatures.
Combination signatures detect and prevent brute force
attacks. A combination signature assigns a time attribute to an
existing threat signature—the child signature—to form a distinct
parent signature. The time attribute specifies the number of pattern
matches or “hits” to the child signature and the time frame (in
seconds) the hits must occur within for the parent signature to
trigger. If a pattern matches the child signature alone, the default
action for that signature occurs.
You can narrow the trigger conditions by including aggregation
criteria, which define what the parent signature counts as a hit.
You can select from “source,” “destination,” and “source-and-destination.”
If you wanted to count the number of hits to a particular destination
IP address, you would set the aggregation criteria to “destination.”
To count all hits from a particular source, select “source.” “Source-and-destination”
keeps a separate time window for each source and destination pair, so each
window counts only the hits from a single source to a specific destination.
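
The following added example (not vendor code, and not how the firewall is implemented) models the hit counting described above so the three aggregation criteria can be compared on the same traffic. The event list, the function name `parent_triggers`, and the choices to restart counting after a trigger and to treat the time frame as a sliding window are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed child-signature hits: (timestamp_seconds, source_ip, destination_ip)
SAMPLE_HITS = [
    (0, "10.0.0.5", "192.0.2.10"),
    (2, "10.0.0.5", "192.0.2.10"),
    (3, "10.0.0.6", "192.0.2.10"),
    (4, "10.0.0.5", "192.0.2.20"),
    (5, "10.0.0.5", "192.0.2.10"),
    (30, "10.0.0.7", "192.0.2.10"),
]

# The aggregation criteria decide which hits share one counter.
KEY_FUNCS = {
    "source": lambda src, dst: src,
    "destination": lambda src, dst: dst,
    "source-and-destination": lambda src, dst: (src, dst),
}

def parent_triggers(hits, threshold, window_seconds, aggregation):
    """Return [(timestamp, key)] for each time the parent signature would fire."""
    key_of = KEY_FUNCS[aggregation]
    windows = defaultdict(deque)  # one time window per aggregation key
    fired = []
    for ts, src, dst in sorted(hits):
        key = key_of(src, dst)
        win = windows[key]
        win.append(ts)
        # Drop hits that have fallen out of the time frame.
        while win and ts - win[0] >= window_seconds:
            win.popleft()
        if len(win) >= threshold:
            fired.append((ts, key))
            win.clear()  # assumption: counting restarts after a trigger
    return fired

if __name__ == "__main__":
    for mode in KEY_FUNCS:
        print(mode, parent_triggers(SAMPLE_HITS, 3, 10, mode))
```

With a threshold of 3 hits in 10 seconds, the same six events trigger at different times and on different keys depending on the criteria: “destination” fires first because hits from several sources accumulate on one target, while “source-and-destination” fires only once a single pair reaches the threshold on its own.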