Open AlyaGomaa opened 2 months ago
So the problem is that Slips dies if many, many flows are sent by the host, especially malware scanning or DDoS.
The solution is to ignore the traffic from that host in this TW if two conditions match:
1. There is an alert to stop this IP in this TW.
2. There are more than X flows, or some other measure of too much traffic.
If both match, then we 'somehow' tell Slips or Zeek to ignore those flows until the next TW.
The important thing is that those flows MUST not enter Slips. They must not be read or processed in any way.
We need to find a way to not give this to Slips in the first place; maybe tell Zeek not to give us anything from this IP.
Created by Alya Gomaa via monday.com integration. 🎉
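The decision logic the issue sketches (drop a host's flows for the rest of the current time window only when there is an alert for that host in this TW *and* it has exceeded a flow threshold), written out as an added example. This is not Slips code and not from the issue author; the class and function names, the 60 s TW width, the threshold of 5 flows and the sample event stream are all assumptions made up for illustration. It runs the throttle over a constructed stream that contains an alerted scanner, a busy host that is never alerted, and the scanner's traffic in the following TW, so all three branches (drop, admit because no alert, admit because new TW) are exercised.

```python
"""Added example (not Slips code): per-host, per-time-window flow throttle.

A flow from a source IP is dropped for the rest of the current time window
(TW) once BOTH conditions from the issue hold:
  1. an alert for that IP was raised in this TW, and
  2. the IP has already produced more than max_flows flows in this TW.
The TW index is derived from the flow timestamp, so state resets on its own
when the next TW starts. TW width, threshold and names are assumptions.
"""
from collections import defaultdict

TW_SECONDS = 3600   # assumed TW width (Slips' TW length is configurable)
MAX_FLOWS = 1000    # assumed per-TW flow threshold ("X" in the issue)


class TWFlowThrottle:
    def __init__(self, tw_seconds=TW_SECONDS, max_flows=MAX_FLOWS):
        self.tw_seconds = tw_seconds
        self.max_flows = max_flows
        self.flow_counts = defaultdict(int)   # (ip, tw_index) -> flows admitted
        self.alerted = set()                  # (ip, tw_index) with an alert

    def tw_index(self, ts):
        """Map a timestamp (seconds) to the TW it falls in."""
        return int(ts // self.tw_seconds)

    def register_alert(self, ip, ts):
        """Record that an alert was raised for ip in the TW containing ts."""
        self.alerted.add((ip, self.tw_index(ts)))

    def should_drop(self, ip, ts):
        """Return True if this flow must not enter the analysis pipeline.

        Both conditions must hold: an alert exists for (ip, TW) and the host
        has already had max_flows flows admitted in this TW. A host that is
        merely noisy but never alerted is never throttled.
        """
        key = (ip, self.tw_index(ts))
        if key in self.alerted and self.flow_counts[key] >= self.max_flows:
            return True
        self.flow_counts[key] += 1
        return False


def build_demo_events():
    """Constructed sample stream (not real Zeek output): (kind, ts, ip).

    With a 60 s TW: ts 0..19 is TW 0, ts 60..64 is TW 1.
    """
    events = []
    for ts in range(20):
        if ts == 3:
            events.append(("alert", ts, "10.0.0.5"))   # scanner gets alerted
        events.append(("flow", ts, "10.0.0.5"))        # scanner traffic
        events.append(("flow", ts, "10.0.0.7"))        # busy, never alerted
    for ts in range(60, 65):                           # next TW: no alert yet
        events.append(("flow", ts, "10.0.0.5"))
    return events


def process(events, throttle):
    """Feed events through the throttle; return per-IP admitted/dropped counts."""
    admitted = defaultdict(int)
    dropped = defaultdict(int)
    for kind, ts, ip in events:
        if kind == "alert":
            throttle.register_alert(ip, ts)
        elif throttle.should_drop(ip, ts):
            dropped[ip] += 1          # never handed to the analysis modules
        else:
            admitted[ip] += 1
    return dict(admitted), dict(dropped)


if __name__ == "__main__":
    throttle = TWFlowThrottle(tw_seconds=60, max_flows=5)
    admitted, dropped = process(build_demo_events(), throttle)
    print("admitted:", admitted)
    print("dropped:", dropped)
```

With the demo parameters the scanner 10.0.0.5 gets 5 flows admitted in TW 0 (three before the alert, two after it, up to the threshold), the remaining 15 flows of that TW are dropped, and its 5 flows in TW 1 are admitted again because no alert exists for the new TW; 10.0.0.7 is never dropped despite sending the same volume. Note that a filter like this still has to read each flow to decide, so it only saves the per-flow analysis cost; the issue's requirement that the flows not be read at all means the real cut has to happen before Slips' input, e.g. on the Zeek side, and this class is only a reference for the decision rule.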