2.46. THRESHOLD
These log messages refer to the THRESHOLD (Threshold rule events) category.
2.46.1. conn_threshold_exceeded (ID: 05300100)
Default Severity: WARNING
Log Message: Connection threshold <description> exceeded <threshold>. Source IP: <srcip>. Closing connection
Explanation: The source IP is opening up new connections too fast.
Gateway Action: closing_connection
Recommended Action: Investigate worms and DoS attacks.
Revision: 1
Parameters: description, threshold, srcip
Context Parameters: Rule Name
2.46.2. reminder_conn_threshold (ID: 05300101)
Default Severity: INFORMATIONAL
Log Message: Reminder: Connection threshold <description> exceeded <threshold>. Source IP: <srcip>.
Explanation: The source IP is still opening up new connections too fast.
Gateway Action: None
Recommended Action: Look through logs to see if the source IP has misbehaved in the past.
Revision: 1
Parameters: description, threshold, srcip
Context Parameters: Rule Name
2.46.3. conn_threshold_exceeded (ID: 05300102)
Default Severity: NOTICE
Log Message: Connection threshold <description> exceeded <threshold>. Source IP: <srcip>
Explanation: The source IP is opening up new connections too fast.
Gateway Action: None
Chapter 2. Log Message Reference