Thresholds specify how many network accesses are considered normal within a defined period of time. A security alert is generated when a threshold is exceeded. For example, users occasionally mis-type their login password. Such an occurrence would not normally be a security concern. However, a large number of password authentication failures within a short time might indicate an attempted security breach. These optional rule specifications, spelling out how many accesses are allowed within a specified time, permit the Eagle to respond to repeated accesses with appropriate alerts. See Chapter to learn how to set up special notices for unusual activity.
The syntax for specifying threshold values for the rules is:
< accesses / period, ... >
Note that this field is enclosed in angle brackets. This syntax calls for a list of entries, separated by commas or blanks, which describe how many accesses to permit in a time period before triggering an Alert. The time period is a numeric value which may be followed by a qualifier (minutes, hours or days). If no qualifier is specified, the default value is minutes. There can be any number of time-window values within the threshold field. The default thresholds are:
< 3/5 mins, 5/15 mins, 10/hour, 25/day, 100/7 days >
These defaults allow 3 accesses in a 5 minute interval; 5 in 15 minutes; 10 in an hour; 25 in a day, and 100 in a week.
A shorthand notation allows you to omit the time period specification if only the counts are to be changed from the default. To change the number of accesses allowed in the 1 hour period to 15, without changing the other default subfields, one would enter:
< , , 15, , >
Notice that not only could the hour qualifier be omitted (it is the default for that subfield), but blank fields, separated by commas, specify that the entries for those subfields stay the same. Thus, the above rule is the same as the following explicit rule:
< 3/5 mins, 5/15 mins, 15/hour, 25/day, 100/7 days >
Any number of threshold entries are allowed if a finer grain of monitoring is desired.
Two special threshold specifications are used to turn off monitoring or to generate alerts for all accesses. The specification denotes that no threshold is specified and turns off Dynamic Activity Monitoring for that particular rule. The specification (zero) specifies that every access is to cause an alert.
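As an added illustration of the threshold syntax above (not code from the Eagle manual or product), the following parser reads a threshold field with the default, explicit and shorthand forms, and a replay function shows at which access a rule's windows would raise an alert. Assumptions: entries are separated by commas only (the manual also allows blanks), and the "no threshold" form is spelled as empty angle brackets.

```python
import re
from bisect import bisect_right

UNIT_SECONDS = {"": 60, "min": 60, "mins": 60, "hour": 3600, "hours": 3600, "day": 86400, "days": 86400}
DEFAULT_FIELD = "< 3/5 mins, 5/15 mins, 10/hour, 25/day, 100/7 days >"
ENTRY = re.compile(r"^(\d+)(?:\s*/\s*(\d*)\s*([A-Za-z]*))?$")

def parse_thresholds(field, defaults=None):
    """'< accesses/period, ... >' -> [(max_accesses, window_seconds), ...]. No qualifier
    means minutes; a blank subfield keeps the default; count-only keeps the default period."""
    defaults = DEFAULTS if defaults is None else defaults
    body = field.strip()
    if not (body.startswith("<") and body.endswith(">")):
        raise ValueError("threshold field must be enclosed in angle brackets")
    pieces = [p.strip() for p in body[1:-1].split(",")]
    if pieces == [""]:
        return None  # assumed spelling of "no threshold": monitoring off for this rule
    windows = []
    for i, piece in enumerate(pieces):
        default = defaults[i] if i < len(defaults) else None
        m = ENTRY.match(piece) if piece else None
        if piece and not m:
            raise ValueError(f"bad threshold entry: {piece!r}")
        if default is None and (not piece or m.group(2) is None):
            raise ValueError(f"subfield {i} omits the period and has no default")
        if not piece:                          # blank subfield: keep the default entry
            windows.append(default)
        elif m.group(2) is None:               # count only: keep the default period
            windows.append((int(m.group(1)), default[1]))
        else:
            unit = m.group(3).lower()
            if unit not in UNIT_SECONDS:
                raise ValueError(f"unknown period qualifier: {unit!r}")
            windows.append((int(m.group(1)), int(m.group(2) or 1) * UNIT_SECONDS[unit]))
    return windows

DEFAULTS = parse_thresholds(DEFAULT_FIELD, defaults=[])

def first_alert(access_times, windows):
    """Replay access timestamps (seconds) and return (time, max_accesses, window_seconds)
    for the first access exceeding any window's allowance, else None. Zero alerts on every access."""
    if windows is None:
        return None
    times = sorted(access_times)
    for i, t in enumerate(times):
        for max_accesses, win in windows:
            seen = i + 1 - bisect_right(times, t - win)   # accesses in (t - win, t]
            if seen > max_accesses:
                return (t, max_accesses, win)
    return None
```

With the defaults, a fourth failed login inside five minutes is the first event that exceeds an allowance, so that is where the alert would be raised.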