Denied Requests Per IP Per Severity Per Timeframe Per App. Ev. Source

Purpose

Triggers an alert when vWAF has denied more requests within a given period of time than a given limit allows. You can also specify that only denials of a certain severity are taken into account, and you can determine the range of IP addresses that vWAF looks at.

The Denied Requests Per Minute Event Source is the corresponding event source that counts all denied requests instead of requests denied from a specific IP.

For more information regarding adding and editing Event Sources, see Editing Event Sources.

Attributes

Attribute Meaning

timeframe

Period of time that vWAF looks at.

vWAF can continuously analyze the most recent 1, 5, 30, or 60 minutes.

limit

Number of denials that are needed to trigger the event.

ip4range

Determines the size of the IPv4 range that vWAF looks at.

  • /0 sets a global limit.

    This means that an alert is triggered as soon as there are more denied requests for all IP addresses combined than the given limit allows.

  • /8 to /24 specify a range of IP addresses (see Specifying IP Addresses).
  • /32 sets a limit per IP address.

    This means that an alert is only triggered if there have been more denied requests on the same IP address than allowed by the given limit.

ip6range

Determines the size of the IPv6 range that vWAF looks at.

  • /0 sets a global limit.

    This means that an alert is triggered as soon as there are more denied requests for all IP addresses combined than the given limit allows.

  • /16, /24, /32, /48 and /56 specify a range of IP addresses.
  • /64 sets a limit per network.
  • /128 sets a limit per IP address.

    This means that an alert is only triggered if there have been more denied requests on the same IP address than allowed by the given limit.

severity

When counting the number of denied requests, vWAF only takes into account the denials that had at least the given severity.

The default setting here is LOW, which means that all denied requests are counted.

For details on severity, see Severity of Events Triggered by Handlers.

msg prefix

Here you can enter some text, which is added to the beginning of the issued alert.

The default text is "requests per client ip per severity for this application are over the configured limit:".
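
To see how timeframe, limit, ip4range, ip6range and severity interact, the following sketch replays a list of denials and reports which address buckets would exceed the limit. It is an added example, not vWAF code: the function names, the MEDIUM and HIGH severity levels, the strict "more than limit" comparison and the sample records are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Severity ordering is an assumption; the page names only LOW (the default).
SEVERITY = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

def bucket(ip, ip4range, ip6range):
    """Collapse an address to the network its configured prefix groups it into."""
    addr = ipaddress.ip_address(ip)
    prefix = ip4range if addr.version == 4 else ip6range
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

def over_limit(denials, now, timeframe, limit,
               ip4range=32, ip6range=128, severity="LOW"):
    """Return {network: count} for each bucket with more than `limit` denials
    of at least `severity` in the `timeframe` minutes up to `now` (seconds)."""
    start = now - timeframe * 60
    counts = Counter()
    for ts, ip, sev in denials:
        if start < ts <= now and SEVERITY[sev] >= SEVERITY[severity]:
            counts[bucket(ip, ip4range, ip6range)] += 1
    # With /0 this sketch still counts IPv4 and IPv6 in separate buckets.
    return {net: n for net, n in counts.items() if n > limit}

# Constructed sample: (epoch seconds, client IP, severity of the denial).
DENIALS = [
    (10, "198.51.100.7", "HIGH"), (20, "198.51.100.7", "LOW"),
    (30, "198.51.100.7", "MEDIUM"), (40, "198.51.100.9", "HIGH"),
    (50, "198.51.100.200", "LOW"), (55, "2001:db8:0:1::a", "HIGH"),
    (58, "2001:db8:0:1::b", "HIGH"), (59, "2001:db8:0:1::c", "MEDIUM"),
]

if __name__ == "__main__":
    # /32 and /128: only the single noisy IPv4 client is over a limit of 2.
    print(over_limit(DENIALS, now=60, timeframe=1, limit=2))
    # /24 and /64: clients that spread denials across a subnet are caught too.
    print(over_limit(DENIALS, now=60, timeframe=1, limit=2,
                     ip4range=24, ip6range=64))
    # Raising severity to HIGH shrinks the counts that reach the limit.
    print(over_limit(DENIALS, now=60, timeframe=1, limit=1,
                     ip4range=24, severity="HIGH"))
```

Per-address settings (/32, /128) miss a client that rotates through addresses in one subnet, while wider prefixes catch it at the cost of grouping unrelated clients that share the range.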