Event Per IP Per Path Prefilter Handler

Purpose

This special handler triggers the Requests Per IP Per Path Per Timeframe Per Application Event Source if, within a given period of time, there have been more requests from a given IP address range than allowed. As this handler is used at path level, only requests relating to this path are counted.

You need to link an event destination group to the Requests Per IP Per Path Per Timeframe Per Application Event Source in order to actually trigger an alert.

For more information regarding adding and editing Handlers, see Editing Handlers.

Severity

Events triggered by this handler are given the severity: medium. (For details on severity levels, see Severity of Events Triggered by Handlers.)

Recommendations for use

Only add this handler if you want to use the Requests Per IP Per Path Per Timeframe Per Application Event Source.

Attributes

Attribute Meaning

timeframe

Period of time that vWAF looks at. vWAF can continuously analyze the most recent 1, 5, 30 or 60 minutes.

limit

Number of requests on the path from the ip4 range plus ip6 range within the given timeframe that are needed to trigger the event.

ip4 range

Determines the size of the IPv4 address range that vWAF looks at.

  • /0 sets a global limit

    This means that an alert is triggered as soon as there are more requests from all IP addresses combined than the given limit allows.

  • /8 to /24 specifies a range of IP addresses (see Specifying IP Addresses)
  • /32 sets a limit per IP address

    This means that an alert is only triggered if there have been more requests from the same IP address than allowed by the given limit.

ip6 range

Determines the size of the IPv6 address range that vWAF looks at.

  • /0 sets a global limit

    This means that an alert is triggered as soon as there are more requests from all IP addresses combined than the given limit allows.

  • /16 to /64 specifies a range of IP addresses
  • /128 sets a limit per IP address

    This means that an alert is only triggered if there have been more requests from the same IP address than allowed by the given limit.

usertext

currently not used

enable logging

currently not used

For details regarding entries added to the log file by this handler, see the relevant section in Entries in Application-Specific Log Files.
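
How timeframe, limit, ip4 range and ip6 range interact can be seen in a small model. This is an added example, not vWAF code and not its actual algorithm; the class and function names are hypothetical, and it assumes the event fires once the count exceeds limit, that IPv4 and IPv6 ranges are counted in separate buckets, and that requests arrive in time order.

```python
import ipaddress
from collections import defaultdict, deque

class PathRateCounter:
    """Illustrative model of the handler's attributes; not vWAF code."""

    def __init__(self, timeframe, limit, ip4_range, ip6_range):
        self.window = timeframe * 60      # timeframe attribute, minutes -> seconds
        self.limit = limit
        self.prefix = {4: ip4_range, 6: ip6_range}  # prefix length per family
        self.hits = defaultdict(deque)    # (path, network) -> request timestamps

    def bucket(self, client_ip):
        """Network the address is counted under (/32 or /128 = the address itself)."""
        addr = ipaddress.ip_address(client_ip)
        return ipaddress.ip_network(f"{addr}/{self.prefix[addr.version]}", strict=False)

    def observe(self, ts, client_ip, path):
        """Record one request; True if its bucket is now over the limit."""
        q = self.hits[(path, self.bucket(client_ip))]
        q.append(ts)
        while q[0] <= ts - self.window:   # forget requests older than the timeframe
            q.popleft()
        return len(q) > self.limit        # assumption: fires on "more than limit"

def replay(requests, **attrs):
    """Return the requests that pushed a bucket over the limit."""
    counter = PathRateCounter(**attrs)
    return [r for r in requests if counter.observe(*r)]

# Constructed sample traffic: (time in seconds, client address, path)
SAMPLE = [
    (0, "203.0.113.10", "/login"), (5, "203.0.113.11", "/login"),
    (10, "203.0.113.12", "/login"), (15, "203.0.113.10", "/login"),
    (20, "203.0.113.11", "/login"), (25, "203.0.113.12", "/login"),
    (30, "2001:db8::1", "/login"), (31, "2001:db8::2", "/login"),
    (32, "2001:db8::3", "/login"), (90, "203.0.113.10", "/login"),
]

if __name__ == "__main__":
    # Same traffic, same limit: only the range size changes the outcome.
    print(replay(SAMPLE, timeframe=1, limit=4, ip4_range=24, ip6_range=64))
    print(replay(SAMPLE, timeframe=1, limit=4, ip4_range=32, ip6_range=128))
```

With /24 the three IPv4 clients share one counter and the fifth and sixth requests exceed the limit; with /32 each address stays at two requests and nothing fires, which is why a per-address setting can miss traffic spread across neighbouring addresses.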