# Custom rate-based IPS signatures for failed-login bursts on FTP, HTTP, IMAP,
# SMTP and POP3, followed by the sensor that enables them.
#
# Common shape: each signature matches a failure string in the server's reply
# (--flow from_server), so the tracked dst_ip is the client address, and it
# fires at the threshold given by --rate 10,60 (10 matches in 60 seconds, per
# the descriptions).
# NOTE(review): these are plain-text pattern matches. Logins carried inside TLS
# (FTPS, HTTPS, IMAPS, POP3S, SMTP after STARTTLS) are only visible if SSL
# inspection is applied on the policy that uses this sensor -- confirm.
config ips custom
    # Matches the literal reply text "530 User ". Servers that word the 530
    # reply differently (e.g. "530 Login incorrect") will not be counted.
    edit "FTP.Brute.Force.Login.CUSTOM"
        set signature "F-SBID( --name \"FTP.Brute.Force.Login.CUSTOM\"; --attack_id 1619; --service FTP; --flow from_server,reversed; --pattern \"530 User \"; --context header; --within 10000,context; --track dst_ip; --rate 10,60; --description \"Failed login to FTP server 10 times in 60 seconds\";)"
    next
    # Counts every "401 Unauthorized" status, not only rejected credentials.
    # A 401 is also the normal first challenge of Basic/NTLM/Negotiate, so a
    # busy or shared client address can hit the rate without any bad password.
    # NOTE(review): --seq 1,relative appears to restrict the match to the first
    # server data of a connection, so later 401s on a keep-alive connection
    # would not be counted -- verify.
    # NOTE(review): --tag test,HTTP.Authorization needs a tag that nothing in
    # this file sets; presumably another signature sets it. If none does, this
    # rule never fires -- confirm.
    edit "HTTP.Brute.Force.Authentication.CUSTOM"
        set signature "F-SBID( --name \"HTTP.Brute.Force.Authentication.CUSTOM\"; --attack_id 2404; --protocol tcp; --service HTTP; --flow from_server,reversed; --seq 1,relative; --pattern \"401 Unauthorized\"; --context header; --no_case; --rate 10,60; --track dst_ip; --tag test,HTTP.Authorization; --description \"Authentication to web server 10 times in 60 seconds\";) "
    next
    # Matches the server-specific text "Logon failure" (case-insensitive).
    # IMAP servers that report failed logins with other wording are not covered.
    edit "IMAP.Brute.Force.Login.CUSTOM"
        set signature "F-SBID( --attack_id 5001; --name \"IMAP.Brute.Force.Login.CUSTOM\"; --protocol tcp; --service IMAP; --flow from_server,reversed; --pattern \"Logon failure\"; --distance 10,packet; --within 50,packet; --context header; --no_case; --track dst_ip; --rate 10,60; --description \"Failed Login to IMAP server 10 times in 60 seconds\"; ) "
    next
    # Matches the SMTP reply code "535 " within the first 4 bytes of the packet.
    edit "SMTP.Brute.Force.Login.CUSTOM"
        set signature "F-SBID( --attack_id 2412; --name \"SMTP.Brute.Force.Login.CUSTOM\"; --protocol tcp; --service SMTP; --flow from_server,reversed; --pattern \"535 \"; --context header; --within 4,packet; --track dst_ip; --rate 10,60; --description \"Failed login to SMTP server 10 times in 60 seconds\"; )"
    next
    # Unlike the four signatures above, this one selects traffic by
    # --src_port 110 instead of --service, so POP3 on any other port is not
    # inspected. The pattern "-ERR Logon failure" is server-specific wording.
    # NOTE(review): --seq <,200,relative appears to limit matching to the start
    # of the server stream; repeated failures later on one connection may be
    # missed -- verify.
    edit "POP3.Brute.Force.Login.CUSTOM"
        set signature "F-SBID( --attack_id 3191; --name \"POP3.Brute.Force.Login.CUSTOM\"; --protocol tcp; --src_port 110; --flow from_server,reversed; --seq <,200,relative; --pattern \"|2D|ERR Logon failure\"; --no_case; --within 20,packet; --track dst_ip; --rate 10,60; --description \"Failed login to POP3 server 10 times in 60 seconds\";)"
    next
end

# Sensor for Windows hosts: severity/OS filters plus per-signature overrides.
config ips sensor
    edit "IPS_WINDOWS_+"
        config filter
            # No explicit status here, unlike the two filters below; these
            # signatures keep whatever their default status is.
            edit "WINDOWS_SYSTEMS_LOW-MED"
                set severity low medium
                set os Windows
            next
            edit "WINDOWS_SYSTEMS_HIG"
                set severity high
                set os Windows
                set status enable
            next
            edit "WINDOWS_SYSTEMS_CRIT"
                set severity critical
                set os Windows
                set status enable
            next
        end
        config override
            # NOTE(review): the overrides with "status disable" + "log disable"
            # switch a signature off with no log trace. This file does not say
            # which signatures these IDs are or why they are off; record the
            # justification (ticket, false-positive analysis) next to each one.
            edit 107347981
                set log disable
                set status disable
            next
            edit 13128
                set action block
                set log-packet enable
            next
            edit 109248517
                set log disable
                set status disable
            next
            edit 109314052
                set log disable
                set status disable
            next
            edit 109314053
                set log disable
                set status disable
            next
            edit 109248518
                set log-packet enable
            next
            edit 109379589
                set log-packet enable
            next
            edit 109445125
                set log-packet enable
            next
            # The five overrides below use the attack_id values of the custom
            # signatures defined above (3191 POP3, 1619 FTP, 5001 IMAP,
            # 2412 SMTP, 2404 HTTP): reset the session, keep a packet log, and
            # quarantine the attacker.
            # NOTE(review): quarantine is keyed on an IP address. Clients that
            # share one address (NAT, proxy, terminal server) are all locked out
            # together once the rate is reached -- consider exemptions.
            # NOTE(review): the unit/format of quarantine-expiry depends on the
            # FortiOS release; confirm that 360 means the intended duration.
            # NOTE(review): presumably "reversed" in --flow is what makes the
            # client, not the server, the quarantined "attacker" -- test before
            # relying on it.
            # NOTE(review): packet logs of clear-text login traffic may contain
            # account names or credentials; restrict who can read them.
            edit 3191
                set action reset
                set log-packet enable
                set quarantine attacker
                set quarantine-expiry 360
                set quarantine-log enable
            next
            edit 1619
                set action reset
                set log-packet enable
                set quarantine attacker
                set quarantine-expiry 360
                set quarantine-log enable
            next
            edit 5001
                set action reset
                set log-packet enable
                set quarantine attacker
                set quarantine-expiry 360
                set quarantine-log enable
            next
            edit 2412
                set action reset
                set log-packet enable
                set quarantine attacker
                set quarantine-expiry 360
                set quarantine-log enable
            next
            edit 2404
                set action reset
                set log-packet enable
                set quarantine attacker
                set quarantine-expiry 360
                set quarantine-log enable
            next
        end
    next
end