Hello!
Can someone tell me what the signature of a rule should look like that detects whether someone has accessed, for example, port 80 on 10 separate servers in just 2 seconds, or something similar.
I tried a rule like this: detection_filter: track by_src, count 10, seconds 2;
but apparently with something like that I could block the external brute force, but not what I want.
Thanks!
To be more precise, take a look here, especially at hashlimit-mode and hashlimit-dstmask.
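The difference the question runs into, as an added example that is not part of the thread: a sliding-window check over a constructed connection log that counts distinct destinations per source (the "10 separate servers in 2 seconds" pattern) next to a plain per-source hit count, which is roughly what the detection_filter line above does. The log format and all IP addresses are constructed for the example.

```python
from collections import Counter, defaultdict, deque

# Constructed sample connection log, one line per TCP connection:
# "<epoch seconds> <src ip> <dst ip> <dst port>"
SAMPLE_LOG = "\n".join(
    # 192.0.2.10 touches ten different servers on port 80 within 1 s (horizontal pattern)
    [f"{1000 + i * 0.1:.1f} 192.0.2.10 10.0.0.{i + 1} 80" for i in range(10)]
    # 192.0.2.20 hits the same server ten times within 1 s (brute force, not a sweep)
    + [f"{1000 + i * 0.1:.1f} 192.0.2.20 10.0.0.1 80" for i in range(10)]
    # 192.0.2.30 reaches ten servers, but spread over 30 s (below the rate)
    + [f"{1000 + i * 3.0:.1f} 192.0.2.30 10.0.0.{i + 1} 80" for i in range(10)]
)

def parse_log(text):
    """Yield (timestamp, src, dst, dst_port) tuples, skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            yield float(ts), src, dst, int(port)

def find_bursts(events, port=80, threshold=10, seconds=2.0, per_destination=True):
    """Alert when a source exceeds `threshold` within a sliding `seconds` window.
    per_destination=True counts *distinct* destinations (what the question asks for);
    per_destination=False counts every hit, which is what
    'detection_filter: track by_src, count N, seconds M' amounts to.
    Returns a list of (src, alert_timestamp, destinations_seen)."""
    window = defaultdict(deque)   # src -> (ts, dst) events still inside the window
    seen = defaultdict(Counter)   # src -> how many window events hit each dst
    alerts = []
    for ts, src, dst, dport in sorted(events):
        if dport != port:
            continue
        q, c = window[src], seen[src]
        q.append((ts, dst))
        c[dst] += 1
        while q and ts - q[0][0] > seconds:   # expire events older than the window
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        hits = len(c) if per_destination else len(q)
        if hits >= threshold:
            alerts.append((src, ts, sorted(c)))
            q.clear()
            c.clear()                         # report each burst only once
    return alerts

if __name__ == "__main__":
    events = list(parse_log(SAMPLE_LOG))
    print("distinct-destination rule:", [a[0] for a in find_bursts(events)])
    print("plain by_src count:       ", [a[0] for a in find_bursts(events, per_destination=False)])
```

Only the first source trips the distinct-destination check, while the plain per-source count also fires on the single-server brute force, which is the "blocks the brute force but not what I want" behaviour described above.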