Specify the scope within which the count of an attack occurs:
Source—Specify this option to detect attacks from
the source address for the specified number of times, regardless of
the destination address. This means that for a given attack, a threshold
count is maintained for each source address, and the destination
address is ignored. For example, suppose anomalies are detected from two different
pairs (ip-a, ip-b) and (ip-a, ip-c) that have the same source address ip-a but different destination
addresses ip-b and ip-c. The number of matches
for ip-a then increments to 2. If the threshold
value or count is also set to 2, the signature
triggers the attack event.
Destination—Specify this option to detect attacks
sent to the destination address for the specified number of times,
regardless of the source address. This means that for a given attack,
a threshold count is maintained for each destination
address, and the source address is ignored. For example, suppose anomalies
are detected from two different pairs (ip-a, ip-b) and (ip-c, ip-b) that have the same destination
address ip-b but different source addresses ip-a and ip-c. The number of matches for ip-b then increments
to 2. If the threshold value or count is also set to 2, the signature triggers the attack
event.
Peer—Specify this option to detect attacks between
source and destination IP addresses of the sessions for the specified
number of times. This means that the threshold value is applicable
for a pair of source and destination addresses. For example, suppose anomalies
are detected from two different source and destination pairs (ip-a, ip-b) and (ip-a, ip-c).
The number of matches for each pair is then 1, even though
both pairs have a common source address.
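
The three scopes differ only in the key under which a match is counted. The following Python sketch is an added illustration, not code from the product or its documentation; the function names, the sample matches, and the choice to restart a counter after it fires are assumptions, and no time window is modeled.

```python
from collections import Counter

def scope_key(scope, src, dst):
    """Return the key under which one signature match is counted."""
    if scope == "source":
        return (src, None)        # destination address is ignored
    if scope == "destination":
        return (None, dst)        # source address is ignored
    if scope == "peer":
        return (src, dst)         # counted per source/destination pair
    raise ValueError(f"unknown scope: {scope!r}")

def triggered_events(matches, scope, count):
    """Replay (src, dst) matches in order and return (index, key) for
    every match that brings a key's counter up to `count`."""
    counters = Counter()
    events = []
    for index, (src, dst) in enumerate(matches):
        key = scope_key(scope, src, dst)
        counters[key] += 1
        if counters[key] == count:
            events.append((index, key))
            counters[key] = 0     # assumption: counting restarts after an event
    return events

# Constructed sample: the address pairs used in the descriptions above.
SAMPLE_MATCHES = [
    ("ip-a", "ip-b"),
    ("ip-a", "ip-c"),
    ("ip-c", "ip-b"),
]

if __name__ == "__main__":
    for scope in ("source", "destination", "peer"):
        print(scope, triggered_events(SAMPLE_MATCHES, scope, count=2))
```

With a count of 2, the same three matches raise an event on ip-a under source scope, on ip-b under destination scope, and no event under peer scope, because no pair repeats.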