A suspicious user has been repeatedly accessing a web application's login page in order to run a brute-force login attack. The security engineer wants to block this with some sort of network appliance, and to do that he/she needs a threshold: how many login attempts to allow per unit of time.
Basically, we should gather the various logs and make them searchable; effectiveness is the next step. With those systems in place, the limit has to be derived from a number extracted from the logs, not from an estimate.
In my case, I used Splunk for it, as below.
earliest="4/2/2014:13:50:00" latest="4/2/2014:14:00:00"
source=IIS cs_method=POST
(cs_uri_stem="/Authentication.asmx*" OR cs_uri_stem="/Registration.asmx*")
| where NOT cidrmatch("10.10.0.0/16",c_ip)
| timechart span=5s limit=5 count by c_ip usenull=f useother=f
From the resulting graph above, I can define the limit as 20 requests per 5 seconds.
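The same pipeline as a Python prototype for anyone without Splunk, an added example rather than the author's code: it assumes IIS W3C lines carrying date, time, c-ip, cs-method, cs-uri-stem and sc-status, works on constructed sample data, and reports the peak per-IP count in any 5-second bucket, which is the number a limit is based on.

```python
# Replicate the Splunk search over raw IIS W3C log lines: keep POSTs to the
# auth endpoints, drop internal 10.10.0.0/16 sources, count per c_ip in 5 s buckets.
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.10.0.0/16")          # same CIDR as the SPL cidrmatch()
AUTH_PATHS = ("/Authentication.asmx", "/Registration.asmx")
EPOCH = datetime(1970, 1, 1)

# Constructed sample log (assumed field order: date time c-ip cs-method cs-uri-stem sc-status)
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2014-04-02 13:50:01 203.0.113.7 POST /Authentication.asmx/Login 401
2014-04-02 13:50:02 203.0.113.7 POST /Authentication.asmx/Login 401
2014-04-02 13:50:03 203.0.113.7 POST /Authentication.asmx/Login 401
2014-04-02 13:50:04 203.0.113.7 POST /Registration.asmx/Check 200
2014-04-02 13:50:06 203.0.113.7 POST /Authentication.asmx/Login 401
2014-04-02 13:50:02 10.10.5.9 POST /Authentication.asmx/Login 401
2014-04-02 13:50:03 198.51.100.4 GET /Authentication.asmx/Login 200
2014-04-02 13:50:03 198.51.100.4 POST /Home.aspx 200
"""

def parse_line(line):
    """Return (timestamp, c_ip, method, uri_stem), or None for headers/short lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 5:
        return None
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    return ts, parts[2], parts[3], parts[4]

def count_by_ip(log_text, span=5):
    """Mirror the SPL filters, then count per (bucket, c_ip). Returns {bucket_epoch: Counter}."""
    buckets = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, c_ip, method, uri = rec
        if method != "POST" or not uri.startswith(AUTH_PATHS):
            continue
        if ip_address(c_ip) in INTERNAL:       # where NOT cidrmatch(...)
            continue
        bucket = int((ts - EPOCH).total_seconds()) // span * span   # span=5s
        buckets[bucket][c_ip] += 1
    return buckets

def peak_rate(log_text, span=5):
    """Highest per-IP count seen in any bucket; the threshold should sit above legitimate peaks."""
    counts = count_by_ip(log_text, span)
    return max((n for c in counts.values() for n in c.values()), default=0)
```

On the constructed sample the peak is 4 requests from 203.0.113.7 in the 13:50:00 bucket; run it over a real export to find the value that replaces the 20 above.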
