2.51. THRESHOLD

Home Prev	cOS Stream 4.00.03 Log Reference Guide	Next

Log Categories: THRESHOLD,FLOW
Log Message: Threshold notice.
Default Log Severity: Dynamic
Parameters: thresholdset, matchkey, rule
Explanation: A flow setup attempt triggered the given thresholdset in threshold rule rule: The flow setup was allowed to continue.
Gateway Action: Allow
Action Description: None
Proposed Action: None

Log Categories: THRESHOLD,FLOW,BLACKLIST
Log Message: Threshold blacklist.
Default Log Severity: Dynamic
Parameters: thresholdset, matchkey, rule
Explanation: A flow setup attempt triggered the given thresholdset in threshold rule rule: The attempt has been blocked and the source is now blacklisted.
Gateway Action: Drop
Action Description: None
Proposed Action: Contact the owner of the blacklisted source.

Log Categories: THRESHOLD,FLOW
Log Message: Threshold block flow.
Default Log Severity: Dynamic
Parameters: thresholdset, matchkey, rule
Explanation: A flow setup attempt triggered the given thresholdset in threshold rule rule: This particular attempt was blocked.
Gateway Action: Drop
Action Description: None
Proposed Action: None

Log Categories: THRESHOLD,FLOW
Log Message: Threshold reject flow.
Default Log Severity: Dynamic
Parameters: thresholdset, matchkey, rule
Explanation: A flow setup attempt triggered the given thresholdset in threshold rule rule: This particular attempt was rejected.
Gateway Action: Reject
Action Description: Reject is a polite way of denying access to a protected service, by sending an error message back to the source
Proposed Action: Carefully consider the security implications created by using the reject action.

Log Categories: THRESHOLD,FLOW
Log Message: Threshold tag flow.
Default Log Severity: Dynamic
Parameters: thresholdset, matchkey, rule
Explanation: A flow setup attempt triggered the given thresholdset in threshold rule rule: The flow setup was allowed to continue, but the flow has been tagged for later analysis. The tag will not affect the functionality of the forwarded traffic in any way, but some functionality can apply the tag as a filter (notably CLI commands and log messages).
Gateway Action: Allow
Action Description: None
Proposed Action: Review the tagged flows.

Log Categories: THRESHOLD
Log Message: Threshold definition is no longer exceeded.
Default Log Severity: Information
Parameters: definition, group, threshold, interval, value, time, lifetime
Explanation: The specific threshold group group no longer exceeds the corresponding threshold definition (with the configured threshold over the configured interval seconds): The group measurement is currently value over a period of time seconds. Before this event happened, the group did exceed the threshold for lifetime seconds.
Gateway Action: None
Action Description: None
Proposed Action: None

Log Categories: THRESHOLD
Log Message: Threshold definition is exceeded.
Default Log Severity: Dynamic
Parameters: definition, group, threshold, interval, value, time, lifetime
Explanation: The specific threshold group group now exceeds the corresponding threshold definition (with the configured threshold over the configured interval seconds): The group measurement is currently value over a period of time seconds. Before this event happened, the group did spend lifetime seconds without being exceeded.
Gateway Action: None
Action Description: None
Proposed Action: None

Log Categories: THRESHOLD
Log Message: Random group replacement.
Default Log Severity: Warning
Parameters: group
Explanation: There was a shortage of free threshold group instances and therefore, one randomly selected active threshold group instance was removed. This only happens when there are excessive flow open requests coming from many different sources (assuming the grouping is per source). Threshold rules that contain rate-based thresholds with a long configured interval are prone to this during distributed denial-of-service attacks since old group instances cannot be sensibly discarded until activity has ceased for a whole configured interval. The impact of losing an active group instance is that the system will forget information that could have been used to identify traffic that should have trigged a threshold action. This can potentially be used as an attempt to mask another more "stealthy" attack.
Gateway Action: None
Action Description: None
Proposed Action: Review the threshold rules; length of intervals, grouping parameters and actions. Consider to use grouping by network segments rather than individual IP addresses, as this will decrease the maximum possible number of groups that an attack can cause to be setup. As a last resort, the setting TrafficMgmtSettings:MaxThresholdMemUsage can be adjusted to support more simultaneous threshold groups.