Possible attack - many requests blocked

In case the EVENT_WR-Y-attack-600 warning (Possible attack - {NUM} blocked requests within {NUM} seconds) appears frequently, this can have the following causes:

  • Possible attack against applications. Check if the requests are coming from the same IP address.
  • Missing exception configuration for parameters.

This event is generated when 5 or more requests are blocked within 2 minutes due to filter rules.

The frequency and number of the log messages required for the event to be generated can be customized. See Customizing events for more information.

Research and countermeasures

Research the cause(s) before taking any countermeasures.

  • Analyze what causes the blocked requests:
    • Are the blocked requests in fact attacks or inadvertently blocked legitimate requests?

An example of an inadvertently blocked request may be a webmail application with SQL statements in the subject or body of the message. Those parameters should be defined as exceptions.
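The following added example (not Airlock's own code) models both the event rule above (5 or more blocked requests within 2 minutes) and the triage step: it replays constructed blocked-request log lines through a sliding window and, for each burst that reaches the threshold, reports whether the blocks come mostly from one source IP or are spread across many. The log line layout, the field names and the 80% single-source cutoff in `triage()` are assumptions for illustration, not Airlock's format or thresholds.

```python
from collections import Counter, deque
from datetime import datetime

# Constructed sample log (assumed format, not Airlock's real layout): "<ISO ts> <client IP> BLOCKED <rule>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 BLOCKED sql_injection
2024-05-01T10:00:10 203.0.113.7 BLOCKED sql_injection
2024-05-01T10:00:20 198.51.100.4 BLOCKED path_traversal
2024-05-01T10:00:35 203.0.113.7 BLOCKED sql_injection
2024-05-01T10:01:50 203.0.113.7 BLOCKED xss
2024-05-01T10:03:00 198.51.100.4 BLOCKED sql_injection
2024-05-01T10:20:00 192.0.2.9 BLOCKED sql_injection
"""

THRESHOLD = 5         # blocked requests (EVENT_WR-Y-attack-600 default)
WINDOW_SECONDS = 120  # within 2 minutes

def parse_blocked(log_text):
    """Return (timestamp, client_ip, rule) for each BLOCKED line, oldest first."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "BLOCKED":
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[3]))
    return sorted(events)

def attack_alerts(events, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sliding window over the block log; one alert per burst that reaches the threshold."""
    recent, alerts = deque(), []
    for ts, ip, rule in events:
        recent.append((ts, ip, rule))
        while (ts - recent[0][0]).total_seconds() > window:
            recent.popleft()  # drop blocks older than the window
        if len(recent) >= threshold:
            alerts.append({"at": ts, "count": len(recent),
                           "ips": Counter(e[1] for e in recent),
                           "rules": Counter(e[2] for e in recent)})
            recent.clear()  # a single burst produces a single alert
    return alerts

def triage(alert, single_source_share=0.8):
    """Heuristic (assumed cutoff): mostly one IP -> likely attack, else suspect a missing exception."""
    top_ip, top_count = alert["ips"].most_common(1)[0]
    if top_count / alert["count"] >= single_source_share:
        return f"possible attack from {top_ip}: check the source IP"
    return "blocks spread across IPs: check for legitimate requests needing parameter exceptions"

if __name__ == "__main__":
    for a in attack_alerts(parse_blocked(SAMPLE_LOG)):
        print(a["at"], a["count"], dict(a["ips"]), dict(a["rules"]), triage(a))
```

With the sample above, the five blocks between 10:00:00 and 10:01:50 raise one alert; the later blocks at 10:03:00 and 10:20:00 fall outside any 2-minute window with four others and raise none.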