talking about normal noise peaks:
https://imgur.com/LrqmH2C
this is the daily attack-level on one of our wafs,
and the normal noise ranges from 500 events/day to 1500 events/day
2014-12-12 8:47 GMT+01:00 mex <lazy....@gmail.com>:
> hi david,
>
>
> 2014-12-12 8:24 GMT+01:00 <david...@gmail.com>:
>> I want to detect obvious changes to general request velocity for a given
>> URI, for example if global login attempts are normally made 15 times per
>> minute and that jumps to 100 times per minute I want to get notified. Is
>> there a way to implement this within OpenResty
>
> it could be done by using lua + redis + some scripting.
>
>> without adding latency to
>> requests? What is the best way to implement this?
>>
>
> it depends on what you want to do/know. from my experience in
> comparing actual vs avg events you'll need some learning phase
> to see what is normal, what is normal "noise" peaks.
> and then you'd want to de-couple the generation of your avg-values
> and process the actual request-level by running a small script from cron.
> so your nginx does just the logging (not much latency)
> and your script does the processing and analytics and alarming.
>
>
>
> cheers,
>
> mex
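A cron-side analyser in the shape mex sketches above (nginx only writes the access log, a separate script learns the normal per-minute rate for one URI and alarms when a minute leaves the noise band), added here as an example and not code from this thread or from OpenResty. It assumes nginx combined-format log lines, a hypothetical mean + k*stddev noise band, and the log lines themselves are constructed:

```python
import re
import statistics
from collections import Counter
from datetime import datetime, timedelta

# Cron-side analyser for the split mex describes: nginx only writes the access
# log; this hypothetical script re-reads it, learns the normal per-minute rate
# of one URI and alarms when the current rate leaves the noise band.
LOG_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
URI = "/login"
def constructed_log(schedule, start="12/Dec/2014:08:00:00 +0100"):
    """Constructed nginx combined-format lines; schedule = [(minute_offset, hits)]."""
    t0 = datetime.strptime(start, TS_FMT)
    lines = []
    for offset, hits in schedule:
        for i in range(hits):
            ts = (t0 + timedelta(minutes=offset, seconds=i % 60)).strftime(TS_FMT)
            lines.append(f'10.0.0.{i % 250 + 1} - - [{ts}] "POST {URI} HTTP/1.1" 401 12 "-" "x"')
    return lines

def per_minute_counts(lines, uri):
    """Bucket requests for `uri` by minute (timestamps truncated to :00)."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("uri") == uri:
            counts[datetime.strptime(m.group("ts"), TS_FMT).replace(second=0)] += 1
    return counts

def learn_baseline(counts, learning_minutes):
    """Learning phase: mean and stddev over the first `learning_minutes` buckets."""
    values = [counts[m] for m in sorted(counts)[:learning_minutes]]
    return statistics.mean(values), statistics.pstdev(values)

def detect_spikes(counts, baseline, k=3.0, min_ratio=2.0):
    """Minutes above mean + k*stddev and at least min_ratio x mean; the second
    guard stops a flat baseline (stddev ~0) from alarming on one extra hit."""
    mean, std = baseline
    threshold = max(mean + k * std, min_ratio * mean)
    return [(m, c) for m, c in sorted(counts.items()) if c > threshold]

# Constructed traffic: ten quiet minutes around 15 logins/min, one noisy
# minute (18 hits, inside the noise band), then David's jump to 100/min.
SCHEDULE = [(0, 15), (1, 14), (2, 16), (3, 15), (4, 17), (5, 13), (6, 15),
            (7, 16), (8, 14), (9, 15), (10, 18), (11, 100)]
def analyse(schedule=SCHEDULE, learning_minutes=10):
    counts = per_minute_counts(constructed_log(schedule), URI)
    baseline = learn_baseline(counts, learning_minutes)
    return baseline, detect_spikes(counts, baseline)
```

With the constructed schedule the learned baseline is 15 +/- 1.1 per minute, the 18-hit minute stays inside the band and only the 100-hit minute is reported; a real deployment would persist the baseline (for example in redis) between cron runs rather than relearn it each time.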