This Rule generates alerts when The number of denied TCP and non TCP packets per second exceeded the system limit
TMG Server reduced the number of records of denied packets that are written in the log because the number of denied TCP and non-TCP packets per second exceeded the system limit.
One or many zombie hosts may be attempting an attack against a victim server, but TMG Server blocks the attack traffic.
Query the TMG Server logs to identify the zombie hosts, and then remove the malicious code from them.
See the product documentation for more information about TMG Server flood resiliency.
Target | Microsoft.Forefront.TMG.Server |
Category | EventCollection |
Enabled | True |
Alert Generate | False |
Remotable | True |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
DS | DataSource | Microsoft.Forefront.TMG.Rule.AlertGenerate.DS | Default |
WA | WriteAction | Microsoft.Forefront.TMG.Rule.AlertGenerate.WA | Default |
<Rule ID="Microsoft.Forefront.TMG.The_number_of_denied_TCP_and_non_TCP_packets_per_second_exceeded_the_system_limit.Rule" Enabled="true" Target="Microsoft.Forefront.TMG.Server" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="DS" TypeID="Microsoft.Forefront.TMG.Rule.AlertGenerate.DS">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>Application</LogName>
<EventsPattern>^(21282)$</EventsPattern>
<EventType>1</EventType>
<SourcePattern>[Microsoft Forefront TMG Firewall]|[Microsoft Forefront TMG Control]</SourcePattern>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="WA" TypeID="Microsoft.Forefront.TMG.Rule.AlertGenerate.WA">
<AlertMessageId>$MPElement[Name="Microsoft.Forefront.TMG.The_number_of_denied_TCP_and_non_TCP_packets_per_second_exceeded_the_system_limit.AlertMessage"]$</AlertMessageId>
<DomainName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/DomainDnsName$</DomainName>
<Priority>1</Priority>
<Severity>2</Severity>
</WriteAction>
</WriteActions>
</Rule>