In this example, every two seconds, the CLEAR-Flow agent will request the tcpSynCounter and tcpCounter values from the hardware.
After it receives the two counter values, it will first calculate the delta for each of the counters and then check each counter‘s delta value for its minimum value, which is 100. If both of the counters‘ delta values are greater than 100, it then calculates the ratio of the delta of two counters. If the ratio is greater than 10, then the agent will log a warning message and deny all SYN traffic on the interface. No period value for the syslog message is given, so the message will be logged once when the expression first becomes true. When the expression transitions from true to false, a different message will be logged and the SYN traffic on the interface will be permitted again. The delta-ratio value has to fall below a threshold of 8 for the expression to be evaluated to be false.
entry acl_syn { if { protocol tcp_flags SYN; } then { count tcpSynCounter; } } entry acl_tcp { if { protocol tcp; } then { count tcpCounter; } } entry cflow_delta_ratio_rule_example { if { delta-ratio tcpSynCounter tcpCounter > 10 ; period 2; min-value 100; threshold 8; } then { syslog "Syn attack on port $port is detected" WARN; deny acl_syn; } else { syslog "Syn attack on port $port is no longer detected" WARN; permit acl_syn; } }