- It downloads and stores the IP database locally
- It updates every 24 hours
- It uses EmergingThreats.net for the threat database, specifically https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
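As an added example (not the product's own code), the block below parses a local copy of that feed in the format emerging-Block-IPs.txt uses (one IPv4 address or CIDR per line, `#` comments) and tags connection records by source IP, so the verdict is the same whether the record is an ICMP echo, an admin login or a reboot; the feed sample and log records are constructed with documentation-range addresses, not real indicators.

```python
# Added example: evaluate connections against a locally stored copy of the
# Emerging Threats block list. SAMPLE_FEED and SAMPLE_LOG are constructed.
import ipaddress

SAMPLE_FEED = """\
# Emerging Threats fwrules (constructed sample, documentation ranges)
# Spamhaus DROP Nets
192.0.2.0/24
# Individual hosts
198.51.100.7
203.0.113.45
"""

def parse_block_list(text):
    """Return ip_network objects for every entry; blank and comment lines are skipped."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()   # drop trailing comments
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue   # malformed feed line: skip it rather than abort the refresh
    return nets

def is_threat(ip, nets):
    """True if the source address falls inside any listed host or CIDR."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

# Constructed connection records: one listed IP seen over ICMP and then over
# TCP/443 for an admin login, plus a listed host and an unlisted neighbour.
SAMPLE_LOG = [
    {"src": "192.0.2.17", "proto": "icmp", "action": "echo-request"},
    {"src": "192.0.2.17", "proto": "tcp", "dport": 443, "action": "admin-login"},
    {"src": "198.51.100.7", "proto": "tcp", "dport": 22, "action": "reboot"},
    {"src": "198.51.100.8", "proto": "udp", "dport": 53, "action": "query"},
]

def tag_records(records, nets):
    """Attach isThreat to each record; the verdict depends only on the source IP,
    not on the protocol or on what the session did afterwards."""
    return [dict(r, isThreat=is_threat(r["src"], nets)) for r in records]

if __name__ == "__main__":
    for r in tag_records(SAMPLE_LOG, parse_block_list(SAMPLE_FEED)):
        print(r)
```

Because the local copy is refreshed only every 24 hours, a verdict can lag the upstream feed by up to a day; the lookup itself does not change between records from the same address.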
I have observed that if the traffic is ICMP from a bad IP, it identifies "isThreat" as True, but if the same IP gets access to the device (I mean logs in, makes policy changes, or even reboots the system), it shows "isThreat" as False. Why is it so, as the IP is still bad?
I would also like to know what attacks it can detect with the default rules...