Do I have to drop or put to blacklist all requests by "source" IP addresses when they make 5 attacks requests in 5 minutes?
For example:
I have 5 attacks with status (Http protocol compliance field and Access from malicious IP address) from one and the same IP address and i want to drop each next request for the next 2 hours or move it to blacklist IP address.
You can do it via "Session Awareness" feature ("Security ›› Application Security : Session Tracking" page) - you just need to set your criteria and set "Block All" period... or you can put them into blacklist IP addresses, if you want.
