Products | Versions |
---|---|
TIBCO LogLogic Log Management Intelligence | all versions |
1. Firewall Accept/Deny Ratio and
2. Logins Successful/Failed Ratio
Firewall Accept/Deny Ratio:
A firewall ratio could be used to detect a designated ratio of:
Accept/Total
Deny/Total
Accept/(Accept+Denied)
Denied/(Accept+Denied)
Denied Success/(Success+Failure)
Example:
You wish to alert when your Deny messages go above 50% of your total “accept and deny” messages. This indicates that your firewalls are dropping the majority of connection events, which could signal an outbreak of malicious activity.
Logins Successful/Failed Ratio:
A login ratio could be used to detect a designated ratio of:
Login Success/Total
Login Failure/Total
Login Success/(Success+Failure)
Login Failure/Success
Login Success/(Success+Failure)
Example:
Use an alert based on a high ratio of login failures over the total number of attempts. Use a ratio-based alert that will trigger both when Login Failure over Total is smaller than 1% and when it is more than 50%, on all authentication servers.
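The two example alerts above, worked through in Python over constructed sample windows. This is an added illustration of the ratio logic, not LogLogic configuration or product code; the function names and the outcome labels (`accept`, `deny`, `success`, `failure`) are hypothetical.

```python
from collections import Counter

def ratio(outcomes, numerator, denominator):
    """count(numerator) / count(all outcomes in denominator); None if no data."""
    counts = Counter(outcomes)
    total = sum(counts[name] for name in denominator)
    return counts[numerator] / total if total else None

def ratio_alert(outcomes, numerator, denominator, low=None, high=None):
    """True when the ratio is below `low` or above `high` (fractions, 0..1)."""
    value = ratio(outcomes, numerator, denominator)
    if value is None:  # empty window: nothing to divide, so no alert
        return False
    return (low is not None and value < low) or (high is not None and value > high)

def firewall_deny_alert(window):
    # Denied/(Accept+Denied) above 50%, as in the firewall example
    return ratio_alert(window, "deny", ("accept", "deny"), high=0.50)

def login_failure_alert(window):
    # Login Failure/(Success+Failure) smaller than 1% or more than 50%
    return ratio_alert(window, "failure", ("success", "failure"),
                       low=0.01, high=0.50)

# Constructed sample windows (not real logs), one outcome per message.
FIREWALL_WINDOW = ["accept"] * 40 + ["deny"] * 60    # 60% deny
LOGIN_NORMAL = ["success"] * 95 + ["failure"] * 5    # 5% failure
LOGIN_SPIKE = ["success"] * 30 + ["failure"] * 70    # 70% failure
LOGIN_SILENT = ["success"] * 200                     # 0% failure

if __name__ == "__main__":
    print("firewall deny alert:", firewall_deny_alert(FIREWALL_WINDOW))
    for name, window in [("normal", LOGIN_NORMAL), ("spike", LOGIN_SPIKE),
                         ("silent", LOGIN_SILENT)]:
        print("login failure alert,", name + ":", login_failure_alert(window))
```

A window that sits exactly on 50% does not fire, because the comparison is strict ("goes above 50%").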