Block IP making more than 30 requests in a second for 10 minutes

To stop simple DoS attacks, I would like to do a blanket block on any and all IPs which make more than 30 requests to my server in one second, for 10 minutes.

How would I go about writing a scenario for this?

You can take inspiration from the http-probing scenario. Most likely you just want to remove the evt.Meta.http_status check from the middle. Just note that, depending on how your hosted applications work, this could induce a lot of FPs.

What is FP?
Also, I would like this to apply to all open ports, not just HTTP(S), so I don’t think this will really work for me.
Again, in my case, I’m trying to prevent DoS attacks that spam requests to bring the server down, not Layer 7 ones.

Sorry, FP is an abbreviation for false positives. So then you would look at getting your firewall to log incoming connections and then count them, but you would have to modify the parser, as we only log dropped connections by default.

iptables logs

However, this won't stop all DoS, as some protocols use the same TCP/UDP connections, so then layer 7 would have to be explored.
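The counting step suggested in the reply above, sketched as an added example that is not part of the original thread and is not CrowdSec code: it reads iptables LOG lines, counts connections per source IP in a one-second sliding window, and records a 10-minute ban once an IP exceeds 30. It assumes the firewall already logs accepted new connections in the classic syslog layout; the function names, the year constant, and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 30                  # more than this many connections...
WINDOW = timedelta(seconds=1)   # ...inside this window triggers a ban
BAN = timedelta(minutes=10)     # block duration asked for in the question
YEAR = 2024                     # assumption: syslog timestamps carry no year

# Classic syslog + iptables LOG layout: "<Mon DD HH:MM:SS> ... SRC=<ip> ..."
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?\bSRC=(\S+)")

def detect(lines):
    """Return [(ip, ban_start, ban_end)] for sources exceeding the rate."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    banned_until = {}
    bans = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue             # not an iptables LOG line
        ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if banned_until.get(ip, ts) > ts:
            continue             # already blocked, do not count again
        q = recent[ip]
        q.append(ts)
        while q and q[0] <= ts - WINDOW:
            q.popleft()          # expire entries older than the window
        if len(q) > THRESHOLD:
            banned_until[ip] = ts + BAN
            bans.append((ip, ts, ts + BAN))
            q.clear()
    return bans

def sample():
    """Constructed log lines (documentation IP ranges), not real traffic."""
    fmt = ("Jan 12 {t} fw kernel: IN=eth0 OUT= SRC={ip} DST=192.0.2.10 "
           "PROTO=TCP SPT=40000 DPT={dpt} SYN")
    burst = [fmt.format(t="10:00:00", ip="203.0.113.5", dpt=22)] * 31
    slow = [fmt.format(t=f"10:00:{s:02d}", ip="198.51.100.7", dpt=443)
            for s in range(20)]
    repeat = [fmt.format(t="10:05:00", ip="203.0.113.5", dpt=25)] * 40
    return burst + slow + repeat
```

Because the count is keyed on source IP only, it covers every logged port, which is also where the false positives mentioned earlier come from: a legitimate client opening many connections at once looks the same as a flood.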