Overview
Frabs collects server-side signals such as SSH failures, successful logins, connection data, port probing, firewall changes, and repeat offender history. Those events are grouped into incidents and processed by the Frabs scoring engine.
Severity Model
Frabs uses a universal severity model: Low, Medium, High, and Critical. Scores from 0 to 100 are normalized into those four levels, which are reused consistently across the UI, alerts, actions, and reports.
Baseline Learning
Frabs learns a per-server baseline over time. Hard thresholds still detect attacks on day one, but mature servers gain additional intelligence from baseline deviation, stability, and history. This helps reduce false positives.
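The sketch below illustrates the two ideas described so far: normalizing a 0 to 100 score into four levels, and combining a hard threshold with per-server baseline deviation. It is an added example, not Frabs code. Every cutoff, weight, and function name in it is an assumption, because this page does not publish the engine's values.

```python
from statistics import mean, pstdev

# Assumed values for illustration only; not Frabs's real cutoffs.
HARD_THRESHOLD = 50       # SSH failures/hour treated as an attack on any server
MIN_BASELINE_HOURS = 24   # hours of history before the baseline counts as mature
Z_ANOMALY = 3.0           # deviations from the baseline that count as abnormal
LEVELS = [(75, "Critical"), (50, "High"), (25, "Medium"), (0, "Low")]


def severity(score):
    """Normalize a 0-100 score into one of the four levels."""
    score = max(0, min(100, score))
    return next(name for floor, name in LEVELS if score >= floor)


def score_hour(failures, history):
    """Score one hour of SSH failures.

    history holds earlier hourly failure counts for the same server.
    """
    # Hard-threshold component: needs no history, so it works on day one.
    base = min(100.0, 50.0 * failures / HARD_THRESHOLD)
    if len(history) < MIN_BASELINE_HOURS:
        return round(base)

    # Mature server: compare this hour with the server's own normal.
    mu = mean(history)
    sigma = max(pstdev(history), 1.0)  # floor avoids dividing by zero on a flat baseline
    z = (failures - mu) / sigma
    if z < Z_ANOMALY:
        # Usual volume for this server: damp the score to cut false positives.
        return round(base * 0.5)
    # Abnormal for this server: add a bounded deviation bonus.
    return round(min(100.0, base + min(40.0, 5.0 * z)))


def classify(failures, history):
    return severity(score_hour(failures, history))


# Constructed sample histories (48 hourly counts each).
BUSY_BASTION = [55, 65] * 24   # always noisy: mean 60, deviation 5
QUIET_HOST = [0, 2] * 24       # almost silent: mean 1, deviation 1
```

With these assumed numbers, 62 failures on the noisy bastion drops from High (threshold only) to Medium, while 20 failures on the quiet host rises from Low to High.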
Auto Response
Threat actions depend on the threat type, the final severity, confidence, and your settings. Frabs supports temporary blocks, extended blocks, rate limiting, and protection-mode workflows with exact firewall rule tracking and reversible mitigations.