topic Re: FTP Brute Force Attempt vulnerability protection in General Topics

FTP Brute Force Attempt vulnerability protection

dbaumann — Wed, 30 Jun 2010 15:12:47 GMT

I enabled "FTP Brute Force Attempt" (ID 40001) vulnerability protection, but my FTP server logs are still filling up with unsuccessful brute force login attempts. I've tried "drop", "drop-all-packets", and "reset-both" but it doesn't seem to make any difference.

For example, last night's ftp server log shows 810 unsuccessful login attempts within a time period of 10 minutes, but the PA only shows 7 brute force attempts (action = reset-both) in that same time frame. Shouldn't it block the vast majority of brute force logon attempts?

Re: FTP Brute Force Attempt vulnerability protection

mharding — Thu, 01 Jul 2010 13:32:54 GMT

Here is how the PAN OS classifies a brute force attempt:

If a session has same source and same destination but trigger our child signature, 40000, 10 times in 60 seconds, we call it is a brute force attack.

https://live.paloaltonetworks.com/docs/DOC-1367

Re: FTP Brute Force Attempt vulnerability protection

dbaumann — Thu, 01 Jul 2010 14:34:51 GMT

Within in the first 60 seconds the ftp log shows 38 unsuccessful login attempts from the same source. The entire brute force attack lasted 10 minutes, with 810 unsuccessful login attempts showing up in the ftp log.

According to the PAN OS classification shouldn't there be no more than 10 unsuccessful login attempts considering the conditions for a brute force attack were met?

Thanks,

Re: FTP Brute Force Attempt vulnerability protection

fredallee — Thu, 01 Jul 2010 14:59:19 GMT

Sounds like a bug. Have you opened a support case for this?