https://live.paloaltonetworks.com/t5/general-topics/block-ftp-brute-force-attemps-threat-id-40001/m-p/20626#M15058 <HTML><HEAD></HEAD><BODY><P>What is the actual signature that is being enabled behind that exception rule? Is it a custom sig or the Palo Alto Networks ftp brute force sig?</P></BODY></HTML> Thu, 05 Jul 2012 19:05:34 GMT fredallee 2012-07-05T19:05:34Z https://live.paloaltonetworks.com/t5/general-topics/block-ftp-brute-force-attemps-threat-id-40001/m-p/20624#M15056 <HTML><HEAD></HEAD><BODY><P><BR />Hello,</P><P></P><P>I want to block Block FTP Brute Force Attemps.</P><P>The default rule in the PA alert only in theThreat log.</P><P></P><P>I added a new Vulnerabolity Protection Rule:</P><P>Action: Block</P><P>Host type: Any (also tried Server)</P><P>Category: brute-force</P><P>Severity: Any</P><P>CVE: Any</P><P>Vendor ID: Any</P><P></P><P>I placed the rule above al the default rules (see attachment).</P><P></P><P>If I simulate a ftp brute force attack I only see a alert message in the Threat log.</P><P></P><P>thanks in advance for your reply,</P><P></P><P>Hans</P></BODY></HTML> Thu, 05 Jul 2012 16:49:25 GMT https://live.paloaltonetworks.com/t5/general-topics/block-ftp-brute-force-attemps-threat-id-40001/m-p/20624#M15056 hnederstigt 2012-07-05T16:49:25Z https://live.paloaltonetworks.com/t5/general-topics/block-ftp-brute-force-attemps-threat-id-40001/m-p/20625#M15057 <HTML><HEAD></HEAD><BODY><P>Try changing the action to 'block-ip'.&nbsp; Block will only block the packet/session related to the violation, which doesn't work very well for attacks based on cumulative attempts.</P><P></P><P><IMG alt="dektop.png" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/3198_dektop.png" width="450" /> </P></BODY></HTML> Thu, 05 Jul 2012 18:55:32 GMT https://live.paloaltonetworks.com/t5/general-topics/block-ftp-brute-force-attemps-threat-id-40001/m-p/20625#M15057 drogers 2012-07-05T18:55:32Z https://live.paloaltonetworks.com/t5/general-topics/block-ftp-brute-force-attemps-threat-id-40001/m-p/20626#M15058 <HTML><HEAD></HEAD><BODY><P>What is the actual signature that is being enabled behind that exception rule? Is it a custom sig or the Palo Alto Networks ftp brute force sig?</P></BODY></HTML> Thu, 05 Jul 2012 19:05:34 GMT https://live.paloaltonetworks.com/t5/general-topics/block-ftp-brute-force-attemps-threat-id-40001/m-p/20626#M15058 fredallee 2012-07-05T19:05:34Z