https://live.paloaltonetworks.com/t5/general-topics/http-brute-force-attempt/m-p/35778#M26288 <HTML><HEAD></HEAD><BODY><P>This is a bit older, but it may help.</P><P></P><P>"If a session has the same source and destination and triggers a single </P><P>login/authentication event 100 times in 60 seconds, we will identify </P><P>it as a brute force attack."</P></BODY></HTML> Fri, 25 Mar 2011 18:39:42 GMT mharding 2011-03-25T18:39:42Z https://live.paloaltonetworks.com/t5/general-topics/http-brute-force-attempt/m-p/35777#M26287 <HTML><HEAD></HEAD><BODY><P> I was contacted by a major government entity about an HTTP Brute Force attack/attempt coming from my institution.&nbsp; Their IDS triggered on a researcher in my organization attempting to login to one of their training websites.&nbsp; The user forgot their password.&nbsp; I only found out due to this user being only one in the PAN going to this website, however, what I'm wondering is why the PAN wouldn't have labeled it first?&nbsp; Has anyone come across something like this before?</P></BODY></HTML> Fri, 25 Mar 2011 13:43:02 GMT https://live.paloaltonetworks.com/t5/general-topics/http-brute-force-attempt/m-p/35777#M26287 migration 2011-03-25T13:43:02Z https://live.paloaltonetworks.com/t5/general-topics/http-brute-force-attempt/m-p/35778#M26288 <HTML><HEAD></HEAD><BODY><P>This is a bit older, but it may help.</P><P></P><P>"If a session has the same source and destination and triggers a single </P><P>login/authentication event 100 times in 60 seconds, we will identify </P><P>it as a brute force attack."</P></BODY></HTML> Fri, 25 Mar 2011 18:39:42 GMT https://live.paloaltonetworks.com/t5/general-topics/http-brute-force-attempt/m-p/35778#M26288 mharding 2011-03-25T18:39:42Z