https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8354#M6169 <HTML><HEAD></HEAD><BODY><P>Hello Panse,</P><P>you can get a hold of your sales contact or call into support and open up an ehancement request regarding this.</P><P></P><P></P><P></P><P>thanks,</P><P>Stephen</P></BODY></HTML> Thu, 24 Jun 2010 22:18:27 GMT swhyte 2010-06-24T22:18:27Z https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8341#M6156 <HTML><HEAD></HEAD><BODY><DIV> </DIV><DIV>Box: PA-2020 (probably all)</DIV><DIV>OS Version: PANOS-3.0.6</DIV><DIV> </DIV><DIV>Hi!</DIV><DIV> </DIV><DIV>I have some questions and suggestions for the threat-ips part of the box.</DIV><DIV> </DIV><DIV>1. Ability to view settings for scanning and brute force signatures.</DIV><DIV> - What are the settings for these signatures? I cant find for instance how many attempts/ips/ports is needed for the signature to trigger.</DIV><DIV> </DIV><DIV>2. Ability to change settings on brute force and scanning signatures.</DIV><DIV> - Sometimes you want to change the default behaviour of a signature. For instance we want to change how many attempts a client needs to do before a brute force signature triggers. This is also applicable for scanning signatures.</DIV><DIV> </DIV><DIV>3. More detail in signature summaries</DIV><DIV> - When looking at a SSH Brute force alarm, it states "count": 1. If its only 1 attempt its not a brute force attack <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /> When checking the packet-capture data we only see 1 packet. It would be great to get more information of these "summarizing, threshold" signatures.</DIV><DIV> </DIV><DIV>4. Regexp signatures</DIV><DIV> - The ability to view the regular expressions on signatures that you don't need to protect would be nice.</DIV><DIV> </DIV><DIV>//Henrik</DIV><DIV> </DIV><DIV> </DIV></BODY></HTML> Tue, 09 Mar 2010 13:38:40 GMT https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8341#M6156 u2521 2010-03-09T13:38:40Z https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8342#M6157 <HTML><HEAD></HEAD><BODY><P>Regarding the brute force signatures, we are working on opening them </P><P>up the signatures to allow administrators to change how many attempts </P><P>a client needs to do over a customizable period of time to trigger a </P><P>brute force signature. Right now, we don't expose those thresholds in </P><P>the product. So here they are:</P><P></P><P>1. 40001 <A href="FTP: login brute force attempt"></A>:</P><P></P><P>If a session has the same source and destination and triggers a single </P><P>login/authentication event 10 times in 60 seconds, we will identify it </P><P>as a brute force attack.</P><P></P><P>2. 40003 <A href="DNS: Spoofing Cache Record Attempt"></A>:</P><P></P><P>If a session has the same source and destination and triggers a single </P><P>login/authentication event 100 times in 60 seconds, we will identify </P><P>it as a brute force attack.</P><P></P><P>3. 40004 <A href="SMB: User Password Brute-force Attempt"></A>:</P><P></P><P>If a session has the same source and destination and triggers a single </P><P>login/authentication event 14 times in 60 seconds, we will identify it </P><P>as a brute force attack.</P><P></P><P>4. 40005 <A href="LDAP: User Login Brute-force Attempt"></A>:</P><P></P><P>If a session has the same source and destination and triggers a single </P><P>login/authentication event 20 times in 60 seconds, we will identify it </P><P>as a brute force attack.</P><P></P><P>5. 40006 <A href="HTTP: User Authentication Brute-force Attempt"></A>:</P><P></P><P>If a session has the same source and destination and triggers a single </P><P>login/authentication event 100 times in 60 seconds, we will identify </P><P>it as a brute force attack.</P><P></P><P>6. 40007 <A href="MAIL: User Login Brute-force Attempt"></A>:</P><P></P><P>If a session has the same source and destination and triggers a single </P><P>login/authentication event 10 times in 60 seconds, we will identify it </P><P>as a brute force attack.</P><P></P><P>7. 40008 <A href="MySQL Authentication Brute-force Attempt"></A>:</P><P></P><P>If a session has the same source and destination and triggers a single </P><P>login/authentication event 25 times in 60 seconds, we will identify it </P><P>as a brute force attack.</P><P></P><P>8. 40009 <A href="Telnet Authentication Brute-force Attempt"></A>:</P><P></P><P>If a session has the same source and destination and triggers a single </P><P>login/authentication event 10 times in 60 seconds, we will identify it </P><P>as a brute force attack.</P><P></P><P>9. 40010 <A href="Microsoft SQL Server User Authentication Brute-force Attempt"></A>:</P><P></P><P>If a session has the same source and destination and triggers a single </P><P>login/authentication event 20 times in 60 seconds, we will identify it </P><P>as a brute force attack.</P><P></P><P>10. 40011 <A href="Postgres Database User Authentication Brute-force Attempt"></A>:</P><P></P><P>If a session has the same source and destination and triggers a single </P><P>login/authentication event 10 times in 60 seconds, we will identify it </P><P>as a brute force attack.</P><P></P><P>11. 40012 <A href="Oracle Database User Authentication Brute-force Attempt"></A>:</P><P></P><P>If a session has the same source and destination and triggers a single </P><P>login/authentication event 7 times in 60 seconds, we will identify it </P><P>as a brute force attack.</P><P></P><P>12. 40013 <A href="Sybase Database User Authentication Brute-force Attempt"></A>:</P><P></P><P>If a session has the same source and destination and triggers a single </P><P>login/authentication event 10 times in 60 seconds, we will identify it </P><P>as a brute force attack.</P><P></P><P>13. 40014 <A href="DB2 Database User Authentication Brute-force Attempt"></A>:</P><P></P><P>If a session has the same source and destination and triggers a single </P><P>login/authentication event 20 times in 60 seconds, we will identify it </P><P>as a brute force attack.</P><P></P><P>14. 40015 <A href="SSH User Authentication Brute-force Attempt"></A>:</P><P></P><P>If a session has the same source and destination and triggers a single </P><P>login/authentication event 20 times in 60 seconds, we will identify it </P><P>as a brute force attack.</P><P></P><P>15. 40016 <A href="SIP INVITE Method Request Flood Attempt"></A>:</P><P></P><P>If a session has the same source and destination and triggers a single </P><P>login/authentication event 10 times in 20 seconds, we will identify it </P><P>as a brute force attack.</P><P></P><P>16. 40017 <A href="VPN: PAN BOX SSL VPN Authentication Brute-force Attempt"></A>:</P><P></P><P>If a session has the same source and destination and triggers a single </P><P>login/authentication event 10 times in 60 seconds, we will identify it </P><P>as a brute force attack.</P><P></P><P>17. 40018 <A href="HTTP: Apache Denial Of Service Attempt"></A>:</P><P></P><P>If a session has the same source and destination and triggers a single </P><P>login/authentication event 40 times in 60 seconds, we will identify it </P><P>as a brute force attack.</P><P></P><P>18. 40019 <A href="HTTP: IIS Denial Of Service Attempt"></A>:</P><P></P><P>If a session has the same source and destination and triggers a single </P><P>login/authentication event 10 times in 20 seconds, we will identify it </P><P>as a brute force attack.</P><P></P><P>Also, I'm not sure I understand question #4 below. If you could </P><P>explain a little bit more of what you're looking for, that would be </P><P>great.</P><P></P><P>Thanks,</P><P></P><P>Alfred</P></BODY></HTML> Tue, 09 Mar 2010 17:50:39 GMT https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8342#M6157 fredallee 2010-03-09T17:50:39Z https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8343#M6158 <HTML><HEAD></HEAD><BODY><P>Thank you soooo much, I've been looking for these for days !</P><P></P><P>While we are at it, how does denying such signature will work ? I guess the deny will be triggered after one minute (when the signature will) and starts dropping further attemps. But if the attacks stops and starts again after a few sec (or even just one), will the first attemps be allowed again for a minute ? Or am I totally wrong ?</P></BODY></HTML> Wed, 10 Mar 2010 13:43:50 GMT https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8343#M6158 axel.bodart 2010-03-10T13:43:50Z https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8344#M6159 <HTML><HEAD></HEAD><BODY><P>Once the brute force signature threshold is reached will drop all </P><P>further attempts for sampling time frame. So if a signature monitors </P><P>over 60 seconds, we will drop all further attempts for 60 seconds. </P><P>After that, we will start allowing until the threshold is reached again.</P><P></P><P>Alfred</P></BODY></HTML> Wed, 10 Mar 2010 17:17:47 GMT https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8344#M6159 fredallee 2010-03-10T17:17:47Z https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8345#M6160 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>Thank you for the reply. Im glad you are working on getting the settings into the product <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P>Some clarification for #4</P><P></P><P>I'm talking about the signatures that are in the product that look for data patterns for example some sort of buffer overflow. In other products like Cisco, Juniper etc etc you are able to view the "matching pattern" (in regular expression format) for some signatures. Some of the signatures are "protected" because the vendors have agreements with Microsoft etc etc so the vendors are not allowed to give the matching patterns out.</P><P></P><P>What i'm asking for is the ability to view "what a signatures matches" for all signatures except those you need to protect (encrypt). Also the possibility to change the "matching patterns" on a signatures provided by you would be totally awesome!! </P><P></P><P>The basic use for that function would be to tune the signatures ourself until we have had time to contact you about a signature that generates alot of false positives and you have tuned the signatures and sent out a new update <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P>//Henrik</P></BODY></HTML> Wed, 10 Mar 2010 22:41:09 GMT https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8345#M6160 u2521 2010-03-10T22:41:09Z https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8346#M6161 <HTML><HEAD></HEAD><BODY><P>I understand. We have a closed system where we don't show any of the </P><P>signatures on our box except for the custom created regex signatures </P><P>that are created by administrators. The only method that we have for </P><P>fixing signatures is currently through us. So if there are false </P><P>positives, please let support know and we will tune the signature and </P><P>release a new update. In the meantime, customers can create an </P><P>exception for that signature so that it's effectively disabled.</P><P></P><P>Alfred</P></BODY></HTML> Wed, 10 Mar 2010 22:58:17 GMT https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8346#M6161 fredallee 2010-03-10T22:58:17Z https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8347#M6162 <HTML><HEAD></HEAD><BODY><P>Thanks for the explanation. I have another related question : currently we are blocking threats from the level high and above as the medium level seems to be a bit to harsh a level to drop packets at. Since all thoses bruteforce attemps are medium, they are allowed. Is there a way to eitherraise the bruteforce vulnerabilities level to high or add them as blocked ?</P><P></P><P>Thansk alot !</P><P></P><P></P><P></P><P></P></BODY></HTML> Wed, 31 Mar 2010 12:59:09 GMT https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8347#M6162 axel.bodart 2010-03-31T12:59:09Z https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8348#M6163 <HTML><HEAD></HEAD><BODY><P>You could do this via a custom vulnerability profile, but the drawback </P><P>is that you need to manually add newly released signatures.</P><P></P><P>Alfred</P></BODY></HTML> Thu, 01 Apr 2010 06:54:09 GMT https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8348#M6163 fredallee 2010-04-01T06:54:09Z https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8349#M6164 <HTML><HEAD></HEAD><BODY><P>Thansk alot, that would indeed be a bit awfull to manage. So I'm left with 2 options :</P><P></P><P>1. Customize the severity level for a vulnerability (like applications), bit that's not possible, is it ? </P><P>2. Block all medium severity vulnerabilites. Would'nt that lead to too many blocked apps ?</P><P></P><P>Thaks for advises.</P></BODY></HTML> Thu, 01 Apr 2010 07:23:22 GMT https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8349#M6164 axel.bodart 2010-04-01T07:23:22Z https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8350#M6165 <HTML><HEAD></HEAD><BODY><P>1. Customized severity for threats is not currently possible.</P><P></P><P>2. Blocking all medium severity vulnerabilities shouldn't block apps. </P><P>If you want to block the brute force attacks, then I would turn on </P><P>blocking for medium severity for server side vulnerabilities.</P><P></P><P>Alfred</P></BODY></HTML> Fri, 02 Apr 2010 01:03:10 GMT https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8350#M6165 fredallee 2010-04-02T01:03:10Z https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8351#M6166 <HTML><HEAD></HEAD><BODY><P>For me it is a must to be able to at least be able to customize the severity level for a non-custom vulnerability signature. I understand that PA might not want to allow modification of their internal signatures, but modifying the severity is a very important requirement for my organization. I bet it is the same for many other organizations. After all, what it is medium for some it could be high for others, or the other way around. Everybody has a different risk tolerance.</P><P></P><P>By the other hand, it would be very useful to be able to have the ability of making a copy of an internal signature and be able to modify it to suit the customer's needs. In that way organizations can leverage the work already made by PA.</P><P></P><P>I strongly request to add the ability to customize the severity level as a feature in next releases of PAN-OS.</P><P></P><P>Thanks.</P></BODY></HTML> Sat, 03 Apr 2010 19:11:11 GMT https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8351#M6166 klomboy 2010-04-03T19:11:11Z https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8352#M6167 <HTML><HEAD></HEAD><BODY><P>Any news regarding the ability to view the "matching pattern" or settings for brute force and scanning signatures directly in the GUI ? Will this be available in future versions?</P><P></P><P>The ability to view the "matching pattern" is very helpful in deciding if the alarm is a false positive or not. If you have pcap active and can see the "matching pattern" you can make up your own mind if its a FP or not.</P><P></P><P>//Henrik</P></BODY></HTML> Wed, 26 May 2010 10:59:31 GMT https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8352#M6167 u2521 2010-05-26T10:59:31Z https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8353#M6168 <HTML><HEAD></HEAD><BODY><P>I just ran into the same requirement ... OfficeMax would like the ability to customize the severity level of a threat in our Threat DB.&nbsp; We already allow them to customize the Risk Level of an App ... they want the same ability for the Severity Level of a Threat/Spyware.</P><P></P><P>Dave Klein</P></BODY></HTML> Thu, 24 Jun 2010 13:29:48 GMT https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8353#M6168 panse 2010-06-24T13:29:48Z https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8354#M6169 <HTML><HEAD></HEAD><BODY><P>Hello Panse,</P><P>you can get a hold of your sales contact or call into support and open up an ehancement request regarding this.</P><P></P><P></P><P></P><P>thanks,</P><P>Stephen</P></BODY></HTML> Thu, 24 Jun 2010 22:18:27 GMT https://live.paloaltonetworks.com/t5/general-topics/brute-force-and-scanning-signatures/m-p/8354#M6169 swhyte 2010-06-24T22:18:27Z