Brute Force Signature and Related Trigger Conditions

by nrice on ‎03-26-2010 04:53 PM - edited on ‎02-04-2018 11:08 PM by kkawachi (189,852 Views)

This document lists the trigger condition for each brute force signature.

 

Details

Each entry below is listed as Trigger #, Application, Name, followed by its Description.
40001 FTP Login Brute Force Attempt

If a session has the same source and destination but triggers our child signature, 40000, 10 times in 60 seconds, we call it a brute force attack.

The child signature, 40000, is looking for a "530" FTP response message after the user has sent the "PASS" command.

40003 DNS Spoofing Cache Record Attempt

If a session has the same source and destination but triggers our child signature, 40002, 100 times in 60 seconds, we call it a brute force attack.

The child signature, 40002, is looking for a DNS response header in which every count (Question/Answer/Authority/Additional) is 1.

40004 SMB User Password Brute-force Attempt

If a session has the same source and destination but triggers our child signature, 31696, 30 times in 60 seconds, we call it a brute force attack.

The child signature, 31696, is looking for SMB SetupX with response error code 0x50001, and error code 0xc000006d for any SMB command.

40005 LDAP User Login Brute-force Attempt

If a session has the same source and destination but triggers our child signature, 31706, 20 times in 60 seconds, we call it a brute force attack.

The child signature, 31706, is looking for an LDAP bindResponse (27) whose resultCode is 49.

40006 HTTP User Authentication Brute-force Attempt

If a session has the same source and destination but triggers our child signature, 31708, 100 times in 60 seconds, we call it a brute force attack.

The child signature, 31708, is looking for HTTP response code 401 with "WWW-Authenticate:" in the response header.

40007 MAIL User Login Brute-force Attempt

If a session has the same source and destination but triggers our child signature, 31709, 10 times in 60 seconds, we call it a brute force attack.

The child signature, 31709, works on three applications: SMTP, POP3 and IMAP.

The trigger condition is response code 535 in SMTP, a "No/bad logon/login failure" pattern in IMAP, and an "-ERR" reply to the POP3 PASS command.

40008 MY SQL Authentication Brute-force Attempt

If a session has the same source and destination but triggers our child signature, 31719, 25 times in 60 seconds, we call it a brute force attack.

The child signature, 31719, is looking for error code 1045 during the MySQL client authentication stage.

40009 TELNET Authentication Brute-force Attempt

If a session has the same source and destination but triggers our child signature, 31732, 10 times in 60 seconds, we call it a brute force attack.

The child signature, 31732, is looking for a "login incorrect" pattern in the response packet.

40010 Microsoft SQL Server User Authentication Brute-force Attempt

If a session has the same source and same destination but triggers our child signature, 31753, 20 times in 60 seconds, we call it a brute force attack.

The child signature, 31753, is looking for "Login failed for user" in the response packet.

40011 Postgres Database User Authentication Brute-force Attempt

If a session has the same source and same destination but triggers our child signature, 31754, 10 times in 60 seconds, we call it a brute force attack.

The child signature, 31754, is looking for "password authentication failed for user " in the response packet.

40012 Oracle Database User Authentication Brute-force Attempt

If a session has the same source and same destination but triggers our child signature, 31761, 7 times in 60 seconds, we call it a brute force attack.

The child signature, 31761, is looking for "password authentication failed for user " in the response packet.

40013 Sybase Database User Authentication Brute-force Attempt

If a session has the same source and same destination but triggers our child signature, 31763, 10 times in 60 seconds, we call it a brute force attack.

The child signature, 31763, is looking for "Login failed" in the response packet.

40014 DB2 Database User Authentication Brute-force Attempt

If a session has the same source and same destination but triggers our child signature, 31764, 20 times in 60 seconds, we call it a brute force attack.

The child signature, 31764, is looking for code point 0x1219 with severity code 8 and security check code 0xf.

40015 SSH User Authentication Brute-force Attempt

If a session has the same source and destination but triggers our child signature, 31914, 20 times in 60 seconds, we call it a brute force attack.

The child signature, 31914, alerts on every connection to an SSH server.

40016 SIP INVITE Method Request Flood Attempt

If a session has the same source and destination but triggers our child signature, 31993, 20 times in 60 seconds, we call it a brute force attack.

The child signature, 31993, is looking for the "INVITE" method in a SIP session.

40017 VPN PAN BOX SSL VPN Authentication Brute-force Attempt

If a session has the same source and destination but triggers our child signature, 32256, 10 times in 60 seconds, we call it a brute force attack.

The child signature, 32256, is looking for "x-private-pan-sslvpn: auth-failed" in the HTTP response header.

40018 HTTP Apache Denial of Service Attempt

If a session has the same source and destination but triggers our child signature, 32452, 40 times in 60 seconds, we call it a brute force attack.

The child signature, 32452, is looking for an HTTP request that carries a Content-Length header but contains no "\r\n\r\n".

40019 HTTP IIS Denial of Service Attempt

If a session has the same source and destination but triggers our child signature, 32513, 10 times in 20 seconds, we call it a brute force attack.

The child signature, 32513, is looking for "%3f" in an HTTP URI path together with ".aspx".

40020 Digium Asterisk IAX2 Call Number Exhaustion Attempt

If a session has the same source and destination but triggers our child signature, 32785, 10 times in 30 seconds, we call it a brute force attack.

The child signature, 32785, is looking for the call number field in an Asterisk IAX2 message.

40021 MS-RDP MS Remote Desktop Connect Attempt

If a session has the same source and same destination but triggers our child signature, 33020, 8 times in 100 seconds, we call it a brute force attack.

The child signature, 33020, is looking for a CONNECT action in an MS-RDP request.

40022 HTTP Microsoft ASP.Net Information Leak Brute-force Attempt

If a session has the same source and same destination but triggers our child signature, 33435, 30 times in 60 seconds, we call it a brute force attack.

The child signature, 33435, is looking for response code 500 with a response header containing "\nX-Powered-By: ASP\.NET".

40023 SIP SIP Register Request Attempt

If a session has the same source and same destination but triggers our child signature, 33592, 60 times in 60 seconds, we call it a brute force attack.

The child signature, 33592, is looking for "REGISTER" SIP method.

40028 SIP SIP Bye Message Brute-force Attack

If a session has the same source and same destination but triggers our child signature, 34520, 20 times in 60 seconds, we call it a brute force attack.

The child signature, 34520, is looking for the SIP BYE method.

40030 HTTP HTTP NTLM Authentication Brute-force Attack

If a session has the same source and same destination but triggers our child signature, 34548, 20 times in 60 seconds, we call it a brute force attack.

The child signature, 34548, is looking for an HTTP 407 response together with an NTLM proxy authorization condition.

40031 HTTP HTTP Unauthorized Brute-force Attack

If a session has the same source and same destination but triggers our child signature, 34556, 100 times in 60 seconds, we call it a brute force attack.

The child signature, 34556, is looking for an HTTP 401 response.

40032 HTTP HOIC Tool Brute Force Attack

If a session has the same source and same destination but triggers our child signature, 34767, 100 times in 60 seconds, we call it a brute force attack.

The child signature, 34767, is looking for an HTTP request generated by the HOIC tool.

40033 DNS ANY Queries Brute-force DOS Attack

If a session has the same source and same destination but triggers our child signature, 34842, 60 times in 60 seconds, we call it a brute force attack.

The child signature, 34842, is looking for a DNS request.

40034 SMB Microsoft Windows SMB NTLM Authentication Lack of Entropy Vulnerability

If a session has the same source and same destination but triggers our child signature, 35364, 60 times in 60 seconds, we call it a brute force attack.

The child signature, 35364, is looking for an SMB Negotiate (0x72) request. Multiple such requests in a short time could be an attack against CVE-2010-0231.

40036 MYSQL MySQL COM_CHANGE_USER Brute-force Attempt

This event indicates that someone is performing a brute force attack, trying to authenticate as another user via the COM_CHANGE_USER command to the MySQL server.
If a session has the same source and same destination but triggers our child signature, 36157, 7 times in 60 seconds, we call it a brute force attempt.

40037 SCADA SCADA Password Crack Brute Force Attack

If a session has the same source and same destination but triggers our child signature, 31670, 10 times in 60 seconds, we call it a brute force attack.

The child signature, 31670, is looking for ICCP COTP connection requests from unauthorized clients.

40040 DNS DGA NXDOMAIN response found

If a session has the same source and same destination and triggers our child signature, 36518, 38 times in 60 seconds, we deem it a brute force attack.
The child signature, 36518, is looking for a DGA NXDOMAIN response from a DNS Server.

40044 HTTP WordPress Login Brute Force Attempt

This event indicates that someone is using a brute force attack to gain access to WordPress wp-login.php. The brute force signature looks for (by default) 10 or more triggers of child signature TID 37480 in 60 seconds. The child signature is looking for access attempts to wp-login.php.

40059 HTTP HTTP Request Brute Force Attack

This alert indicates an HTTP 302 temporary redirection. Multiple redirections in response to authentication attempts indicate a possible brute-force attack on the target server.

If a session has the same source and same destination but triggers our child signature, 39290, 100 times in 30 seconds, we call it a brute force attack.

40078 SMB Windows SMB SMBLoris Denial-of-Service Vulnerability

If a session has the same source and same destination and triggers our child signature, 37713, 100 times in 10 seconds, we call it a brute force attack.

The child signature, 37713, is checking for a crafted SMB request.
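To make the parent/child model used throughout this list concrete, here is an added Python example (not Palo Alto Networks code and not a description of how the firewall itself is implemented) that applies the FTP child check from 40001/40000 and the per-session "N hits in T seconds" counting to a constructed event stream. The THRESHOLDS table, the event tuple layout and the sample hosts are assumptions made for the example.

```python
from collections import defaultdict, deque

# Child TID -> (parent TID, hit count, window seconds); a constructed subset of the table above.
THRESHOLDS = {
    40000: (40001, 10, 60),   # FTP "530" reply to PASS
    31706: (40005, 20, 60),   # LDAP bindResponse with resultCode 49
}

class BruteForceCorrelator:
    """Counts child hits per (src, dst, child TID) in a sliding window."""

    def __init__(self, thresholds=THRESHOLDS):
        self.thresholds = thresholds
        self.hits = defaultdict(deque)  # key -> timestamps of recent hits

    def observe(self, ts, src, dst, child_tid):
        """Record a child hit at ts (seconds); return the parent TID or None."""
        if child_tid not in self.thresholds:
            return None
        parent, count, window = self.thresholds[child_tid]
        q = self.hits[(src, dst, child_tid)]
        q.append(ts)
        while q[0] <= ts - window:  # evict hits that fell out of the window
            q.popleft()
        if len(q) >= count:
            q.clear()  # one alert per burst, then start counting again
            return parent
        return None

def ftp_child_hit(client_cmd, server_reply):
    """Child signature 40000: a "530" reply to the client's PASS command."""
    return client_cmd.upper().startswith("PASS") and server_reply.startswith("530")

def correlate_ftp(events, correlator=None):
    """events: (ts, src, dst, cmd, reply) tuples -> [(ts, src, dst, parent_tid)]."""
    correlator = correlator or BruteForceCorrelator()
    alerts = []
    for ts, src, dst, cmd, reply in events:
        if ftp_child_hit(cmd, reply):
            parent = correlator.observe(ts, src, dst, 40000)
            if parent is not None:
                alerts.append((ts, src, dst, parent))
    return alerts

# Constructed sample: ten "530" replies in 10 s from 10.0.0.5 (40001 fires on
# the tenth) and three from 10.0.0.6 (below threshold, so no alert).
SAMPLE = [(t, "10.0.0.5", "192.0.2.10", "PASS guess", "530 Login incorrect.") for t in range(10)]
SAMPLE += [(t, "10.0.0.6", "192.0.2.10", "PASS guess", "530 Login incorrect.") for t in range(3)]
SAMPLE += [(5, "10.0.0.6", "192.0.2.10", "PASS right", "230 Login successful.")]
```

Events for one key must arrive in time order; hits older than the window are dropped before the count is compared, so nine failures followed by a tenth two minutes later never reach the threshold.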

 

If the Threat ID you are looking for is not in this list, you can always view the value inside the Vulnerability Protection profile: in the WebGUI, go to Objects > Security Profiles > Vulnerability Protection and click on a profile name. In this example, we will click on default.

[Image: Vulnerability Protection screen]

Once inside, click on the Exceptions tab, then select "Show all signatures" in the lower left corner of the window. Then search for the Threat ID that you would like to see details about.
Once you see the Threat ID you were looking for, click on the small pencil (edit) icon to the left of the Threat Name.

Note: If the threat does not show up, please ensure that you have updated your Dynamic Updates inside of Device > Dynamic Updates.

[Image: Vulnerability profile - Exceptions screen]

Once this screen is up, you will see the attributes and the time period that this vulnerability will be triggered with.

[Image: Threat Detail screen showing the trigger details]

 

SEE ALSO

For more information on any of these threats/vulnerabilities, please visit our Threat Vault:

https://threatvault.paloaltonetworks.com/

 

owner: akawimandan

 

 

Comments
by cramirez
on ‎11-04-2013 03:39 PM

Hi,

Just wondering, is there a reason why this info hasn't been added to the threat vulnerability DB?

by paloalto.netfos
on ‎05-28-2014 06:16 AM

Hi,

Are there any updates for it? I found a new Threat-ID, 40031 HTTP Unauthorized Brute-force Attack, and would like to know which child signature it is.

Regards,

Joy

by mivaldi
on ‎03-03-2015 07:06 PM

The child signature has Threat ID 34556, and was added to the list.

by paloalto.netfos
on ‎03-03-2015 07:13 PM

Thanks.

by mdeshpande
on ‎07-10-2015 08:36 AM

Wonderful article, helped a lot.

by lawinter
on ‎04-19-2016 09:22 AM

This is awesome. Please please someone update it.

by emr_
on ‎06-15-2016 07:56 PM

A new brute-force signature was added in content version 588:

high 40059 HTTP Request Brute Force Attack

Could you please update this document?

 

 

by
on ‎06-22-2016 10:30 AM

@emr_, I have updated this document with threat ID 40059, please let us know if this looks good or if there is anything else that needs to be added.

by NTTS
on ‎08-08-2016 05:12 AM

Can you please add the information for threat ID 40044, WordPress Login Brute Force Attempt?

by
on ‎10-17-2016 09:26 AM

Threat ID 40044 has been added.

by rprovan
on ‎04-21-2017 11:56 AM

Noticed that threat ID 40040 is missing.

by mivaldi
on ‎09-20-2017 03:52 PM

Threat ID 40040 has been added.
