06-26-2019 12:28 PM
Hello all,
I've been receiving these vulnerability alerts, ID 40031, for some time now between two servers, (DMZ to inside), using port 80 (SOAP) and the severity level is high, but I have the action set to "alert" which is the default. I truly do not know what account is trying to use this vulnerability. In the details report it shows the "destination user" since I have user-id enable on the inside zone.
These are my questions:
1. Shoud I enable user-id on the DMZ zone so I can see the user account (if even possible) that is trying to access the internal server?
2. In the detailed report it shows the "destinaion user", what does this mean specifically?
Thanks.
06-26-2019 02:15 PM
The web server being attacked should be able to log the connections, for example IIS you can enable logging to see if a login was actually attempted. When you get an alert like this you really need to look at the logs on target machine and see what/where the login attempt was coming from.
1) Depends on what you really want to do this, although since it's an HTTP unauthorized message even enabling user-id on the DMZ zone you still likely won't get the account attempting to auth.
2) Destination user is simply the user last recorded on the destination IP.
If you don't have access to the internal machine or for some reason you can't log the request then you'll need to take a packet capture on the internal connection. If its a standard 80 connection the data shouldn't be encrypted.
06-26-2019 02:15 PM
The web server being attacked should be able to log the connections, for example IIS you can enable logging to see if a login was actually attempted. When you get an alert like this you really need to look at the logs on target machine and see what/where the login attempt was coming from.
1) Depends on what you really want to do this, although since it's an HTTP unauthorized message even enabling user-id on the DMZ zone you still likely won't get the account attempting to auth.
2) Destination user is simply the user last recorded on the destination IP.
If you don't have access to the internal machine or for some reason you can't log the request then you'll need to take a packet capture on the internal connection. If its a standard 80 connection the data shouldn't be encrypted.
05-24-2022 01:15 AM
Hello All,
We have a fileserver within our internal network and they can access it locally by hostname.
I would like to ask, how if this alert is from internal access and not from external IP?
How would I know if they using web browser to access the IP of the server?
Shall I ask our Data Center Admin to check the fileserver?
Thank you in advance!
05-24-2022 10:07 PM
Hi EJaspe,
Please help us clarify your questions.
- Are you seeing the threat log "HTTP Unauthorized Brute Force Attack - ID 40031" which destination IP address is the fileserver? If so, the fileserver is also running as a web server, right?
- Do you want to know if the web access was performed by using IP address or hostname? In that case, you can look at the HTTP Host header. The logging must be enabled on the web server to see it in the log. Or you can capture the traffic and check.
You can refer to the following KB to see how the signature detects the brute force.
Brute Force Signature and Related Trigger Conditions
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmpCAC
40031 - HTTP Unauthorized Brute-force Attack
"If a session has the same source and same destination but triggers our child signature, 34556, 100 times in 60 seconds, we call it is a brute force attack. The child signature, 34556, is looking for HTTP 401 response."
As you see, it can trigger regardless of the way of access using IP address or hostname, and also regardless of where the access is coming from (internal or external).
# By the way, this thread was already marked as 'resolved' about 2 years ago. You may want to post a new one from the next time onwards if you have a new inquiry.
05-25-2022 07:41 PM
Hi Ymiyahista,
Sorry if I reply on this thread. Yes, I will create new thread if I have a new questions/concerns. By the way, here is my answer to your question to my question.
- Are you seeing the threat log "HTTP Unauthorized Brute Force Attack - ID 40031" which destination IP address is the fileserver? If so, the fileserver is also running as a web server, right?
Please help us clarify your questions.
- Are you seeing the threat log "HTTP Unauthorized Brute Force Attack - ID 40031" which destination IP address is the fileserver? If so, the fileserver is also running as a web server, right?
The destination address is from our internal fileserver itself. the source IP Address is our client's endpoint. Our client's endpoint is connected to our internal network and he is accessing it within our premises. As per our Data Center Admin, our fileserver is running locally and not by web access.
- Do you want to know if the web access was performed by using IP address or hostname? In that case, you can look at the HTTP Host header. The logging must be enabled on the web server to see it in the log. Or you can capture the traffic and check.
By accessing our fileserver, our endpoints should connected to our internal network. If the endpoint is outside the premises, they access the fileserver by connecting to VPN and access it locally.
05-25-2022 08:36 PM
Hi EJaspe,
OK, so what is the protocol? Is it SMB or HTTP?
If you are seeing the threat log "HTTP Unauthorized Brute Force Attack - ID 40031", then there must be an HTTP server which is responding with 401 status code.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
