For details on cookie usage on our site, read our Privacy Policy
Brute force and scanning signatures
- LIVEcommunity
- Discussions
- General Topics
- Brute force and scanning signatures
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-09-2010 05:38 AM
When checking the packet-capture data we only see 1 packet. It would be great to get more information of these "summarizing, threshold" signatures.- Labels:
-
Configuration
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-09-2010 09:50 AM
Regarding the brute force signatures, we are working on opening them
up the signatures to allow administrators to change how many attempts
a client needs to do over a customizable period of time to trigger a
brute force signature. Right now, we don't expose those thresholds in
the product. So here they are:
If a session has the same source and destination and triggers a single
login/authentication event 10 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 100 times in 60 seconds, we will identify
it as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 14 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 20 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 100 times in 60 seconds, we will identify
it as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 10 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 25 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 10 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 20 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 10 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 7 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 10 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 20 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 20 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 10 times in 20 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 10 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 40 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 10 times in 20 seconds, we will identify it
as a brute force attack.
Also, I'm not sure I understand question #4 below. If you could
explain a little bit more of what you're looking for, that would be
great.
Thanks,
Alfred
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-09-2010 09:50 AM
Regarding the brute force signatures, we are working on opening them
up the signatures to allow administrators to change how many attempts
a client needs to do over a customizable period of time to trigger a
brute force signature. Right now, we don't expose those thresholds in
the product. So here they are:
If a session has the same source and destination and triggers a single
login/authentication event 10 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 100 times in 60 seconds, we will identify
it as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 14 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 20 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 100 times in 60 seconds, we will identify
it as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 10 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 25 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 10 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 20 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 10 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 7 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 10 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 20 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 20 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 10 times in 20 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 10 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 40 times in 60 seconds, we will identify it
as a brute force attack.
If a session has the same source and destination and triggers a single
login/authentication event 10 times in 20 seconds, we will identify it
as a brute force attack.
Also, I'm not sure I understand question #4 below. If you could
explain a little bit more of what you're looking for, that would be
great.
Thanks,
Alfred
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-10-2010 05:43 AM
Thank you soooo much, I've been looking for these for days !
While we are at it, how does denying such signature will work ? I guess the deny will be triggered after one minute (when the signature will) and starts dropping further attemps. But if the attacks stops and starts again after a few sec (or even just one), will the first attemps be allowed again for a minute ? Or am I totally wrong ?
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-10-2010 09:17 AM
Once the brute force signature threshold is reached will drop all
further attempts for sampling time frame. So if a signature monitors
over 60 seconds, we will drop all further attempts for 60 seconds.
After that, we will start allowing until the threshold is reached again.
Alfred
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-10-2010 02:41 PM
Hi
Thank you for the reply. Im glad you are working on getting the settings into the product
Some clarification for #4
I'm talking about the signatures that are in the product that look for data patterns for example some sort of buffer overflow. In other products like Cisco, Juniper etc etc you are able to view the "matching pattern" (in regular expression format) for some signatures. Some of the signatures are "protected" because the vendors have agreements with Microsoft etc etc so the vendors are not allowed to give the matching patterns out.
What i'm asking for is the ability to view "what a signatures matches" for all signatures except those you need to protect (encrypt). Also the possibility to change the "matching patterns" on a signatures provided by you would be totally awesome!!
The basic use for that function would be to tune the signatures ourself until we have had time to contact you about a signature that generates alot of false positives and you have tuned the signatures and sent out a new update
//Henrik
- DDOS, Brute force and referer header match options with custom signatures for app-id and vulnerability. in Custom Signatures
- The 7 byte custom signature minimum in General Topics
- Brute force not triggered in General Topics
- Custom Vulnerability Signature Name in Panorama logs in General Topics
- brute force rdp 40021 signature in General Topics
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
