Brute force and scanning signatures

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Brute force and scanning signatures

Not applicable
Box: PA-2020 (probably all)
OS Version: PANOS-3.0.6
Hi!
I have some questions and suggestions for the threat-ips part of the box.
1. Ability to view settings for scanning and brute force signatures.
- What are the settings for these signatures? I cant find for instance how many attempts/ips/ports is needed for the signature to trigger.
2. Ability to change settings on brute force and scanning signatures.
- Sometimes you want to change the default behaviour of a signature. For instance we want to change how many attempts a client needs to do before a brute force signature triggers. This is also applicable for scanning signatures.
3. More detail in signature summaries
- When looking at a SSH Brute force alarm, it states "count": 1. If its only 1 attempt its not a brute force attack Smiley Happy When checking the packet-capture data we only see 1 packet. It would be great to get more information of these "summarizing, threshold" signatures.
4. Regexp signatures
- The ability to view the regular expressions on signatures that you don't need to protect would be nice.
//Henrik
1 ACCEPTED SOLUTION

Accepted Solutions

L4 Transporter

Regarding the brute force signatures, we are working on opening them

up the signatures to allow administrators to change how many attempts

a client needs to do over a customizable period of time to trigger a

brute force signature. Right now, we don't expose those thresholds in

the product. So here they are:

1. 40001 :

If a session has the same source and destination and triggers a single

login/authentication event 10 times in 60 seconds, we will identify it

as a brute force attack.

2. 40003 :

If a session has the same source and destination and triggers a single

login/authentication event 100 times in 60 seconds, we will identify

it as a brute force attack.

3. 40004 :

If a session has the same source and destination and triggers a single

login/authentication event 14 times in 60 seconds, we will identify it

as a brute force attack.

4. 40005 :

If a session has the same source and destination and triggers a single

login/authentication event 20 times in 60 seconds, we will identify it

as a brute force attack.

5. 40006 :

If a session has the same source and destination and triggers a single

login/authentication event 100 times in 60 seconds, we will identify

it as a brute force attack.

6. 40007 :

If a session has the same source and destination and triggers a single

login/authentication event 10 times in 60 seconds, we will identify it

as a brute force attack.

7. 40008 :

If a session has the same source and destination and triggers a single

login/authentication event 25 times in 60 seconds, we will identify it

as a brute force attack.

8. 40009 :

If a session has the same source and destination and triggers a single

login/authentication event 10 times in 60 seconds, we will identify it

as a brute force attack.

9. 40010 :

If a session has the same source and destination and triggers a single

login/authentication event 20 times in 60 seconds, we will identify it

as a brute force attack.

10. 40011 :

If a session has the same source and destination and triggers a single

login/authentication event 10 times in 60 seconds, we will identify it

as a brute force attack.

11. 40012 :

If a session has the same source and destination and triggers a single

login/authentication event 7 times in 60 seconds, we will identify it

as a brute force attack.

12. 40013 :

If a session has the same source and destination and triggers a single

login/authentication event 10 times in 60 seconds, we will identify it

as a brute force attack.

13. 40014 :

If a session has the same source and destination and triggers a single

login/authentication event 20 times in 60 seconds, we will identify it

as a brute force attack.

14. 40015 :

If a session has the same source and destination and triggers a single

login/authentication event 20 times in 60 seconds, we will identify it

as a brute force attack.

15. 40016 :

If a session has the same source and destination and triggers a single

login/authentication event 10 times in 20 seconds, we will identify it

as a brute force attack.

16. 40017 :

If a session has the same source and destination and triggers a single

login/authentication event 10 times in 60 seconds, we will identify it

as a brute force attack.

17. 40018 :

If a session has the same source and destination and triggers a single

login/authentication event 40 times in 60 seconds, we will identify it

as a brute force attack.

18. 40019 :

If a session has the same source and destination and triggers a single

login/authentication event 10 times in 20 seconds, we will identify it

as a brute force attack.

Also, I'm not sure I understand question #4 below. If you could

explain a little bit more of what you're looking for, that would be

great.

Thanks,

Alfred

View solution in original post

13 REPLIES 13

L4 Transporter

Regarding the brute force signatures, we are working on opening them

up the signatures to allow administrators to change how many attempts

a client needs to do over a customizable period of time to trigger a

brute force signature. Right now, we don't expose those thresholds in

the product. So here they are:

1. 40001 :

If a session has the same source and destination and triggers a single

login/authentication event 10 times in 60 seconds, we will identify it

as a brute force attack.

2. 40003 :

If a session has the same source and destination and triggers a single

login/authentication event 100 times in 60 seconds, we will identify

it as a brute force attack.

3. 40004 :

If a session has the same source and destination and triggers a single

login/authentication event 14 times in 60 seconds, we will identify it

as a brute force attack.

4. 40005 :

If a session has the same source and destination and triggers a single

login/authentication event 20 times in 60 seconds, we will identify it

as a brute force attack.

5. 40006 :

If a session has the same source and destination and triggers a single

login/authentication event 100 times in 60 seconds, we will identify

it as a brute force attack.

6. 40007 :

If a session has the same source and destination and triggers a single

login/authentication event 10 times in 60 seconds, we will identify it

as a brute force attack.

7. 40008 :

If a session has the same source and destination and triggers a single

login/authentication event 25 times in 60 seconds, we will identify it

as a brute force attack.

8. 40009 :

If a session has the same source and destination and triggers a single

login/authentication event 10 times in 60 seconds, we will identify it

as a brute force attack.

9. 40010 :

If a session has the same source and destination and triggers a single

login/authentication event 20 times in 60 seconds, we will identify it

as a brute force attack.

10. 40011 :

If a session has the same source and destination and triggers a single

login/authentication event 10 times in 60 seconds, we will identify it

as a brute force attack.

11. 40012 :

If a session has the same source and destination and triggers a single

login/authentication event 7 times in 60 seconds, we will identify it

as a brute force attack.

12. 40013 :

If a session has the same source and destination and triggers a single

login/authentication event 10 times in 60 seconds, we will identify it

as a brute force attack.

13. 40014 :

If a session has the same source and destination and triggers a single

login/authentication event 20 times in 60 seconds, we will identify it

as a brute force attack.

14. 40015 :

If a session has the same source and destination and triggers a single

login/authentication event 20 times in 60 seconds, we will identify it

as a brute force attack.

15. 40016 :

If a session has the same source and destination and triggers a single

login/authentication event 10 times in 20 seconds, we will identify it

as a brute force attack.

16. 40017 :

If a session has the same source and destination and triggers a single

login/authentication event 10 times in 60 seconds, we will identify it

as a brute force attack.

17. 40018 :

If a session has the same source and destination and triggers a single

login/authentication event 40 times in 60 seconds, we will identify it

as a brute force attack.

18. 40019 :

If a session has the same source and destination and triggers a single

login/authentication event 10 times in 20 seconds, we will identify it

as a brute force attack.

Also, I'm not sure I understand question #4 below. If you could

explain a little bit more of what you're looking for, that would be

great.

Thanks,

Alfred

Thank you soooo much, I've been looking for these for days !

While we are at it, how does denying such signature will work ? I guess the deny will be triggered after one minute (when the signature will) and starts dropping further attemps. But if the attacks stops and starts again after a few sec (or even just one), will the first attemps be allowed again for a minute ? Or am I totally wrong ?

Once the brute force signature threshold is reached will drop all

further attempts for sampling time frame. So if a signature monitors

over 60 seconds, we will drop all further attempts for 60 seconds.

After that, we will start allowing until the threshold is reached again.

Alfred

Hi

Thank you for the reply. Im glad you are working on getting the settings into the product Smiley Happy

Some clarification for #4

I'm talking about the signatures that are in the product that look for data patterns for example some sort of buffer overflow. In other products like Cisco, Juniper etc etc you are able to view the "matching pattern" (in regular expression format) for some signatures. Some of the signatures are "protected" because the vendors have agreements with Microsoft etc etc so the vendors are not allowed to give the matching patterns out.

What i'm asking for is the ability to view "what a signatures matches" for all signatures except those you need to protect (encrypt). Also the possibility to change the "matching patterns" on a signatures provided by you would be totally awesome!!

The basic use for that function would be to tune the signatures ourself until we have had time to contact you about a signature that generates alot of false positives and you have tuned the signatures and sent out a new update Smiley Happy

//Henrik

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!