This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Vulnerability Protection - Host Type field

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Vulnerability Protection - Host Type field

MikeBull
L0 Member

‎12-11-2013 10:16 AM

I am looking for clarification as to how the 'Host Type' field works in a vulnerability protection profile.

For instance, we have a profile configured to protect our DMZ with six rules as follows:

RuleThreat NameCVEHost TypeSeverityAction
client-criticalanyanyclientcriticalblock
client-highanyanyclienthighblock
client-mediumanyanyclientmediumalert
server-criticalanyanyservercriticalblock
server-highanyanyserverhighalert
server-mediumanyanyservermediumalert

I've noticed in the threat logs a number of 'FTP: login Brute-force attempt'  triggered from the outside to the DMZ with a source of some IP in China. Clicking the detail option beside the log entry shows a direction of 'client-to-server'. Based off the details of the threat ( see below ) I would assume the rule 'client-high' would catch the brute force attempt and 'block' the threat, however, it appears it is matching under the rule 'server-high' which takes an 'alert' action. In the help menus the 'Host' field has the description "Specify whether to limit the signatures for the rule to those that are client side, server side, or either (any)."  which to me is very vague.  Could someone explain to me exactly what the 'host type' field does?

FTP: login Brute-force attempt

40001

This event indicates that someone is using a brute force attack to gain access to an ftp server. An FTP brute force attack is a method of defeating the cryptographic scheme by trying a large number of possible username and passwords.

0 Likes Likes
1 REPLY 1

gwesson
L7 Applicator

‎12-11-2013 10:47 AM

In the example you have, the host is the Server, so it'll be a "server-high" with an action of Alert. If it was a server attacking a client, or a client-targeted vulnerability, it would be a "client-high" which does have an action of block.

Effectively, the host field is equivalent to the target.

Hope this helps,

Greg

  • 3544 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks