Vulnerability Protection - Host Type field

cancel
Showing results for 
Search instead for 
Did you mean: 

Vulnerability Protection - Host Type field

L0 Member

I am looking for clarification as to how the 'Host Type' field works in a vulnerability protection profile.

For instance, we have a profile configured to protect our DMZ with six rules as follows:

RuleThreat NameCVEHost TypeSeverityAction
client-criticalanyanyclientcriticalblock
client-highanyanyclienthighblock
client-mediumanyanyclientmediumalert
server-criticalanyanyservercriticalblock
server-highanyanyserverhighalert
server-mediumanyanyservermediumalert

I've noticed in the threat logs a number of 'FTP: login Brute-force attempt'  triggered from the outside to the DMZ with a source of some IP in China. Clicking the detail option beside the log entry shows a direction of 'client-to-server'. Based off the details of the threat ( see below ) I would assume the rule 'client-high' would catch the brute force attempt and 'block' the threat, however, it appears it is matching under the rule 'server-high' which takes an 'alert' action. In the help menus the 'Host' field has the description "Specify whether to limit the signatures for the rule to those that are client side, server side, or either (any)."  which to me is very vague.  Could someone explain to me exactly what the 'host type' field does?

FTP: login Brute-force attempt

40001

This event indicates that someone is using a brute force attack to gain access to an ftp server. An FTP brute force attack is a method of defeating the cryptographic scheme by trying a large number of possible username and passwords.

1 REPLY 1

L7 Applicator

In the example you have, the host is the Server, so it'll be a "server-high" with an action of Alert. If it was a server attacking a client, or a client-targeted vulnerability, it would be a "client-high" which does have an action of block.

Effectively, the host field is equivalent to the target.

Hope this helps,

Greg

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!