Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
I am looking for clarification as to how the 'Host Type' field works in a vulnerability protection profile.
For instance, we have a profile configured to protect our DMZ with six rules as follows:
| Rule | Threat Name | CVE | Host Type | Severity | Action |
|---|---|---|---|---|---|
| client-critical | any | any | client | critical | block |
| client-high | any | any | client | high | block |
| client-medium | any | any | client | medium | alert |
| server-critical | any | any | server | critical | block |
| server-high | any | any | server | high | alert |
| server-medium | any | any | server | medium | alert |
I've noticed in the threat logs a number of 'FTP: login Brute-force attempt' triggered from the outside to the DMZ with a source of some IP in China. Clicking the detail option beside the log entry shows a direction of 'client-to-server'. Based off the details of the threat ( see below ) I would assume the rule 'client-high' would catch the brute force attempt and 'block' the threat, however, it appears it is matching under the rule 'server-high' which takes an 'alert' action. In the help menus the 'Host' field has the description "Specify whether to limit the signatures for the rule to those that are client side, server side, or either (any)." which to me is very vague. Could someone explain to me exactly what the 'host type' field does?
FTP: login Brute-force attempt
40001
This event indicates that someone is using a brute force attack to gain access to an ftp server. An FTP brute force attack is a method of defeating the cryptographic scheme by trying a large number of possible username and passwords.
