I am looking for clarification as to how the 'Host Type' field works in a vulnerability protection profile.
For instance, we have a profile configured to protect our DMZ with six rules as follows:
Rule | Threat Name | CVE | Host Type | Severity | Action
I've noticed in the threat logs a number of 'FTP: login Brute-force attempt' triggered from the outside to the DMZ with a source of some IP in China. Clicking the detail option beside the log entry shows a direction of 'client-to-server'. Based on the details of the threat (see below) I would assume the rule 'client-high' would catch the brute force attempt and 'block' the threat; however, it appears it is matching under the rule 'server-high', which takes an 'alert' action. In the help menus the 'Host' field has the description "Specify whether to limit the signatures for the rule to those that are client side, server side, or either (any)," which to me is very vague. Could someone explain to me exactly what the 'host type' field does?
FTP: login Brute-force attempt
This event indicates that someone is using a brute force attack to gain access to an ftp server. An FTP brute force attack is a method of defeating the cryptographic scheme by trying a large number of possible username and passwords.
In the example you have, the host is the Server, so it'll be a "server-high" with an action of Alert. If it was a server attacking a client, or a client-targeted vulnerability, it would be a "client-high" which does have an action of block.
Effectively, the host field is equivalent to the target.
Hope this helps,
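To make the answer concrete, here is a small model of the selection logic, added as an illustration and not code from PAN-OS or from the poster. It assumes that the threat log direction identifies the affected host (client-to-server means the server is the target, as the answer states), that a profile's rules are evaluated top down with the first match winning, and that only severity and host type decide the match; the rule names and actions are taken from the question, the rule order and the threat log lines are constructed for the example.

```python
"""Model of how the 'Host Type' field of a vulnerability protection profile
selects a rule for a logged threat. Added illustration, not PAN-OS code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    host_type: str   # "client", "server" or "any"
    severity: str    # e.g. "high"
    action: str      # e.g. "alert", "block"


# Constructed rule set: only 'client-high' (block) and 'server-high' (alert)
# are named on the page; their relative order is an assumption.
RULES: List[Rule] = [
    Rule("client-high", "client", "high", "block"),
    Rule("server-high", "server", "high", "alert"),
]

# Direction -> affected host. The answer's point: host type == target.
DIRECTION_TO_HOST = {
    "client-to-server": "server",   # a client attacking a server targets the server
    "server-to-client": "client",   # a server (or malicious response) targeting a client
}


def affected_host(direction: str) -> str:
    """Translate the log's direction field into the host type a rule would match."""
    try:
        return DIRECTION_TO_HOST[direction]
    except KeyError:
        raise ValueError(f"unknown direction: {direction!r}")


def match_rule(severity: str, direction: str,
               rules: List[Rule] = RULES) -> Optional[Rule]:
    """First rule (top down, an assumption) whose severity and host type fit."""
    host = affected_host(direction)
    for rule in rules:
        if rule.severity == severity and rule.host_type in ("any", host):
            return rule
    return None


def parse_threat_log(line: str) -> Tuple[str, str, str, str]:
    """Parse a constructed, simplified threat log line:
    threat name,severity,direction,source IP (not the real PAN-OS CSV layout)."""
    name, severity, direction, src = (f.strip() for f in line.split(","))
    return name, severity, direction, src


def triage(lines: List[str], rules: List[Rule] = RULES) -> List[Tuple[str, str, str]]:
    """Return (threat name, matched rule name, action) for each log line."""
    result = []
    for line in lines:
        name, severity, direction, _src = parse_threat_log(line)
        rule = match_rule(severity, direction, rules)
        result.append((name, rule.name if rule else "-", rule.action if rule else "none"))
    return result


# Constructed sample log lines, modelled on the question's scenario.
SAMPLE_LOG = [
    "FTP: login Brute-force attempt,high,client-to-server,203.0.113.5",
    "Browser Exploit Example (constructed),high,server-to-client,198.51.100.9",
]

# A rule placed above the two others that catches high-severity threats on either
# host type. Constructed, to show one way the alert-only outcome could be changed.
BLOCK_ANY_HIGH = [Rule("any-high", "any", "high", "block")] + RULES

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)            # FTP brute force -> server-high -> alert
    for row in triage(SAMPLE_LOG, BLOCK_ANY_HIGH):
        print(row)            # both -> any-high -> block
```

The first loop reproduces what the question observed: a client-to-server FTP brute force is a server-targeted threat, so it lands on 'server-high' and is only alerted on, while 'client-high' never applies to it. The second loop shows that an 'any' host-type rule (or changing the action on 'server-high') is what governs the outcome, not the direction from which the traffic arrives.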