It's been a while since I last looked at the Brute-Force RDP signature, so take this with a grain of salt.

The MS-RDP Brute Force Attempt signature, by default, triggers when Vulnerability Protection signature ID 33020 (Microsoft remote desktop connect initial attempt) fires 8 times within 100 seconds. Signature ID 33020 is informational severity with default action = allow. You won't see this fire in your threat logs unless you change the action for this signature to "alert". (Also note that there are 2 different MS-RDP Brute Force signatures that you'll want to change action to Block-IP: 40021 and 40026. See pic above.)

When I tested this, the signature 33020 fires each time a TCP connection is made to the RDP server. Keep in mind that this one TCP connection will allow you to try ~3 passwords before it disconnects. If you connect, try 3 wrong passwords, and get disconnected, that will be logged as 1 occurrence of 33020. It's not per-password, it's per-session/connection. So, with default timings, you may have to try 3 (passwords per session) * 8 (TCP sessions) = 24 password attempts, all within 100 seconds, in order to trigger this brute force signature.

In order to troubleshoot the behavior, I would do the following:

- Change signature 33020 behavior to "alert"
- Change signature 40021 and 40026 timing to Number of Hits = 3 within 100 seconds

When configured appropriately, it can be a very powerful signature. I assisted in the deployment of a Palo Alto Networks firewall at the border of a University. They first deployed with Threat Prevention signatures in "alert" only mode. We logged 130k ms-rdp brute force attempts in a single day. 8 TCP sessions per attempt * 130k occurrences = 1Mil connections. 1Mil connections * 3 passwords per connection = 3Million passwords/day. At the end of that day, we changed the action to block-ip for 300 seconds (5 minutes). The very next day the # of rdp brute force occurrences was less than 2k (down from 130k!).

I encouraged them to move the block-ip duration to 3600 seconds (1 hour) once they were comfortable with how the brute force signatures worked. I'm sure that would have dropped the daily 2k occurrences into the low hundreds. When used properly, it can be a powerful tool. You just want to make sure you "tune it" so that you're not tagging legitimate traffic/users, and have a well-known process in place to unblock a legitimate user. Good luck!
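The following is an added example, not code from the post above or from Palo Alto Networks. It models the threshold logic the post describes: a parent signature (33020) that counts one hit per TCP connection to the RDP server, feeding a child brute-force signature that fires after N hits within W seconds, and shows why the default (8 within 100 s) and the suggested tuned setting (3 within 100 s) behave differently against fast, slow, and legitimate connection patterns. How PAN-OS actually aggregates the time attribute is not stated on the page; the per-source sliding window and the counter reset after a fire are assumptions here, and all IPs and timestamps are constructed sample data.

```python
"""Model of a hit-count-within-window brute-force signature.

Added example, not Palo Alto Networks code. Assumptions (not from
the post): the window slides per source IP, and a source's counter
resets once the child signature fires (mimicking a block-ip action).
"""
from collections import defaultdict, deque


def password_attempts_to_sessions(attempts, per_session=3):
    """Number of TCP sessions (33020 hits) that `attempts` password
    guesses cost, given ~3 guesses per connection before the server
    disconnects (figure taken from the post). Ceiling division."""
    return -(-attempts // per_session)


def brute_force_hits(events, hits=8, window=100):
    """Return [(timestamp, src_ip), ...] each time the child signature
    would fire.

    events: iterable of (ts_seconds, src_ip), one per 33020 occurrence,
            i.e. one per TCP connection regardless of guesses inside it.
    hits/window: the signature's "Number of Hits" within "seconds".
    """
    recent = defaultdict(deque)  # src_ip -> timestamps in the window
    fired = []
    for ts, src in sorted(events):
        q = recent[src]
        q.append(ts)
        # Drop occurrences that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= hits:
            fired.append((ts, src))
            q.clear()  # assumption: counter resets after a fire
    return fired


# Constructed sample data using documentation (TEST-NET) addresses.
ATTACKER_FAST = "198.51.100.7"   # 8 connections in 70 s
ATTACKER_SLOW = "203.0.113.9"    # 10 connections, one every 20 s
LEGIT_USER = "192.0.2.5"         # 4 connections spread over 15 min

SAMPLE_EVENTS = (
    [(t, ATTACKER_FAST) for t in range(0, 80, 10)]
    + [(t, ATTACKER_SLOW) for t in range(0, 200, 20)]
    + [(t, LEGIT_USER) for t in (0, 300, 600, 900)]
)


def run_scenario(hits, window, events=SAMPLE_EVENTS):
    """Group fire timestamps by source for a given hits/window setting."""
    by_src = defaultdict(list)
    for ts, src in brute_force_hits(events, hits, window):
        by_src[src].append(ts)
    return dict(by_src)


if __name__ == "__main__":
    print("24 guesses need", password_attempts_to_sessions(24), "sessions")
    print("default 8/100s :", run_scenario(8, 100))
    print("tuned   3/100s :", run_scenario(3, 100))
```

With the defaults only the fast source trips the signature; the slow source stays under 8 hits per 100 s indefinitely. Lowering the threshold to 3 hits catches the slow source too, while the legitimate user, whose connections are minutes apart, never accumulates 3 hits in any window. That is the tuning trade-off the post describes: a lower threshold catches slower guessing but narrows the margin for users who reconnect often.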