Hi EJaspe,
Please help us clarify your questions.
- Are you seeing the threat log "HTTP Unauthorized Brute Force Attack - ID 40031" whose destination IP address is the fileserver? If so, the fileserver is also running as a web server, right?
- Do you want to know if the web access was performed by using the IP address or the hostname? In that case, you can look at the HTTP Host header. Logging must be enabled on the web server to see it in the log. Or you can capture the traffic and check.
You can refer to the following KB to see how the signature detects the brute force.
Brute Force Signature and Related Trigger Conditions
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmpCAC
40031 - HTTP Unauthorized Brute-force Attack
"If a session has the same source and same destination but triggers our child signature, 34556, 100 times in 60 seconds, we call it is a brute force attack. The child signature, 34556, is looking for HTTP 401 response."
As you see, it can trigger regardless of the way of access using IP address or hostname, and also regardless of where the access is coming from (internal or external).
# By the way, this thread was already marked as 'resolved' about 2 years ago. You may want to post a new one from the next time onwards if you have a new inquiry.
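The trigger condition quoted from the KB (same source and destination, 100 HTTP 401 responses in 60 seconds) can be approximated against web server logs, as an added example that is not part of the original post and not Palo Alto Networks' implementation. The record layout, IP addresses and hostname below are constructed for illustration; the Host header values are kept so you can see whether the access used the IP address or the hostname.

```python
from collections import defaultdict, deque

THRESHOLD = 100  # HTTP 401 responses (value from the KB text quoted in the post)
WINDOW = 60      # seconds (value from the KB text quoted in the post)

def find_bruteforce(records, threshold=THRESHOLD, window=WINDOW):
    """Alert on each (src, dst) pair with >= threshold 401s inside `window` seconds.

    records: time-sorted tuples (epoch, src_ip, dst_ip, host_header, status).
    The tuple layout is an assumption of this example, not a firewall log format.
    """
    recent = defaultdict(deque)  # (src, dst) -> timestamps of 401s still in window
    hosts = defaultdict(set)     # (src, dst) -> Host header values seen on 401s
    first_alert = {}
    for ts, src, dst, host, status in records:
        if status != 401:
            continue
        key = (src, dst)
        hosts[key].add(host)
        q = recent[key]
        q.append(ts)
        while ts - q[0] >= window:  # expire 401s older than the window
            q.popleft()
        if len(q) >= threshold:
            first_alert.setdefault(key, ts)
    return {k: {"first_alert_at": t, "hosts": sorted(hosts[k])}
            for k, t in first_alert.items()}

def sample_records():
    """Constructed sample data: three clients hitting one web server."""
    dst, recs = "192.168.1.10", []
    for i in range(120):
        # Fast failures, alternating hostname and IP in the Host header.
        host = "fileserver.example.local" if i % 2 == 0 else dst
        recs.append((1000 + i // 3, "10.0.0.5", dst, host, 401))
        # Slow failures: one 401 every 2 s, at most 30 per 60 s window.
        recs.append((1000 + 2 * i, "10.0.0.6", dst, dst, 401))
        # Busy but successful client: 200 responses never count.
        recs.append((1000 + i // 3, "10.0.0.7", dst, dst, 200))
    return sorted(recs)

if __name__ == "__main__":
    for pair, info in find_bruteforce(sample_records()).items():
        print(pair, info)
```

Only the fast client is reported, and its alert lists both Host header values, which matches the point in the post that the signature fires regardless of whether the IP address or the hostname was used.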