Difference between revisions of "HIDS 3912"

From Atomicorp Wiki
Jump to: navigation, search
m (Created page with "'''Rule ID''' 3912 '''Status''' Active rule currently published. '''Description''' This rule detects multiple login failures to the Courier IMAP and POP3 servers from the...")
 
m
 
(One intermediate revision by one user not shown)
Line 12: Line 12:
  
 
The default settings are to detect 6 login failures, from the same IP, within 60 seconds.
 
The default settings are to detect 6 login failures, from the same IP, within 60 seconds.
 +
 +
This rule does not shun by default, it only alerts.
  
 
'''False Positives'''
 
'''False Positives'''
Line 28: Line 30:
  
 
[[HIDS_3910]]
 
[[HIDS_3910]]
 +
 +
[[HIDS_3911]]
  
 
[[HIDS_3913]]
 
[[HIDS_3913]]

Latest revision as of 22:30, 20 August 2011

Rule ID

3912

Status

Active rule currently published.

Description

This rule detects multiple login failures to the Courier IMAP and POP3 servers from the same IP. The intent of this rule is to detect a malicious party attempting to brute force guess passwords.

The default settings are to detect 6 login failures, from the same IP, within 60 seconds.

This rule does not shun by default, it only alerts.

False Positives

This rule can be falsely triggered if multiple users are using the same IP address, such as behind a firewall and multiple users generate 6 or more failures within a 60 second period.

This can happen either with a large number of users (less probable), or an email client that can generate multiple connections at the same time (as with the IMAPX protocol, which is more probable), however because there are other rules that detect faster denail rates its very unlikely a single client would generate failures at such a slow rate.

If you believe that this is a false positive, then disable this rule or whitelist the source IP.

Tuning Recommendations

None.

Similar Rules

HIDS_3910

HIDS_3911

HIDS_3913

Personal tools