Difference between revisions of "HIDS 40111"

From Atomicorp Wiki
(Created page with "'''Rule ID''' 40111 '''Status''' Active rule currently published. '''Description''' This rule is a generic group level event counter. It tracks authentication failures a...")
 
Line 9: Line 9:
 
'''Description'''   
 
'''Description'''   
  
This rule is a generic group level event counterIt tracks authentication failures across multiple rulesets.
+
This rule detects multiple authentication failures from the same IP, across multiple protocols.  It is a "meta" or correlation rule for ASL, where ASL will look all the activity from a source and develop a profile of the activity from that sourceIn this case, this rule evaluates all authentication failures that are detected from all the services running on the system, and evaluates if a large number of failures is detected from a single IP source.  The intent of this rule is to detect a malicious party attempting a denial of service attack, or attempting to break into the system by trying multiple passwords and/or accounts, or "brute force" password guessing.
  
The default settings are to detect 10 authentication failures in 160 seconds from a common source.
+
The default settings are to detect 10 authentication failures in 160 seconds.
  
 
'''False Positives'''
 
'''False Positives'''
  
 +
This rule can be falsely triggered if multiple users are using the same IP address, such as behind a firewall and multiple users or the same user causes more than 10 authentication failures within 160 seconds (this can be across multiple protocols, or the same protocol). 
 +
 +
This can also happen when large number of users from a single IP does this, or a client that can generate multiple connections at the same time (as with the IMAPX protocol) causes multiple authentication failures, or a user that has initiated multiple login failures at a high rate, or a client that has initiated multiple failures across multiple protocols within a period of time, or any combination of these.
  
 
If you believe that this is a false positive, then disable this rule or whitelist the source IP.
 
If you believe that this is a false positive, then disable this rule or whitelist the source IP.
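Review bot: the rewritten default-settings sentence in this hunk drops the qualifier "from a common source" that the previous wording carried; because the rule counts failures per source IP, keep it: "The default settings are to detect 10 authentication failures in 160 seconds from a common source." The added description paragraph also has two wording defects: "ASL will look all the activity" should read "ASL will look at all the activity", and "that sourceIn this case" is missing the sentence break ("that source. In this case").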

Revision as of 13:35, 30 July 2011

Rule ID

40111

Status

Active rule currently published.

Description

This rule detects multiple authentication failures from the same IP, across multiple protocols. It is a "meta" or correlation rule for ASL, where ASL will look at all the activity from a source and develop a profile of the activity from that source. In this case, this rule evaluates all authentication failures that are detected from all the services running on the system, and evaluates whether a large number of failures is detected from a single IP source. The intent of this rule is to detect a malicious party attempting a denial of service attack, or attempting to break into the system by trying multiple passwords and/or accounts, or "brute force" password guessing.

The default settings are to detect 10 authentication failures in 160 seconds.

False Positives

This rule can be falsely triggered when multiple users share the same IP address (for example, behind a firewall or NAT) and those users, or a single user, cause more than 10 authentication failures within 160 seconds (across multiple protocols, or the same protocol).

This can also happen when a large number of users from a single IP do this, or when a client that opens multiple connections at the same time (as with the IMAPX protocol) causes multiple authentication failures, or a user initiates multiple login failures at a high rate, or a client initiates multiple failures across multiple protocols within a short period of time, or any combination of these.

If you believe that this is a false positive, then disable this rule or whitelist the source IP.
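The correlation described above (count authentication failures per source IP across all protocols, alert at 10 within 160 seconds) together with the whitelist remedy from the false-positive section, as an added illustration that is not Atomicorp's or ASL's own code. The event tuples, IP addresses and protocol names are constructed for the example; the 10/160 figures are the defaults stated on this page.

```python
from collections import defaultdict, deque

# Defaults stated on the page: 10 authentication failures within 160 seconds.
THRESHOLD = 10
WINDOW_SECONDS = 160


def correlate_auth_failures(events, threshold=THRESHOLD, window=WINDOW_SECONDS, whitelist=()):
    """Sliding-window correlation of authentication failures per source IP.

    `events` is an iterable of (timestamp_seconds, source_ip, protocol) tuples,
    i.e. failures already matched by the per-service rules feeding this one.
    Returns one (timestamp, source_ip, protocols_seen) alert per source IP, the
    first time that source reaches `threshold` failures inside `window` seconds.
    Whitelisted sources (the page's false-positive remedy) are never alerted on.
    """
    recent = defaultdict(deque)   # source_ip -> deque of (ts, protocol) still inside the window
    alerted = set()
    alerts = []
    for ts, src, proto in sorted(events):
        if src in whitelist:
            continue
        q = recent[src]
        q.append((ts, proto))
        # Drop failures older than the window relative to the newest event.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((ts, src, sorted({p for _, p in q})))
    return alerts


# Constructed sample events (seconds, source IP, protocol); not real log data.
SAMPLE_EVENTS = (
    [(t, "198.51.100.7", "ssh") for t in (0, 10, 20, 30)]       # 10 failures across
    + [(t, "198.51.100.7", "imap") for t in (40, 50, 60)]       # three protocols
    + [(t, "198.51.100.7", "smtp") for t in (70, 80, 90)]       # within 90 s
    + [(t, "203.0.113.5", "ssh") for t in range(0, 600, 60)]    # 10 slow failures, 60 s apart
    + [(t, "192.0.2.10", "pop3") for t in range(0, 36, 3)]      # 12 fast failures, NAT gateway
)

if __name__ == "__main__":
    for alert in correlate_auth_failures(SAMPLE_EVENTS, whitelist={"192.0.2.10"}):
        print("40111 fired:", alert)
```

The slow source never holds 10 failures inside one 160 second window, so only the cross-protocol burst fires; the whitelisted gateway is suppressed even though it exceeded the threshold.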

Tuning Recommendations

None.

Similar Rules
