Difference between revisions of "HIDS 5551"

From Atomicorp Wiki
Latest revision as of 18:31, 3 April 2014

Rule ID

5551

Status

Active rule currently published.

Description

This rule detects multiple login failures for services that authenticate through the generic Linux PAM (Pluggable Authentication Modules) system. The intent of this rule is to detect a malicious party attempting to brute-force guess passwords.

The default settings are to detect 8 login failures from the same IP within 90 seconds.

False Positives

This rule can be falsely triggered when multiple users share the same IP address, such as users behind a firewall, and together generate 8 or more failures within 90 seconds.

If you believe that this is a false positive, then disable this rule or whitelist the source IP.
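As an added example, not part of this wiki page or of the Atomicorp rule set, the following Python reproduces the correlation this rule describes: a sliding 90-second window per source IP that fires at 8 PAM authentication failures, plus the source-IP whitelist exemption suggested above. The log lines, host name and IP addresses are constructed samples in pam_unix syslog format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog line carrying a pam_unix authentication failure; rhost is the field
# the rule correlates on (the "same IP" condition). Pattern is constructed.
PAM_FAIL_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) \S+ \w+\[\d+\]: "
    r"pam_unix\(\w+:auth\): authentication failure;.*\brhost=(?P<rhost>\S+)"
)

def parse_pam_failure(line, year=2014):
    """Return (timestamp, rhost) for a PAM auth failure line, else None."""
    m = PAM_FAIL_RE.match(line)
    if not m:
        return None
    stamp = f"{m['mon']} {int(m['day']):02d} {m['hms']} {year}"  # syslog has no year
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y"), m["rhost"]

def detect_pam_bruteforce(lines, threshold=8, window=90, whitelist=frozenset()):
    """Alert when `threshold` failures from one rhost fall inside `window` seconds
    (the rule's 8-in-90s default); whitelisted IPs are never counted."""
    recent, alerts = defaultdict(deque), []
    for line in lines:
        parsed = parse_pam_failure(line)
        if parsed is None:          # not a PAM failure (e.g. a successful login)
            continue
        ts, rhost = parsed
        if rhost in whitelist:
            continue
        q = recent[rhost]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:  # drop failures outside window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((rhost, ts))
            q.clear()              # one burst yields one alert, not one per extra failure
    return alerts

def _line(hms, rhost, user):
    # Builds a constructed syslog/PAM line in pam_unix format (not a real capture).
    return (f"Apr  3 {hms} host sshd[4242]: pam_unix(sshd:auth): authentication failure; "
            f"logname= uid=0 euid=0 tty=ssh ruser= rhost={rhost}  user={user}")

# Constructed sample: an 8-failure burst from one IP, 8 failures by three users
# behind one shared IP (the false-positive case), and a non-PAM line.
SAMPLE_LOG = (
    [_line(f"18:30:{i:02d}", "203.0.113.7", "root") for i in range(8)]
    + [_line(f"18:31:{8 * i:02d}", "198.51.100.2", f"user{i % 3}") for i in range(8)]
    + ["Apr  3 18:32:01 host sshd[4242]: Accepted publickey for alice from 192.0.2.9"]
)
```

Running `detect_pam_bruteforce(SAMPLE_LOG)` alerts on both IPs; passing `whitelist={"198.51.100.2"}` suppresses the shared-IP alert while the single-source burst still fires.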

Tuning Recommendations

None.

Similar Rules

HIDS_3911

HIDS_3912

HIDS_3913
