HIDS 3911

From Atomicorp Wiki
Revision as of 17:05, 26 July 2011 by Mshinn (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Rule ID

3911

Status

Active rule currently published.

Description

This rule detects multiple login connections to the Courier IMAP and POP3 servers from the same IP. The intent of this rule is to detect a malicious party attempting to brute force guess passwords.

The default settings are to detect 30 login connections in 20 seconds.

False Positives

This rule can be falsely triggered if multiple users are using the same IP address, such as behind a firewall and multiple users trigger more than 30 login connections in 20 seconds. This can happen either with a large number of users, or an email client that can generate multiple connections at the same time (as with the IMAPX protocol).

If you believe that this is a false positive, then disable this rule or whitelist the source IP.

Tuning Recommendations

None.

Similar Rules

None.

Personal tools