HIDS 3910
Rule ID
3910
Status
Active rule currently published.
Description
This rule detects multiple login failures to the Courier IMAP and POP3 servers from the same IP. The intent of this rule is to detect a malicious party attempting to brute force guess passwords.
The default settings are to detect 10 login failure, from the same IP, within 10 seconds.
False Positives
This rule can be falsely triggered if multiple users are using the same IP address, such as behind a firewall and multiple users generate 10 or more failures in a second period, or 1 or more failures a second.
This can happen either with a large number of users (less probable), or an email client that can generate multiple connections at the same time (as with the IMAPX protocol, which is more probable).
If you believe that this is a false positive, then disable this rule or whitelist the source IP.
Tuning Recommendations
None.
Similar Rules
None.