HIDS 3913

From Atomicorp Wiki
Revision as of 11:33, 21 January 2014 by Mshinn (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Rule ID

3913

Status

Active rule currently published.

Description

This rule detects multiple login failures to the Courier IMAP and POP3 servers from the same IP. The intent of this rule is to detect a malicious party attempting to slowly brute force guess passwords.

The default settings are to detect 10 login failures, from the same IP, within 1 hour.

This rule is set to level 5, which by default is below the shunning threshold. Therefore, this rule will not shun by default. If you wish to shun, please increase the level for this rule, or decrease the minimum threshold for shuns.

False Positives

This rule can be falsely triggered if multiple users are using the same IP address, such as behind a firewall and multiple users generate 10 or more failures within a 1 one hour period, and so so at a rate that is much slower than rules 3910 and 3912. (See the Similar Rules section at the bottom of this article). This rule only detects very slow rates of failures.

This can happen either with a large number of users using a single IP address that generate a slow rate of failures over an hour.

If you believe that this is a false positive, then disable this rule or whitelist the source IP.

Tuning Recommendations

None.

Similar Rules

HIDS_3910

HIDS_3911

HIDS_3912

Personal tools