Difference between revisions of "HIDS 3358"

From Atomicorp Wiki
Jump to: navigation, search
(Created page with "{{Infobox |header1= Rule 3358 |label2 = Status |data2 = Active |label3 = Alert Message |data3 = Multiple SASL authentication failures. }} = Description = ASL has detected m...")
 
m
 
Line 9: Line 9:
 
= Description =
 
= Description =
  
ASL has detected multiple SASL authentication failures from a single IP within a short period of time.  This specifically looks for 5 failures in 10 seconds.
+
Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols, such as pop3, imap, postfix, courier, other smtp servers and even web services.  Its most commonly used for mail services.
 +
 +
This alert means that a system or user has failed to authenticate to a service that uses SASL multiple times.  This can be an indication that someone is trying to brute force attack an account, or it could mean a client has an incorrect password and/or username and keeps trying and failing to authenticate multiple times.  This specifically looks for 5 failures in 10 seconds.
 +
 
 +
== Log example ==
 +
 
 +
''Oct 8 10:33:03 host postfix/smtpd[18908]: warning: unknown[1.2.3.4]: SASL DIGEST-MD5 authentication failed: authentication failure''
  
 
= Troubleshooting =
 
= Troubleshooting =
Line 15: Line 21:
 
== Solutions ==
 
== Solutions ==
  
If you wish to prevent ASL from shunning on these events, simply set Active Response for the rule to off.   
+
We do not recommend you disable this rule.  You could whitelist the IP, but the best solution is to fix the invalid username/password for the user. 
 +
 
 +
If you do not wish to shun on this rule, just change the Rules configuration for Active Response to "no"We do not recommend you disable active response on this rule, as this method is widely used to brute force mail, FTP and ssh servers.
  
 
== False Positives ==
 
== False Positives ==
 +
 +
The rule itself can not generate a false positive, the rule just reports when multiple login failures happen from a single IP.  If this event is not an attack, then this means the enduser has an invalid username and/or password configured for the service.  The best solution to this problem is to have the user fix their username/password so its valid.
  
 
Please do not report this as a false positive unless ASL is incorrectly reporting an event that is not a login failure for your mail server.  To report a false positive, please follow this process:
 
Please do not report this as a false positive unless ASL is incorrectly reporting an event that is not a login failure for your mail server.  To report a false positive, please follow this process:

Latest revision as of 13:46, 24 September 2014

Rule 3358
Status Active
Alert Message Multiple SASL authentication failures.

Contents

[edit] Description

Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols, such as pop3, imap, postfix, courier, other smtp servers and even web services. Its most commonly used for mail services.

This alert means that a system or user has failed to authenticate to a service that uses SASL multiple times. This can be an indication that someone is trying to brute force attack an account, or it could mean a client has an incorrect password and/or username and keeps trying and failing to authenticate multiple times. This specifically looks for 5 failures in 10 seconds.

[edit] Log example

Oct 8 10:33:03 host postfix/smtpd[18908]: warning: unknown[1.2.3.4]: SASL DIGEST-MD5 authentication failed: authentication failure

[edit] Troubleshooting

[edit] Solutions

We do not recommend you disable this rule. You could whitelist the IP, but the best solution is to fix the invalid username/password for the user.

If you do not wish to shun on this rule, just change the Rules configuration for Active Response to "no". We do not recommend you disable active response on this rule, as this method is widely used to brute force mail, FTP and ssh servers.

[edit] False Positives

The rule itself can not generate a false positive, the rule just reports when multiple login failures happen from a single IP. If this event is not an attack, then this means the enduser has an invalid username and/or password configured for the service. The best solution to this problem is to have the user fix their username/password so its valid.

Please do not report this as a false positive unless ASL is incorrectly reporting an event that is not a login failure for your mail server. To report a false positive, please follow this process:

https://www.atomicorp.com/wiki/index.php/Reporting_False_Positives

[edit] Additional Information

[edit] Similar Rules

HIDS_3359

HIDS_3360

HIDS_60904

HIDS_60905

HIDS_60906

[edit] Knowledge Base Articles

None.

[edit] External Articles

None.

Personal tools