https://wiki.atomicorp.com/wiki/index.php?title=HIDS_3910&feed=atom&action=historyHIDS 3910 - Revision history2024-03-28T16:49:53ZRevision history for this page on the wikiMediaWiki 1.20.2https://wiki.atomicorp.com/wiki/index.php?title=HIDS_3910&diff=1873&oldid=prevMshinn at 16:16, 20 August 20112011-08-20T16:16:07Z<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 16:16, 20 August 2011</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 28:</td>
<td colspan="2" class="diff-lineno">Line 28:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[HIDS_3911]]</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[HIDS_3911]]</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">[[HIDS_3912]]</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">[[HIDS_3913]]</ins></div></td></tr>
</table>Mshinnhttps://wiki.atomicorp.com/wiki/index.php?title=HIDS_3910&diff=1770&oldid=prevMshinn at 22:09, 26 July 20112011-07-26T22:09:22Z<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 22:09, 26 July 2011</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 27:</td>
<td colspan="2" class="diff-lineno">Line 27:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Similar Rules'''</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Similar Rules'''</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">None.</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">[[HIDS_3911]]</ins></div></td></tr>
</table>Mshinnhttps://wiki.atomicorp.com/wiki/index.php?title=HIDS_3910&diff=1768&oldid=prevMshinn: Created page with "'''Rule ID''' 3910 '''Status''' Active rule currently published. '''Description''' This rule detects multiple login failures to the Courier IMAP and POP3 servers from the..."2011-07-26T22:06:56Z<p>Created page with "'''Rule ID''' 3910 '''Status''' Active rule currently published. '''Description''' This rule detects multiple login failures to the Courier IMAP and POP3 servers from the..."</p>
<p><b>New page</b></p><div>'''Rule ID''' <br />
<br />
3910<br />
<br />
'''Status'''<br />
<br />
Active rule currently published.<br />
<br />
'''Description''' <br />
<br />
This rule detects multiple login failures against the Courier IMAP and POP3 servers from the same source IP. Its intent is to detect a malicious party attempting to brute-force passwords.<br />
<br />
The default settings fire on 10 login failures from the same IP within 10 seconds.<br />
<br />
'''False Positives'''<br />
<br />
This rule can be falsely triggered when multiple users share one source IP address, for example behind a NAT firewall, and between them generate 10 or more failures in a 10 second period (an average of one or more failures per second).<br />
<br />
This can happen either with a large number of users (less probable) or with an email client that opens several connections at once and fails authentication on each of them, so a single wrong password produces several failures per second (as with the IMAPX protocol; this is the more probable case).<br />
<br />
If you believe an alert is a false positive, whitelist the source IP (preferred, since the rule stays active for every other address) or disable the rule.<br />
<br />
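Added illustration (not the published rule, and not Atomicorp or OSSEC code) of the correlation the description relies on: count LOGIN FAILED events per source IP and fire once the count reaches the frequency threshold inside the timeframe, here the 10 failures in 10 seconds quoted above. The log lines are constructed to mimic Courier's syslog output, the courier_line and detect_brute_force names and the whitelist set are assumptions of this example, and the run also reproduces the shared-IP false positive described above and shows whitelisting the gateway suppressing it.<br />

```python
"""Sliding-window correlation of Courier 'LOGIN FAILED' events per source IP.

Added illustration only: not the published HIDS rule and not Atomicorp or
OSSEC code. The sample log lines are constructed, modelled on Courier's
syslog output (imapd/pop3d: LOGIN FAILED, user=..., ip=[...]).
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Courier writes the peer address inside ip=[...]; IPv4 peers often appear as
# IPv4-mapped IPv6 (::ffff:a.b.c.d) when the daemon listens on an IPv6 socket.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<daemon>imapd|pop3d)(?:-ssl)?(?:\[\d+\])?: LOGIN FAILED, .*?ip=\[(?P<ip>[^\]]+)\]"
)


def courier_line(hhmmss, daemon, user, ip):
    """Build one constructed syslog line in Courier's LOGIN FAILED format."""
    return f"Jul 26 {hhmmss} mail {daemon}: LOGIN FAILED, user={user}, ip=[::ffff:{ip}]"


ATTACKER = "203.0.113.7"      # one host walking a username list
NAT_GATEWAY = "198.51.100.5"  # many users behind one address
LEGIT_USER = "192.0.2.10"     # one person mistyping a password a few times

SAMPLE_LOG = (
    # three failures spread over 80 seconds: never 10 inside a 10 s window
    [courier_line(t, "imapd", "alice", LEGIT_USER) for t in ("22:05:00", "22:05:40", "22:06:20")]
    # a successful login; the parser must ignore it
    + [f"Jul 26 22:06:30 mail imapd: LOGIN, user=alice, ip=[::ffff:{LEGIT_USER}], protocol=IMAP"]
    # brute force: 10 failures in 9 seconds, different usernames, same IP
    + [courier_line(f"22:06:{50 + i}", "imapd", u, ATTACKER)
       for i, u in enumerate("admin root test info sales postmaster webmaster support mail user".split())]
    # shared-IP false positive: 10 different users, one failure each, all within 8 seconds
    + [courier_line(f"22:07:{s:02d}", "pop3d", f"user{i}", NAT_GATEWAY)
       for i, s in enumerate((0, 0, 1, 2, 3, 4, 5, 6, 7, 8))]
)


def parse_ts(stamp, year=2011):
    """Syslog stamps carry no year; assume one (the constructed data is from 2011)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def normalize_ip(raw):
    """Fold IPv4-mapped IPv6 (::ffff:a.b.c.d) back to plain IPv4 so whitelists match."""
    addr = ipaddress.ip_address(raw)
    mapped = getattr(addr, "ipv4_mapped", None)
    return str(mapped) if mapped else str(addr)


def detect_brute_force(lines, frequency=10, timeframe=10, whitelist=frozenset()):
    """Return [(ip, fired_at)] for every source IP that reaches `frequency`
    LOGIN FAILED events inside `timeframe` seconds (default 10 in 10, the
    numbers quoted in the rule description). Whitelisted IPs never alert."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    alerts = []
    for line in lines:
        m = LOGIN_FAILED.search(line)
        if not m:
            continue
        ip = normalize_ip(m.group("ip"))
        if ip in whitelist:
            continue
        ts = parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > timeframe:   # drop events that aged out
            q.popleft()
        if len(q) >= frequency:
            alerts.append((ip, ts.strftime("%H:%M:%S")))
            q.clear()   # one alert per burst; counting restarts after it fires
    return alerts


if __name__ == "__main__":
    for ip, when in detect_brute_force(SAMPLE_LOG):
        print(f"ALERT {when}: {ip} hit the failed-login threshold")
    print("with the gateway whitelisted:", detect_brute_force(SAMPLE_LOG, whitelist={NAT_GATEWAY}))
```

Run as written, the attacker and the NAT gateway both alert, which is exactly the false positive the section describes; passing the gateway in the whitelist leaves only the attacker, and shrinking the timeframe to 5 seconds silences both, which is why tightening the window is a poor substitute for whitelisting.<br />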
'''Tuning Recommendations'''<br />
<br />
None.<br />
<br />
'''Similar Rules'''<br />
<br />
None.</div>Mshinn