Difference between revisions of "HIDS 3911"

From Atomicorp Wiki
(Created page with "'''Rule ID''' 3911 '''Status''' Active rule currently published. '''Description''' This rule detects multiple login connections to the Courier IMAP and POP3 servers from ...")
(2 intermediate revisions by one user not shown)
Line 9 (old) / Line 9 (new):

'''Description'''

− This rule detects multiple login connections to the Courier IMAP and POP3 servers from the same IP.  The intent of this rule is to detect a malicious party attempting to brute force guess passwords.
+ This rule detects multiple login connections to the Courier IMAP and POP3 servers from the same IP.  The intent of this rule is to detect a malicious party attempting a denial of service attack, or attempting to brute force guess passwords. (Please see the Similar Rules section at the bottom)

The default settings are to detect 30 login connections in 20 seconds.

+ '''Note:  This rule does not block by default, it just alerts when this occurs.'''

'''False Positives'''

Line 25 (old) / Line 27 (new):

'''Similar Rules'''

− None.
+ [[HIDS_3910]]
+ [[HIDS_3912]]
+ [[HIDS_3913]]

Latest revision as of 18:07, 7 April 2014

Rule ID

3911

Status

Active rule currently published.

Description

This rule detects multiple login connections to the Courier IMAP and POP3 servers from the same IP. The intent of this rule is to detect a malicious party attempting a denial of service attack, or attempting to brute-force guess passwords. (Please see the Similar Rules section at the bottom.)

The default settings are to detect 30 login connections in 20 seconds.

Note: This rule does not block by default; it only alerts when this occurs.

False Positives

This rule can be falsely triggered if multiple users share the same IP address, for example users behind a firewall, and together generate more than 30 login connections in 20 seconds. This can happen either with a large number of users, or with an email client that opens multiple connections at the same time (as with the IMAPX protocol).

If you believe that this is a false positive, disable this rule or whitelist the source IP.
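As an added illustration of the detection logic described above and of the whitelist tuning suggested for false positives (example code written for this page, not the published rule's own definition), the Python script below counts Courier imapd/pop3d LOGIN lines per source IP in a sliding 20-second window, raises an alert when an address reaches 30 logins, and skips whitelisted addresses such as a shared firewall egress IP. Like the rule's default, it only alerts and blocks nothing. The syslog line layout, the year used for syslog timestamps, the addresses and all sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Defaults documented for this rule: 30 login connections in 20 seconds.
THRESHOLD = 30
WINDOW = timedelta(seconds=20)

# Assumed syslog layout of Courier imapd/pop3d LOGIN lines (an assumption for
# this example, not the pattern the published rule uses). Both successful and
# failed logins count as "login connections".
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?:imapd|pop3d)(?:-ssl)?(?:\[\d+\])?: "
    r"LOGIN(?: FAILED)?, user=(?P<user>[^,]+), ip=\[(?:::ffff:)?(?P<ip>[^\]]+)\]"
)


def parse_ts(ts, year=2014):
    """Syslog timestamps carry no year; assume one (the constructed samples use 2014)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect(lines, whitelist=frozenset(), threshold=THRESHOLD, window=WINDOW):
    """Return (timestamp, ip, count) alerts for any source IP that reaches
    `threshold` logins inside `window`. Alert-only: nothing is blocked, which
    matches the rule's default behaviour. IPs in `whitelist` are never counted,
    which is how a shared firewall address would be tuned out."""
    recent = defaultdict(deque)  # ip -> login timestamps still inside the window
    alerts = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue  # not a Courier login line; ignore it
        ip = m.group("ip")
        if ip in whitelist:
            continue
        now = parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(now)
        while q and now - q[0] > window:
            q.popleft()  # drop logins older than the window
        if len(q) >= threshold:
            alerts.append((now, ip, len(q)))
            q.clear()  # one alert per burst; start counting afresh
    return alerts


def sample_log():
    """Constructed log lines (not real traffic): one address that logs in 30
    times in under 20 s, one ordinary user, and one whitelisted shared address."""
    lines = []
    for i in range(30):  # 30 logins spread over seconds :00 to :19
        lines.append(f"Apr  7 18:00:{i * 20 // 30:02d} mail imapd: LOGIN, "
                     f"user=user{i}, ip=[::ffff:198.51.100.7], protocol=IMAP")
    lines += [
        "Apr  7 18:01:00 mail pop3d: LOGIN FAILED, user=alice, ip=[::ffff:203.0.113.9]",
        "Apr  7 18:01:05 mail pop3d: LOGIN, user=alice, ip=[::ffff:203.0.113.9]",
        "Apr  7 18:01:30 mail imapd: LOGIN, user=alice, ip=[::ffff:203.0.113.9], protocol=IMAP",
    ]
    for i in range(30):  # the same burst from an address we have whitelisted
        lines.append(f"Apr  7 18:02:{i * 20 // 30:02d} mail imapd: LOGIN, "
                     f"user=office{i}, ip=[::ffff:192.0.2.1], protocol=IMAP")
    return lines


def run_sample():
    """Run the detector over the constructed log with 192.0.2.1 whitelisted."""
    return detect(sample_log(), whitelist=frozenset({"192.0.2.1"}))


if __name__ == "__main__":
    for ts, ip, n in run_sample():
        print(f"{ts:%b %d %H:%M:%S} ALERT: {n} logins from {ip} within {WINDOW.seconds}s")
```

Running the script reports a single alert for 198.51.100.7 at its 30th login; the 30 logins from the whitelisted 192.0.2.1 produce nothing, and the three logins from 203.0.113.9 (one of them failed) stay well under the threshold. Removing the whitelist makes the second burst alert as well, which is the situation the False Positives section describes for users behind a shared firewall address.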

Tuning Recommendations

None.

Similar Rules

HIDS_3910

HIDS_3912

HIDS_3913
