HIDS 40111

From Atomicorp Wiki
Revision as of 14:45, 30 July 2011 by Mshinn (Talk | contribs)


Rule ID: 40111

Active rule currently published.


This rule detects multiple authentication failures from the same IP address across multiple protocols. It is a "meta" or correlation rule for ASL: ASL looks at all the activity from a source and builds a profile of that activity. In this case, the rule evaluates every authentication failure detected by any of the services running on the system and checks whether a large number of failures comes from a single source IP. The intent is to detect a malicious party attempting a denial of service, or attempting to break into the system by trying multiple passwords and/or accounts ("brute force" password guessing).

The default settings are to detect 10 authentication failures in 160 seconds.

False Positives

This rule can be falsely triggered when multiple users share the same IP address, such as behind a firewall, and those users (or a single user) cause more than 10 authentication failures within 160 seconds. The failures can be across multiple protocols or all on the same protocol.

This can also happen when a large number of users behind a single IP address fail to authenticate, when a client that opens multiple connections at the same time (as with the IMAPX protocol) causes multiple authentication failures, when a single user triggers many login failures at a high rate, when a client fails across multiple protocols within the time window, or any combination of these.

If you believe that this is a false positive, either disable this rule using the ASL rule manager or whitelist the source IP.
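As an added, constructed illustration of the correlation this page describes (not ASL's or OSSEC's own code), the following Python script applies the default thresholds stated above, 10 failures within 160 seconds, to normalised authentication-failure events from several services, and shows the whitelist-by-source-IP mitigation recommended for the false-positive case. The line format, service names, IP addresses and the `_line`, `correlate` and `detect` helpers are all assumptions made for this example; the sample log lines are constructed, not real.

```python
"""Sliding-window correlation of authentication failures per source IP,
modelled on the behaviour described for rule 40111 (constructed example,
not ASL/OSSEC code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Defaults stated on the page: 10 failures within 160 seconds.
FREQUENCY = 10
TIMEFRAME = 160


def _line(offset, service, src_ip, base=datetime(2011, 7, 30, 14, 0, 0)):
    """Build one constructed, already-normalised failure line in the
    assumed format '<ISO timestamp> <service> <source IP>'."""
    return f"{(base + timedelta(seconds=offset)).isoformat()} {service} {src_ip}"


# Constructed sample input (not real logs). Three sources:
SAMPLE_LOG = (
    # (a) 10 failures in 90 s, spread across three services -> should fire
    [_line(10 * i, ["sshd", "dovecot", "vsftpd"][i % 3], "198.51.100.7")
     for i in range(10)]
    # (b) 10 failures spaced 30 s apart (270 s in total): never 10 inside
    #     one 160 s window -> should not fire
    + [_line(30 * i, "sshd", "203.0.113.9") for i in range(10)]
    # (c) 12 failures in 55 s from a gateway shared by many users: fires
    #     unless the address is whitelisted (the page's false-positive case)
    + [_line(1 + 5 * i, "dovecot", "192.0.2.5") for i in range(12)]
)


def parse_event(line):
    """Parse one normalised line into (timestamp, service, src_ip)."""
    ts, service, src_ip = line.split()
    return datetime.fromisoformat(ts), service, src_ip


def correlate(events, frequency=FREQUENCY, timeframe=TIMEFRAME, whitelist=()):
    """Count failures per source IP across all services in a sliding window.
    Returns one alert dict per burst that reaches `frequency` failures within
    `timeframe` seconds; whitelisted sources are skipped entirely."""
    window = timedelta(seconds=timeframe)
    recent = defaultdict(deque)  # src_ip -> deque of (timestamp, service)
    alerts = []
    for ts, service, src_ip in sorted(events):
        if src_ip in whitelist:
            continue
        q = recent[src_ip]
        q.append((ts, service))
        # Drop failures that have aged out of the timeframe.
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) >= frequency:
            alerts.append({
                "src_ip": src_ip,
                "count": len(q),
                "services": sorted({svc for _, svc in q}),
                "first": q[0][0],
                "last": ts,
            })
            q.clear()  # one alert per burst; counting restarts afterwards
    return alerts


def detect(lines, **kwargs):
    """Convenience wrapper: parse the lines, then correlate them."""
    return correlate([parse_event(line) for line in lines], **kwargs)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
    print("with 192.0.2.5 whitelisted:",
          detect(SAMPLE_LOG, whitelist={"192.0.2.5"}))
```

Run as-is, the script reports two alerts (the multi-protocol burst and the shared gateway) and none for the slow, spaced-out source, because the window prunes failures older than 160 seconds before the count is compared. Adding the shared gateway to `whitelist` removes its alert without changing the threshold, which is the targeted fix the page suggests over disabling the rule outright.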

Tuning Recommendations


Similar Rules
