Difference between revisions of "HIDS 40111"

From Atomicorp Wiki
 
Line 19: Line 19:
 
This can also happen when large number of users from a single IP does this, or a client that can generate multiple connections at the same time (as with the IMAPX protocol) causes multiple authentication failures, or a user that has initiated multiple login failures at a high rate, or a client that has initiated multiple failures across multiple protocols within a period of time, or any combination of these.
 
This can also happen when large number of users from a single IP does this, or a client that can generate multiple connections at the same time (as with the IMAPX protocol) causes multiple authentication failures, or a user that has initiated multiple login failures at a high rate, or a client that has initiated multiple failures across multiple protocols within a period of time, or any combination of these.
  
If you believe that this is a false positive, then [[ASL_rule_manager disable this rule]] or [[whitelist the source IP]].
+
If you believe that this is a false positive, then disable this rule, using the [[ASL rule manager]] or whitelist the source IP.
  
 
'''Tuning Recommendations'''
 
'''Tuning Recommendations'''
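Review bot: the rewritten sentence fixes the broken link syntax of `[[ASL_rule_manager disable this rule]]` and `[[whitelist the source IP]]`, but the comma placement in "disable this rule, using the [[ASL rule manager]] or whitelist the source IP" attaches "or whitelist" to the "using" clause, and the whitelisting procedure no longer links anywhere; suggest "disable this rule using the [[ASL rule manager]], or whitelist the source IP." with a link kept on the whitelisting page if one exists.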

Latest revision as of 14:45, 30 July 2011

Rule ID

40111

Status

Active rule currently published.

Description

This rule detects multiple authentication failures from the same IP across multiple protocols. It is a "meta" or correlation rule for ASL: ASL looks at all the activity from a source and develops a profile of that source's activity. In this case, the rule evaluates all authentication failures detected by every service running on the system and checks whether a large number of failures comes from a single source IP. The intent of this rule is to detect a malicious party attempting a denial of service attack, or attempting to break into the system by trying multiple passwords and/or accounts, i.e. "brute force" password guessing.

The default settings are to detect 10 authentication failures in 160 seconds.
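As an added example (not Atomicorp's or ASL's own code), the correlation described above reduced to a per-source-IP sliding window fed by failure lines from several services, using the page's defaults of 10 failures in 160 seconds. The sshd, dovecot and proftpd message formats, the sample log lines and the year supplied for syslog timestamp parsing are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
FREQUENCY, TIMEFRAME = 10, 160  # defaults quoted in the rule description
YEAR = 2011  # assumption: syslog lines carry no year, so one is supplied when parsing
# Per-protocol failure patterns capturing the source IP; the message formats are
# assumptions about sshd, dovecot and proftpd output, not ASL's own decoders.
PATTERNS = {
    "ssh": re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+)"),
    "imap": re.compile(r"dovecot: imap-login: .*auth failed.*rip=(\d+\.\d+\.\d+\.\d+)"),
    "ftp": re.compile(r"proftpd\[\d+\]: .*\((\d+\.\d+\.\d+\.\d+)\[.*no such user"),
}
def parse_failure(line):
    """Return (timestamp, protocol, source_ip) for a recognised failure line, else None."""
    for proto, pattern in PATTERNS.items():
        match = pattern.search(line)
        if match:
            stamp = datetime.strptime(f"{YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")
            return stamp, proto, match.group(1)
    return None
def correlate(lines, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Per-source-IP sliding window over every protocol; returns (ip, sorted protocols, trip time) alerts."""
    windows, alerts = defaultdict(deque), []
    for ts, proto, ip in filter(None, map(parse_failure, lines)):
        window = windows[ip]
        window.append((ts, proto))
        while (ts - window[0][0]).total_seconds() > timeframe:  # expire stale failures
            window.popleft()
        if len(window) >= frequency:
            alerts.append((ip, sorted({p for _, p in window}), ts))
            window.clear()  # one alert per burst, not one per additional failure
    return alerts

# Constructed sample traffic (not real logs): (seconds after BASE, protocol, source IP).
BASE = datetime(YEAR, 7, 30, 14, 40, 0)
TEMPLATES = {
    "ssh": "{ts} mail sshd[2210]: Failed password for invalid user admin from {ip} port 51234 ssh2",
    "imap": "{ts} mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, rip={ip}",
    "ftp": "{ts} mail proftpd[3310]: mail.example ({ip}[{ip}]) - USER test: no such user found",
}
EVENTS = (
    [(i * 10, ("ssh", "imap", "ftp")[i % 3], "203.0.113.5") for i in range(10)]  # 10 in 90 s: fires
    + [(i * 30, "ssh", "192.0.2.9") for i in range(10)]  # 10 in 270 s: never 10 inside 160 s
    + [(5, "imap", "198.51.100.7"), (40, "imap", "198.51.100.7")]  # two typos: benign
)
def build_lines(events=EVENTS):
    """Render the constructed events as time-ordered syslog lines."""
    return [TEMPLATES[p].format(ts=(BASE + timedelta(seconds=s)).strftime("%b %d %H:%M:%S"), ip=ip)
            for s, p, ip in sorted(events)]
```

Only the mixed-protocol burst from 203.0.113.5 trips the window; the slow source never has 10 failures inside 160 seconds, which is the rate distinction the rule relies on.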

False Positives

This rule can be falsely triggered if multiple users share the same IP address, for example behind a firewall, and those users (or a single user) cause more than 10 authentication failures within 160 seconds; the failures can be across multiple protocols or within the same protocol.

This can also happen when a large number of users from a single IP do this, when a client that can open multiple connections at the same time (as with the IMAPX protocol) causes multiple authentication failures, when a user initiates multiple login failures at a high rate, when a client initiates multiple failures across multiple protocols within a period of time, or any combination of these.

If you believe that this is a false positive, disable this rule using the ASL rule manager, or whitelist the source IP.

Tuning Recommendations

None.

Similar Rules
