HIDS 5556

From Atomicorp Wiki
Latest revision as of 15:52, 21 March 2014

Rule ID

5556

Status

Active rule currently published.

Description

This rule detects multiple login failures to PAM-enabled services, such as SSH, from the same source IP over a longer period of time than most brute-force rules consider. Specifically, it looks for 10 login failures within an hour. The intent of this rule is to detect a malicious party guessing passwords slowly (a low-and-slow brute force), pacing attempts so as to stay under the short-window thresholds of most brute-force detection systems.

The default settings are to detect 10 login failures, from the same source IP, within 3600 seconds (1 hour). An attacker who paces attempts even more slowly than that (fewer than 10 per hour) stays below this threshold as well.
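As an added illustration (this is not Atomicorp's rule definition and not OSSEC's matching engine), the following Python models the behaviour the description gives: count PAM authentication failures per source IP in a sliding 3600-second window and alert on the tenth. The sample log lines, the detector class, the option names and the whitelist parameter are all constructed for this example. The sample contains the low-and-slow attacker the rule is meant to catch, a slower attacker that never reaches 10 failures inside an hour, and the shared-NAT case listed under False Positives, with the whitelist showing how that case is suppressed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed parameters matching the rule description: 10 failures from one
# source IP within 3600 seconds. These names are illustrative only.
FREQUENCY = 10
TIMEFRAME = 3600

# Matches a pam_unix authentication failure as written to auth.log/secure
# and captures the syslog timestamp and the rhost= field (the source IP).
PAM_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+: "
    r"pam_unix\(\S+:auth\): authentication failure; .*rhost=(?P<ip>\S+)"
)


def parse_failure(line, year=2014):
    """Return (epoch_seconds, source_ip) for a PAM failure line, else None.

    Syslog timestamps carry no year, so one is assumed for the sample.
    """
    m = PAM_FAIL_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts.timestamp(), m.group("ip")


class SlowBruteForceDetector:
    """Per-source-IP sliding window over PAM failures (constructed example)."""

    def __init__(self, frequency=FREQUENCY, timeframe=TIMEFRAME, whitelist=()):
        self.frequency = frequency
        self.timeframe = timeframe
        self.whitelist = set(whitelist)
        # srcip -> timestamps of failures still inside the window
        self.windows = defaultdict(deque)

    def feed(self, line):
        """Process one log line; return the source IP when the rule fires, else None."""
        parsed = parse_failure(line)
        if parsed is None:
            return None
        ts, ip = parsed
        if ip in self.whitelist:        # tuning: ignore a known shared gateway
            return None
        win = self.windows[ip]
        win.append(ts)
        # Expire failures older than the timeframe relative to this event.
        while win and ts - win[0] > self.timeframe:
            win.popleft()
        if len(win) >= self.frequency:
            win.clear()                 # alert once per burst, then restart counting
            return ip
        return None


def run(lines, **kw):
    """Feed every line through a fresh detector and return the IPs that fired, in order."""
    det = SlowBruteForceDetector(**kw)
    return [ip for ip in (det.feed(line) for line in lines) if ip]


def pam_line(minute, ip, user, service="sshd"):
    """Construct a synthetic pam_unix failure line (sample data, not a real log)."""
    hh, mm = divmod(minute, 60)
    return (f"Mar 21 {10 + hh:02d}:{mm:02d}:00 host {service}[1234]: "
            f"pam_unix({service}:auth): authentication failure; logname= uid=0 "
            f"euid=0 tty=ssh ruser= rhost={ip}  user={user}")


# Constructed sample log, sorted into time order like a real auth.log.
SAMPLE_LOG = sorted(
    # Low-and-slow attacker: one failure every 6 minutes, 10 within 54 minutes.
    [pam_line(6 * i, "203.0.113.5", "root") for i in range(10)]
    # Slower attacker: one every 9 minutes, never 10 inside any 3600 s window.
    + [pam_line(9 * i, "198.51.100.7", "admin") for i in range(10)]
    # NAT gateway: five different users each fail twice inside the hour.
    + [pam_line(5 * i, "192.0.2.10", f"user{i % 5}") for i in range(10)],
    key=lambda l: parse_failure(l)[0],
)

if __name__ == "__main__":
    print("alerts:", run(SAMPLE_LOG))
    print("alerts with gateway whitelisted:", run(SAMPLE_LOG, whitelist=["192.0.2.10"]))
```

Running the sample fires on the NAT gateway first (its tenth failure lands at minute 45) and then on the 6-minute attacker (tenth failure at minute 54), while the 9-minute attacker is never reported: by the time its tenth failure arrives, the oldest entries have aged out of the window. Whitelisting the gateway address removes the first alert, which is the tuning the False Positives section describes.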

False Positives

This rule can be falsely triggered when multiple users share one source IP address, for example behind a NAT firewall or proxy, and together generate 10 or more login failures within a one hour period.

If you believe that this is a false positive, then disable this rule or whitelist the source IP.

Tuning Recommendations

None.

Similar Rules

HIDS_3911

HIDS_3912

HIDS_3913
