Brute Force Signature and Related Trigger Conditions - Knowledge Base - Palo Alto Networks


Created On 09/26/18 13:44 PM - Last Modified 03/20/25 14:10 PM


Resolution


This document lists the trigger condition (child signature, hit count and time window) for each brute force signature.

 

Details

Trigger # | Application Name | Name (each entry's Description follows it)
40001 | FTP | Login Brute Force

If a session has the same source and destination but triggers our child signature, 40000, 10 times in 60 seconds, we call it a possible brute force attempt.

The child signature, 40000, is looking for a "530" FTP response message after the user sent a "PASS" command.

 
40003 | DNS | Spoofing Cache Record

If a session has the same source and destination but triggers our child signature, 40002, 100 times in 60 seconds, we call it a possible brute force attempt.

The child signature, 40002, is looking for a DNS response header in which every count (Question/Answer/Authority/Additional) is 1.

 
40004 | SMB | User Password Brute-force

If a session has the same source and destination but triggers our child signature, 31696, 30 times in 60 seconds, we call it a possible brute force attempt.

The child signature, 31696, is looking for an SMB SetupX with response error code 0x50001, and error code 0xc000006d for any SMB command.

 
40005 | LDAP | User Login Brute-force

If a session has the same source and destination but triggers our child signature, 31706, 20 times in 60 seconds, we call it a possible brute force attempt.

The child signature, 31706, is looking for an LDAP bindResponse (27) whose resultCode is 49.

 
40006 | HTTP | User Authentication Brute-force

If a session has the same source and destination but triggers our child signature, 31708, 100 times in 60 seconds, we call it a possible brute force attempt.

The child signature, 31708, is looking for HTTP response code 401 with "WWW-Authenticate:" in the response header.

 
40007 | MAIL | User Login Brute-force

If a session has the same source and destination but triggers our child signature, 31709, 10 times in 60 seconds, we call it a possible brute force attempt.

The child signature, 31709, works on three apps: SMTP, POP3 and IMAP.

The trigger condition is response code 535 in SMTP, the "No/bad logon/login failure" pattern in IMAP, and "-ERR" in reply to the POP3 PASS command.

 
40008 | MySQL | Authentication Brute-force

If a session has the same source and destination but triggers our child signature, 31719, 25 times in 60 seconds, we call it a possible brute force attempt.

The child signature, 31719, is looking for error code 1045 at the MySQL clientauth stage.

 
40009 | TELNET | Authentication Brute-force

If a session has the same source and destination but triggers our child signature, 31732, 10 times in 60 seconds, we call it a possible brute force attempt.

The child signature, 31732, is looking for the "login incorrect" pattern in the response packet.

 
40010 | Microsoft SQL Server | User Authentication Brute-force

If a session has the same source and same destination but triggers our child signature, 31753, 20 times in 60 seconds, we call it a possible brute force attempt.

The child signature, 31753, is looking for "Login failed for user" in the response packet.

 
40011 | Postgres Database | User Authentication Brute-force

If a session has the same source and same destination but triggers our child signature, 31754, 10 times in 60 seconds, we call it a possible brute force attempt.

The child signature, 31754, is looking for "password authentication failed for user " in the response packet.

 
40012 | Oracle Database | User Authentication Brute-force

If a session has the same source and same destination but triggers our child signature, 31761, 7 times in 60 seconds, we call it a possible brute force attempt.

The child signature, 31761, is looking for "password authentication  failed for user " in the response packet.

 
40013 | Sybase Database | User Authentication Brute-force

If a session has the same source and same destination but triggers our child signature, 31763, 10 times in 60 seconds, we call it a possible brute force attempt.

The child signature, 31763, is looking for "Login failed" in the response packet.

 
40014 | DB2 Database | User Authentication Brute-force

If a session has the same source and same destination but triggers our child signature, 31764, 20 times in 60 seconds, we call it a possible brute force attempt.

The child signature, 31764, is looking for the 0x1219 "Code point" with severity code 8 and security check code 0xf.

 
40015 | SSH | User Authentication Brute-force

If a session has the same source and destination but triggers our child signature, 31914, 20 times in 60 seconds, we call it a possible brute force attempt.

The child signature, 31914, alerts on every connection to an SSH server.

 
40016 | SIP | INVITE Method Request Flood

If a session has the same source and destination but triggers our child signature, 31993, 20 times in 60 seconds, we call it a possible brute force attempt.

The child signature, 31993, is looking for the "INVITE" method in a SIP session.

 
40017 | GlobalProtect | Palo Alto Networks GlobalProtect Authentication Brute-force

If a session has the same source and destination but triggers our child signature, 32256, 10 times in 60 seconds, we call it a possible brute force attempt.

The child signature, 32256, is looking for "POST /ssl-vpn/login.esp", "POST /global-protect/login.esp" or "POST /global-protect/getconfig.esp" in the HTTP URI. This indicates a login attempt.

 
40018 | HTTP | Apache HTTP Server Denial of Service

If a session has the same source and destination but triggers our child signature, 32452, 40 times in 60 seconds, we call it a possible brute force attempt.

The child signature, 32452, is looking for an HTTP request that has a Content-Length header but no "\r\n\r\n" terminating the request headers.

 
40019 | HTTP | IIS Denial of Service

If a session has the same source and destination but triggers our child signature, 32513, 12 times in 30 seconds, we call it a possible brute force attempt.

The child signature, 32513, is looking for "%3f" in an HTTP URI path containing ".aspx".

 
40020 | Digium Asterisk IAX2 | Call Number Exhaustion

If a session has the same source and destination but triggers our child signature, 32785, 10 times in 30 seconds, we call it a possible brute force attempt.

The child signature, 32785, is looking for the call number field in an Asterisk message.

 
40021 | MS-RDP | MS Remote Desktop Connect

If a session has the same source and same destination but triggers our child signature, 33020, 8 times in 100 seconds, we call it a possible brute force attempt.

The child signature, 33020, is looking for the CONNECT action in an ms-rdp request.

 
40022 | HTTP | Microsoft ASP.Net Information Leak Brute-force

If a session has the same source and same destination but triggers our child signature, 33435, 40 times in 30 seconds, we call it a possible brute force attempt.

The child signature, 33435, is looking for response code 500 with a response header containing "\nX-Powered-By: ASP\.NET".

 
40023 | SIP | SIP Register Message Brute Force

If a session has the same source and same destination but triggers our child signature, 33592, 60 times in 60 seconds, we call it a possible brute force attempt.

The child signature, 33592, is looking for the "REGISTER" SIP method.

 
40025 | AFP requests | Novell Netware AFP Remote Denial of Service Vulnerability

Novell Netware is prone to a denial of service vulnerability while parsing certain crafted AFP requests. This signature detects this DoS attack. This signature triggers when the child signature, 54823, triggers 50 times within 3 seconds.
 
40028 | SIP | SIP Bye Message Brute-force

If a session has the same source and same destination but triggers our child signature, 34520, 20 times in 60 seconds, we call it a possible brute force attempt.

The child signature, 34520, is looking for the SIP BYE method.

 
40030 | HTTP | HTTP NTLM Authentication Brute-force

If a session has the same source and same destination but triggers our child signature, 34548, 20 times in 60 seconds, we call it a possible brute force attempt.

The child signature, 34548, is looking for an HTTP 407 response together with the NTLM proxy authorization condition.

 
40031 | HTTP | HTTP Unauthorized Brute-force

If a session has the same source and same destination but triggers our child signature, 34556, 100 times in 60 seconds, we call it a possible brute force attempt.

The child signature, 34556, is looking for an HTTP 401 response.

 
40032 | HTTP | HOIC Tool Brute Force

If a session has the same source and same destination but triggers our child signature, 34767, 100 times in 60 seconds, we call it a possible brute force attempt.

The child signature, 34767, is looking for an HTTP request generated by the HOIC tool.

 
40033 | DNS | ANY Queries Brute-force DOS

If a session has the same source and same destination but triggers our child signature, 34842, 250 times in 30 seconds, we call it a possible brute force attempt.

The child signature, 34842, is looking for a DNS request.

 
40034 | SMB | Microsoft Windows SMB NTLM Authentication Lack of Entropy Vulnerability

If a session has the same source and same destination but triggers our child signature, 35364, 20 times in 10 seconds, we call it a possible brute force attempt.

The child signature, 35364, is looking for an SMB Negotiate (0x72) request. Multiple requests in a short time could be an attack on CVE-2010-0231.

 
40036 | MySQL | MySQL COM_CHANGE_USER Brute-force

This event indicates a possible brute force attempt to authenticate as another user via the COM_CHANGE_USER command to the MySQL server.
If a session has the same source and same destination but triggers our child signature, 36157, 7 times in 60 seconds, we call it a brute force attempt.

 
40037 | SCADA | SCADA Password Crack Brute Force

If a session has the same source and same destination but triggers our child signature, 31670, 10 times in 60 seconds, we call it a possible brute force attempt.

The child signature, 31670, is looking for ICCP COTP connection requests from unauthorized clients.

 
40038 | NTP | NTP Amplification Denial-Of-Service

If a session has the same source and same destination but triggers our child signature, 36343, 255 times in 10 seconds, we call it a possible brute force attempt.

The child signature, 36343, is looking for MON_GETLIST or MON_GETLIST_1 (0x2a or 0x14). This is related to CVE-2013-5211.
 
40039 | TLS | OpenSSL TLS Heartbeat Brute Force - Heartbleed

If a session has the same source and same destination but triggers our child signature, 36417, 120 times in 30 seconds, we call it a possible brute force attempt.

The child signature, 36417, is looking for the heartbeat request in OpenSSL TLS.

 
40042 | HTTP | Slowhttptest Denial-of-Service

This event indicates an application layer denial of service (DoS) attack using the Slowhttptest DoS attack simulator. This signature triggers when the child signature, Slowhttptest Application Layer DoS Attack Simulator Detection (ID 37560), triggers 7 times within 30 seconds.

The child signature, 37560, is an indicator of Slowhttptest attack simulator traffic in an HTTP request.

 
40043 | HTTP | WebDav Option Request Abnormal

This signature indicates that many WebDAV OPTIONS requests have been received in a short time, which indicates abnormal activity: 30 times within 60 seconds.

The child signature, 37097, is looking for a WebDAV OPTIONS request.

 
40044 | HTTP | WordPress Login Brute Force

This event indicates a possible brute force attempt to gain access to WordPress wp-login.php. The brute force signature looks for (by default) 10 or more triggers of child signature TID 37480 in 60 seconds. The child signature is looking for access attempts to wp-login.php.

 
40045 | HTTP | WordPress Login Brute Force

OpenSSL is prone to a denial-of-service vulnerability while parsing specific crafted requests. The child signature is 37784 in this case, and the parent signature watches for 10 hits in 60 seconds.

 
40047 | SCTP | SCTP INIT Flood

This signature detects flooding of SCTP INIT messages towards a target node. This signature triggers when the child signature 38522 triggers 255 times within 2 seconds. The child signature is looking for an INIT (initiation) chunk in the SCTP packet.

 
40048 | SCTP | S1AP Paging Flood

This signature detects S1AP message flooding. This signature triggers when the child signature 38536 triggers 255 times within 2 seconds. The child signature is looking for the S1AP procedure code for paging in the SCTP S1AP request.

 
40049 | SCTP | S1AP UE Attach Request Flood

This signature detects S1AP UE attach message flooding. This signature triggers when the child signature 38718 triggers 255 times within 2 seconds. The child signature is looking for an attach request in the SCTP S1AP request.

 
40050 | SCTP | Diameter 3GPP AIR Flood

This signature detects flooding of Diameter 3GPP authentication information request (AIR) messages towards a target node at a certain rate. This signature triggers when the child signature 38760 triggers 255 times within 2 seconds. The child signature is looking for a Diameter 3GPP authentication information request (AIR) message in the SCTP request.

 
40051 | SCTP | Diameter 3GPP ULR Flood

This signature detects flooding of Diameter 3GPP update location request (ULR) messages towards a target node at a certain rate. This signature triggers when the child signature 38764 triggers 255 times within 2 seconds. The child signature is looking for a Diameter 3GPP update location request (ULR) message in the SCTP request.

 
40054 | GTP | GTPv1-C Create PDP Context Request Flood

This signature detects GTPv1-C Create PDP Context Request message flooding.

This signature triggers when the child signature 39084, GTPv1-C Create PDP Context Request Message, triggers 255 times within 2 seconds.

 
40055 | GTP | GTPv1-C Update PDP Context Request Flood

This signature detects GTPv1-C Update PDP Context Request message flooding.

This signature triggers when the child signature 39085, GTPv1-C Update PDP Context Request Message, triggers 255 times within 2 seconds.

 
40056 | GTP | GTPv1-C Delete PDP Context Request Flood

This signature detects GTPv1-C Delete PDP Context Request message flooding.

This signature triggers when the child signature 39086, GTPv1-C Delete PDP Context Request Message, triggers 255 times within 2 seconds.

 
40059 | SSL | OpenSSL DTLS Handshake Parsing Denial-of-Service Vulnerability

This alert indicates an HTTP 302 temporary redirection. Multiple redirections for authentication responses indicate a possible brute-force attempt on the target server.

If a session has the same source and same destination but triggers our child signature, 39290, 100 times in 30 seconds, we call it a brute force attack.

 
40063 | GTP | GTPv2-C Create Session Request Flood

This event indicates flooding of 'GTPv2-C Create Session Request messages' towards a target node at a certain rate.

This signature triggers when the child signature 'GTPv2-C Create Session Request Message (UTID: 39575)' triggers 255 times within 2 seconds by default.

The default parameters of the signature should be modified depending upon the network nodes and network architecture.

40071 | SSH | OpenSSH Denial of Service Vulnerability

OpenSSH is prone to a denial of service vulnerability while parsing certain crafted SSH requests. The vulnerability is due to the lack of proper checks on the key-exchange process in the SSH requests, leading to an exploitable denial of service. An attacker could exploit the vulnerability by sending a crafted SSH request. A successful attack could lead to excessive memory consumption, causing a denial-of-service condition.

The child signature "OpenSSH Key Exchange Message Code 20 Detection" (33095) indicates that a key-exchange message code 20 was detected. Multiple detections mean an attacker is trying to brute-force the server into a denial-of-service condition.

 
40073 | PowerDNS Authoritative Server | PowerDNS Authoritative Server Long qname Denial-of-Service Vulnerability

If a session has the same source and same destination and triggers our child signature, 36213, 30 times in 10 seconds, we call it a possible brute force attempt.

The child signature, 36213, detects an abnormally long qname in DNS requests.
 
40078 | SMB | Windows SMB SMBLoris Denial-of-Service Vulnerability

If a session has the same source and same destination and triggers our child signature, 37713, 100 times in 10 seconds, we call it a possible brute force attempt.

The child signature, 37713, checks for a crafted SMB request.

 
40087 | DNS | DNS Tunnel Data Exfiltration Traffic Brute Force

If a session has the same source and same destination but triggers our child signature, 34061, 5 times in 2 seconds, we call it a possible brute force attempt.

The child signature, 34061, is looking for an abnormal domain in the DNS request question section.

 
40093 | HTTP | Torshammer HTTP DoS Attack Brute Force

If a session has the same source and same destination but triggers our child signature, 54546, 10 times in 1 second, we call it a possible brute force attempt.

The child signature, 54546, is looking for HTTP requests with a small payload in the packet.

 
40094 | HTTP | Slowloris HTTP Flooding Denial-of-Service Brute Force

If a session has the same source and same destination but triggers our child signature, 54547, 10 times in 5 seconds, we call it a possible brute force attempt.

The child signature, 54547, is looking for an HTTP GET request without headers.

 
40097 | Cisco Adaptive Security Appliance Software | Cisco Adaptive Security Appliance Software Denial-of-Service Brute Force

If a session has the same source and same destination but triggers our child signature, 37299, 50 times in 2 seconds, we call it a possible brute force attempt.

The child signature, 37299, is looking for the invalid sent-by address 0.0.0.0 in SIP requests.

 
40098 | WordPress | WordPress Load Script Denial-of-Service Brute Force

If a session has the same destination but triggers our child signature, 39421, 20 times in 2 seconds, we call it a possible brute force attempt.

The child signature, 39421, is looking for the WordPress Load Script action.

 
40101 | CirCarLife SCADA | CirCarLife SCADA Brute Force

If a session has the same source and same destination but triggers our child signature, 55541, 30 times in 1 second, we call it a possible brute force attempt.

The child signature, 55541, is looking for a CirCarLife SCADA login attempt.

 
40104 | SSH | SSH Failed Authentication Brute-force

If a session has the same source and same destination but triggers our child signature, 55873, 20 times in 60 seconds, we call it a possible brute force attempt.

The child signature, 55873, is looking for an SSH2 failed login attempt.
 
40106 | Yourls | Yourls Improper Authentication Brute Force

If a session has the same source and same destination but triggers our child signature, 56375, 25 times in 10 seconds, we call it a possible brute force attempt.

The child signature, 56375, is looking for a Yourls improper authentication attempt.

 
40109 | Compal CH7465LG | Compal CH7465LG Improper Input Validation Brute-Force

If a session has the same source and same destination but triggers our child signature, 56705, 10 times in 30 seconds, we call it a possible brute force attempt.

The child signature, 56705, is looking for improper input in an HTTP POST request.

 
40111 | Craft CMS | Craft CMS Improper Authentication Brute-Force

If a session has the same source and same destination but triggers our child signature, 56933, 10 times in 30 seconds, we call it a possible brute force attempt.

The child signature, 56933, is looking for a Craft CMS admin password reset attempt in HTTP requests.

 
40112 | Prima Systems FlexAir | Prima Systems FlexAir Backup Database Download Brute-Force

If a session has the same source and same destination but triggers our child signature, 57028, 10 times in 10 seconds, we call it a possible brute force attempt.

The child signature, 57028, is looking for a Prima Systems FlexAir backup database download attempt in HTTP requests.

 

40117 | HTTP | Cisco Data Center Network Manager Rest API Brute Force

If a session has the same source and same destination but triggers our child signature, 57608, 10 times in 30 seconds, we call it a possible brute force attempt.

The child signature, 57608, looks for improper input in certain crafted HTTP requests.
 
 
40119 | Squid | Squid Integer Overflow

If a session has the same source and destination and triggers our child signature, 58065, 20 times in 10 seconds, we call it a possible brute force attempt.

The child signature, 58065, is looking for Proxy-Authorization: Digest messages containing a nonce, which may be crafted to exploit CVE-2019-18679.

 
40118 | WordPress | WordPress WP Database Backup Information Disclosure Brute Force

If a session has the same source and destination and triggers our child signature, 57685, 20 times in 10 seconds, we call it a possible brute force attempt. This is part of the Brute Force signatures as it is based on the number of hits in a given time.

The child signature, 57685, detects a WordPress WP Database Backup download attempt.

 
40120 | OKLOK | OKLOK Improper Authentication Brute Force Attack

OKLOK is prone to an improper authentication vulnerability. An attacker could exploit the vulnerability by sending brute force crafted HTTP requests. A successful attack could lead to information disclosure with the privileges of the server. This signature triggers when the child signature, OKLOK Improper Authentication Attempt (ID 58131), triggers 20 times within 10 seconds.

40136 | Ubiquiti EdgeMAX | Ubiquiti EdgeMAX Denial-of-Service

If a session has the same source and destination and triggers our child signature, 90884, 60 times in 10 seconds, we call it a possible DoS attack. This is part of the Brute Force signatures as it is based on the number of hits in a given time.

The child signature, 90884, detects an HTTP request with a cookie containing beaker.session.id.

 
40163 | LightSpeed Cache Plugin | LightSpeed Brute Force Privilege Escalation

If a session has the same source and destination and triggers our child signature, 95578, 100 times in 30 seconds, we call it a possible privilege escalation. This is part of the Brute Force signatures as it is based on the number of hits in a given time.

The child signature, 95578, detects a LightSpeed Unauthenticated Request Attempt.

40169 | GlobalProtect | Palo Alto Networks GlobalProtect Authentication Brute-force

If a session has the same source and destination but triggers our child signature, 96010, 60 times in 5 seconds, we call it a possible brute force attempt.

The child signature, 96010, detects failed authentication attempts to the GlobalProtect Portal and Gateway.
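The parent/child mechanism the table describes, as an added example (not Palo Alto Networks code): a sliding-window correlator that raises a parent signature once a child signature has hit the documented number of times from the same source to the same destination, plus a matcher for the FTP child condition (a "530" reply after PASS). The rule table copies four thresholds from this page; the FTP exchange and event list are constructed, and the expiry and reset behaviour of the window are assumptions, not PAN-OS internals.

```python
from collections import defaultdict, deque

# child_id -> (parent_id, hits, window_seconds); thresholds copied from the table above
PARENT_RULES = {
    40000: (40001, 10, 60),  # FTP "530" reply after PASS -> 40001 Login Brute Force
    31706: (40005, 20, 60),  # LDAP bindResponse resultCode 49 -> 40005
    55873: (40104, 20, 60),  # SSH2 failed login attempt -> 40104
    34061: (40087, 5, 2),    # DNS abnormal domain in question section -> 40087
}

def ftp_child_hits(session):
    """Child 40000: timestamps of every '530' reply that directly follows a client
    PASS command. `session` is a constructed list of (ts, 'C'|'S', line) tuples."""
    hits, awaiting_reply = [], False
    for ts, direction, line in session:
        if direction == "C" and line.upper().startswith("PASS "):
            awaiting_reply = True
        elif direction == "S" and awaiting_reply:
            if line.startswith("530"):
                hits.append(ts)
            awaiting_reply = False
    return hits

class BruteForceCorrelator:
    """Sliding-window counter keyed on (source, destination, child signature)."""

    def __init__(self, rules=PARENT_RULES):
        self.rules = rules
        self.recent = defaultdict(deque)  # key -> timestamps still inside the window

    def observe(self, ts, src, dst, child_id):
        """Record one child hit; return the parent ID when the threshold is reached."""
        rule = self.rules.get(child_id)
        if rule is None:
            return None
        parent_id, threshold, window = rule
        q = self.recent[(src, dst, child_id)]
        q.append(ts)
        while q and ts - q[0] >= window:  # assumption: hits older than the window expire
            q.popleft()
        if len(q) >= threshold:
            q.clear()  # assumption: one parent alert per burst, then count afresh
            return parent_id
        return None

def correlate(events, rules=PARENT_RULES):
    """Feed (ts, src, dst, child_id) hits through the correlator; return parent alerts."""
    corr, alerts = BruteForceCorrelator(rules), []
    for ts, src, dst, child_id in events:
        parent = corr.observe(ts, src, dst, child_id)
        if parent is not None:
            alerts.append((ts, src, dst, parent))
    return alerts

# Constructed FTP exchange: two wrong passwords, then a correct one
SAMPLE_FTP = [
    (0.0, "C", "USER alice"), (0.1, "S", "331 Password required"),
    (0.2, "C", "PASS guess1"), (0.3, "S", "530 Login incorrect."),
    (0.4, "C", "PASS guess2"), (0.5, "S", "530 Login incorrect."),
    (0.6, "C", "PASS right"), (0.7, "S", "230 Login successful."),
]

def demo_events():
    """Constructed child hits: 10.0.0.5 fails FTP 10 times in 9 s (fires 40001),
    10.0.0.6 fails 9 times over 80 s (never fires), 10.0.0.7 sends 5 abnormal
    DNS queries in 0.8 s (fires 40087)."""
    ev = [(float(i), "10.0.0.5", "10.0.0.20", 40000) for i in range(10)]
    ev += [(float(i * 10), "10.0.0.6", "10.0.0.20", 40000) for i in range(9)]
    ev += [(100 + i * 0.2, "10.0.0.7", "10.0.0.53", 34061) for i in range(5)]
    return sorted(ev)
```

Calling `correlate(demo_events())` returns one 40001 alert at t=9.0 for 10.0.0.5 and one 40087 alert for 10.0.0.7; the slow source 10.0.0.6 never reaches 10 hits inside any 60 second window.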

 

If the Threat ID you are looking for is not in this list, you can always view its values inside the Vulnerability Protection profile in the Firewall GUI under Objects > Security Profiles > Vulnerability Protection. There, click on a profile name. In this example, we will click on default.

(Vulnerability Protection screen)


Once inside, click on the Exceptions tab, then select "Show all signatures" in the lower left corner of the window. Then search for the Threat ID that you would like to see details about.
Once you see the Threat ID you were looking for, click on the small pencil (edit) icon to the left of the Threat Name.

Note: If the threat does not show up, please ensure that you have updated your Dynamic Updates under Device > Dynamic Updates.

(Vulnerability profile - Exceptions screen)


Once this screen is up, you will see the attributes and the time period with which this vulnerability signature is triggered.

(Threat Detail screen showing the trigger details.)

 

SEE ALSO

For more information on any of these threats/vulnerabilities, please visit our Threat Vault:

https://threatvault.paloaltonetworks.com/


THREAT LOG GENERATION CRITERIA FOR BRUTE FORCE PARENT/CHILD SIGNATURES
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boRMCAY 
 

owner: akawimandan

 

 



Additional Information


Checking brute force signatures from the Firewall GUI:

Go to the Objects Tab > Vulnerability Protection > then select a VP Profile

Then from the Vulnerability Protection Profile pane, select the Exceptions Tab > check the 'Show all signatures' check box > then enter 'brute-force' in the search bar to view all the brute force signatures.

You can view the threshold of any signature by selecting the pencil icon next to the signature's name.


