Brute Force Signature and Related Trigger Conditions


393672
Created On 09/26/18 13:44 PM - Last Modified 03/14/24 11:07 AM


Resolution


This document lists the trigger condition for each brute force signature.

 

Details

Trigger # | Application Name | Name (the description follows each entry)
40001 | FTP | Login Brute Force Attempt

If a session has the same source and destination but triggers our child signature, 40000, 10 times in 60 seconds, we call it a brute force attack.

The child signature, 40000, is looking for a "530" FTP response message after the user sent the "PASS" command.

 
40003 | DNS | Spoofing Cache Record Attempt

If a session has the same source and destination but triggers our child signature, 40002, 100 times in 60 seconds, we call it a brute force attack.

The child signature, 40002, is looking for a DNS response header in which all four counts (Question/Answer/Authority/Additional) are 1.

 
40004 | SMB | User Password Brute-force Attempt

If a session has the same source and destination but triggers our child signature, 31696, 30 times in 60 seconds, we call it a brute force attack.

The child signature, 31696, is looking for an SMB SetupX with response error code 0x50001, and error code 0xc000006d for any SMB command.

 
40005 | LDAP | User Login Brute-force Attempt

If a session has the same source and destination but triggers our child signature, 31706, 20 times in 60 seconds, we call it a brute force attack.

The child signature, 31706, is looking for an LDAP bindResponse (27) with resultCode 49 (invalidCredentials).

 
40006 | HTTP | User Authentication Brute-force Attempt

If a session has the same source and destination but triggers our child signature, 31708, 100 times in 60 seconds, we call it a brute force attack.

The child signature, 31708, is looking for an HTTP 401 response code with "WWW-Authenticate:" in the response header.

 
40007 | MAIL | User Login Brute-force Attempt

If a session has the same source and destination but triggers our child signature, 31709, 10 times in 60 seconds, we call it a brute force attack.

The child signature, 31709, works on three apps: SMTP, POP3 and IMAP.

The trigger condition is response code 535 in SMTP, a "No/bad logon/login failure" pattern in IMAP, and "-ERR" in response to the PASS command in POP3.

 
40008 | MySQL | Authentication Brute-force Attempt

If a session has the same source and destination but triggers our child signature, 31719, 25 times in 60 seconds, we call it a brute force attack.

The child signature, 31719, is looking for error code 1045 (access denied) in the MySQL client authentication stage.

 
40009 | TELNET | Authentication Brute-force Attempt

If a session has the same source and destination but triggers our child signature, 31732, 10 times in 60 seconds, we call it a brute force attack.

The child signature, 31732, is looking for a "login incorrect" pattern in the response packet.

 
40010 | Microsoft SQL Server | User Authentication Brute-force Attempt

If a session has the same source and same destination but triggers our child signature, 31753, 20 times in 60 seconds, we call it a brute force attack.

The child signature, 31753, is looking for "Login failed for user" in the response packet.

 
40011 | Postgres Database | User Authentication Brute-force Attempt

If a session has the same source and same destination but triggers our child signature, 31754, 10 times in 60 seconds, we call it a brute force attack.

The child signature, 31754, is looking for "password authentication failed for user " in the response packet.

 
40012 | Oracle Database | User Authentication Brute-force Attempt

If a session has the same source and same destination but triggers our child signature, 31761, 7 times in 60 seconds, we call it a brute force attack.

The child signature, 31761, is looking for "password authentication failed for user " in the response packet.

 
40013 | Sybase Database | User Authentication Brute-force Attempt

If a session has the same source and same destination but triggers our child signature, 31763, 10 times in 60 seconds, we call it a brute force attack.

The child signature, 31763, is looking for "Login failed" in the response packet.

 
40014 | DB2 Database | User Authentication Brute-force Attempt

If a session has the same source and same destination but triggers our child signature, 31764, 20 times in 60 seconds, we call it a brute force attack.

The child signature, 31764, is looking for code point 0x1219 with severity code 8 and security check code 0xf.

 
40015 | SSH | User Authentication Brute-force Attempt

If a session has the same source and destination but triggers our child signature, 31914, 20 times in 60 seconds, we call it a brute force attack.

The child signature, 31914, alerts on every connection to the SSH server.

 
40016 | SIP | INVITE Method Request Flood Attempt

If a session has the same source and destination but triggers our child signature, 31993, 20 times in 60 seconds, we call it a brute force attack.

The child signature, 31993, is looking for the "INVITE" method in a SIP session.

 
40017 | GlobalProtect | Palo Alto Networks GlobalProtect Authentication Brute-force Attempt

If a session has the same source and destination but triggers our child signature, 32256, 10 times in 60 seconds, we call it a brute force attack.

The child signature, 32256, is looking for either "POST /ssl-vpn/login.esp" or "POST /global-protect/login.esp" in the HTTP URI. This indicates a login attempt.

 
40018 | HTTP | Apache HTTP Server Denial of Service Attempt

If a session has the same source and destination but triggers our child signature, 32452, 40 times in 60 seconds, we call it a brute force attack.

The child signature, 32452, is looking for an HTTP request that carries a Content-Length header but no "\r\n\r\n" terminating the request.

 
40019 | HTTP | IIS Denial of Service Attempt

If a session has the same source and destination but triggers our child signature, 32513, 12 times in 30 seconds, we call it a brute force attack.

The child signature, 32513, is looking for "%3f" in an HTTP URI path that contains ".aspx".

 
40020 | Digium Asterisk IAX2 | Call Number Exhaustion Attempt

If a session has the same source and destination but triggers our child signature, 32785, 10 times in 30 seconds, we call it a brute force attack.

The child signature, 32785, is looking for the call number field in the Asterisk message.

 
40021 | MS-RDP | MS Remote Desktop Connect Attempt

If a session has the same source and same destination but triggers our child signature, 33020, 8 times in 100 seconds, we call it a brute force attack.

The child signature, 33020, is looking for the CONNECT action in an MS-RDP request.

 
40022 | HTTP | Microsoft ASP.Net Information Leak Brute-force Attempt

If a session has the same source and same destination but triggers our child signature, 33435, 40 times in 30 seconds, we call it a brute force attack.

The child signature, 33435, is looking for response code 500 with a response header containing "\nX-Powered-By: ASP\.NET".

 
40023 | SIP | SIP Register Message Brute Force Attack

If a session has the same source and same destination but triggers our child signature, 33592, 60 times in 60 seconds, we call it a brute force attack.

The child signature, 33592, is looking for the "REGISTER" SIP method.

 
40025 | AFP | Novell Netware AFP Remote Denial of Service Vulnerability

Novell Netware is prone to a denial of service vulnerability while parsing certain crafted AFP requests.

This signature detects this DoS attack. It triggers when the child signature, 54823, triggers 50 times within 3 seconds.
 
40028 | SIP | SIP Bye Message Brute-force Attack

If a session has the same source and same destination but triggers our child signature, 34520, 20 times in 60 seconds, we call it a brute force attack.

The child signature, 34520, is looking for the SIP BYE method.

 
40030 | HTTP | HTTP NTLM Authentication Brute-force Attack

If a session has the same source and same destination but triggers our child signature, 34548, 20 times in 60 seconds, we call it a brute force attack.

The child signature, 34548, is looking for an HTTP 407 response together with an NTLM proxy authorization condition.

 
40031 | HTTP | HTTP Unauthorized Brute-force Attack

If a session has the same source and same destination but triggers our child signature, 34556, 100 times in 60 seconds, we call it a brute force attack.

The child signature, 34556, is looking for an HTTP 401 response.

 
40032 | HTTP | HOIC Tool Brute Force Attack

If a session has the same source and same destination but triggers our child signature, 34767, 100 times in 60 seconds, we call it a brute force attack.

The child signature, 34767, is looking for an HTTP request from the HOIC tool.

 
40033 | DNS | ANY Queries Brute-force DOS Attack

If a session has the same source and same destination but triggers our child signature, 34842, 250 times in 30 seconds, we call it a brute force attack.

The child signature, 34842, is looking for a DNS request.

 
40034 | SMB | Microsoft Windows SMB NTLM Authentication Lack of Entropy Vulnerability

If a session has the same source and same destination but triggers our child signature, 35364, 20 times in 10 seconds, we call it a brute force attack.

The child signature, 35364, is looking for an SMB Negotiate (0x72) request. Multiple requests in a short time could be an attack on CVE-2010-0231.

 
40036 | MYSQL | MySQL COM_CHANGE_USER Brute-force Attempt

This event indicates that someone is performing a brute force attack and trying to authenticate as another user via the COM_CHANGE_USER command to the MySQL server.

If a session has the same source and same destination but triggers our child signature, 36157, 7 times in 60 seconds, we call it a brute force attempt.

 
40037 | SCADA | SCADA Password Crack Brute Force Attack

If a session has the same source and same destination but triggers our child signature, 31670, 10 times in 60 seconds, we call it a brute force attack.

The child signature, 31670, is looking for ICCP COTP connection requests from unauthorized clients.

 
40038 | NTP | NTP Amplification Denial-Of-Service Attack

If a session has the same source and same destination but triggers our child signature, 36343, 255 times in 10 seconds, we call it a brute force attack.

The child signature, 36343, is looking for MON_GETLIST or MON_GETLIST_1 (0x2a or 0x14). This is related to CVE-2013-5211.
 
40039 | TLS | OpenSSL TLS Heartbeat Brute Force - Heartbleed

If a session has the same source and same destination but triggers our child signature, 36417, 120 times in 30 seconds, we call it a brute force attack.

The child signature, 36417, is looking for the heartbeat request in OpenSSL TLS.

 
40042 | HTTP | Slowhttptest Denial-of-Service Attempt

This event indicates an application layer denial of service (DoS) attack using the Slowhttptest DoS Attack Simulator. This signature triggers when the child signature, Slowhttptest Application Layer DoS Attack Simulator Detection (ID 37560), triggers 7 times within 30 seconds.

The child signature, 37560, is an indicator of slowhttptest attack simulator traffic in an HTTP request.

 
40043 | HTTP | WebDav Option Request Abnormal

This signature indicates that many WebDAV OPTIONS requests have been received in a short time, which indicates abnormal activity: 30 times within 60 seconds.

The child signature, 37097, is looking for a WebDAV OPTIONS request.

 
40044 | HTTP | WordPress Login Brute Force Attempt

This event indicates that someone is using a brute force attack to gain access to WordPress wp-login.php. The brute force signature looks for (by default) 10 or more triggers of child signature TID 37480 in 60 seconds. The child signature is looking for access attempts to wp-login.php.

 
40045 | HTTP | WordPress Login Brute Force Attempt

OpenSSL is prone to a denial-of-service vulnerability while parsing specific crafted requests. The child signature is 37784 in this case, and the parent signature watches for 10 hits in 60 seconds.

 
40047 | SCTP | SCTP INIT Flood Attack

This detects flooding of SCTP INIT messages towards the target node. This signature triggers when the child signature 38522 triggers 255 times within 2 seconds. The child signature is looking for an INIT (initiation) chunk in the SCTP packet.

 
40048 | SCTP | S1AP Paging Flood

This signature detects S1AP message flooding. This signature triggers when the child signature 38536 triggers 255 times within 2 seconds. The child signature is looking for the S1AP procedure code for paging in the SCTP S1AP request.

 
40049 | SCTP | S1AP UE Attach Request Flood

This signature detects S1AP UE attach message flooding. This signature triggers when the child signature 38718 triggers 255 times within 2 seconds. The child signature is looking for an attach request in the SCTP S1AP request.

 
40059 | SSL | OpenSSL DTLS Handshake Parsing Denial-of-Service Vulnerability

This alert indicates an HTTP 302 temporary redirection. Multiple redirections for authentication responses indicate a possible brute-force attack on the target server.

If a session has the same source and same destination but triggers our child signature, 39290, 100 times in 30 seconds, we call it a brute force attack.

 
40071 | SSH | OpenSSH Denial of Service Vulnerability

OpenSSH is prone to a denial of service vulnerability while parsing certain crafted SSH requests. The vulnerability is due to the lack of proper checks on the key-exchange process in the SSH requests, leading to an exploitable denial of service. An attacker could exploit the vulnerability by sending a crafted SSH request. A successful attack could lead to excessive memory consumption, causing a denial-of-service condition.

The child signature "OpenSSH Key Exchange Message Code 20 Detection" (33095) indicates that a key-exchange message code 20 was detected. Multiple detections mean an attacker is trying to brute-force the server into a denial-of-service condition.

 
40078 | SMB | Windows SMB SMBLoris Denial-of-Service Vulnerability

If a session has the same source and same destination and triggers our child signature, 37713, 100 times in 10 seconds, we call it a brute force attack.

The child signature, 37713, is checking for crafted SMB requests.

 
40087 | DNS | DNS Tunnel Data Exfiltration Traffic Brute Force

If a session has the same source and same destination but triggers our child signature, 34061, 5 times in 2 seconds, we call it a brute force attack.

The child signature, 34061, is looking for an abnormal domain in the DNS request question section.

 
40093 | HTTP | Torshammer HTTP DoS Attack Brute Force Detection

If a session has the same source and same destination but triggers our child signature, 54546, 10 times in 1 second, we call it a brute force attack.

The child signature, 54546, is looking for HTTP requests with only a one-byte payload in the packet.

 
40094 | HTTP | Slowloris HTTP Flooding Denial-of-Service Brute Force Attempt Detection

If a session has the same source and same destination but triggers our child signature, 54547, 10 times in 5 seconds, we call it a brute force attack.

The child signature, 54547, is looking for an HTTP GET request without headers.

 
40097 | Cisco Adaptive Security Appliance Software | Cisco Adaptive Security Appliance Software Denial-of-Service Brute Force Vulnerability

If a session has the same source and same destination but triggers our child signature, 37299, 50 times in 2 seconds, we call it a brute force attack.

The child signature, 37299, is looking for an invalid sent-by address of 0.0.0.0 in SIP requests.

 
40098 | WordPress | WordPress Load Script Denial-of-Service Brute Force Vulnerability

If a session has the same destination but triggers our child signature, 39421, 20 times in 2 seconds, we call it a brute force attack.

The child signature, 39421, is looking for the WordPress load-scripts action.

 
40101 | CirCarLife SCADA | CirCarLife SCADA Brute Force Attempt Detection

If a session has the same source and same destination but triggers our child signature, 55541, 30 times in 1 second, we call it a brute force attack.

The child signature, 55541, is looking for a CirCarLife SCADA login attempt.

 
40104 | SSH | SSH Failed Brute-force Authentication Attempt

If a session has the same source and same destination but triggers our child signature, 55873, 20 times in 60 seconds, we call it a brute force attack.

The child signature, 55873, is looking for an SSH2 failed login attempt.
 
40106 | Yourls | Yourls Improper Authentication Brute Force Vulnerability

If a session has the same source and same destination but triggers our child signature, 56375, 25 times in 10 seconds, we call it a brute force attack.

The child signature, 56375, is looking for a Yourls improper authentication attempt.

 
40109 | Compal CH7465LG | Compal CH7465LG Improper Input Validation Brute-Force Attempt Detection

If a session has the same source and same destination but triggers our child signature, 56705, 10 times in 30 seconds, we call it a brute force attack.

The child signature, 56705, is looking for improper input in an HTTP POST request.

 
40111 | Craft CMS | Craft CMS Improper Authentication Brute-Force Attempt Detection

If a session has the same source and same destination but triggers our child signature, 56933, 10 times in 30 seconds, we call it a brute force attack.

The child signature, 56933, is looking for a Craft CMS admin password reset attempt in HTTP requests.

 
40112 | Prima Systems FlexAir | Prima Systems FlexAir Backup Database Download Brute-Force Attempt Detection

If a session has the same source and same destination but triggers our child signature, 57028, 10 times in 10 seconds, we call it a brute force attack.

The child signature, 57028, is looking for a Prima Systems FlexAir backup database download attempt in HTTP requests.

 
40119 | Squid | Squid Integer Overflow Vulnerability

If a session has the same source and destination and triggers our child signature, 58065, 20 times in 10 seconds, we call it a brute force attack.

The child signature, 58065, is looking for Proxy-Authorization: Digest messages containing a nonce, which may be crafted to exploit CVE-2019-18679.

 
40136 | Ubiquiti EdgeMAX | Denial-of-Service Vulnerability

If a session has the same source and destination and triggers our child signature, 90884, 60 times in 10 seconds, we call it a DoS attack. This is part of the Brute Force signatures because it is based on the number of hits in a given time window.

The child signature, 90884, detects an HTTP request with a cookie containing beaker.session.id.
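Every entry above follows the same pattern: a child signature matches one packet or response, and the parent fires when the same source/destination pair accumulates N child hits inside a T-second window. The following is an added example, not code from this article or from PAN-OS: it implements three of the child checks as the table states them (FTP "530" after PASS for 40000, a DNS response with all four header counts equal to 1 for 40002, HTTP 401 with WWW-Authenticate for 31708) and a sliding-window counter that fires the parent at the thresholds listed for 40001, 40003 and 40006. The thresholds are taken from the table; all function and class names and the sample traffic are constructed for illustration.

```python
"""Added example: parent/child brute-force counting as the table describes it.

Not code from the Palo Alto Networks article or from PAN-OS. Thresholds are the
ones in the table; function/class names and sample traffic are constructed.
"""
import struct
from collections import defaultdict, deque

# parent ID -> (child ID, hits, window in seconds), from the table above
PARENT_RULES = {
    40001: (40000, 10, 60),    # FTP Login Brute Force Attempt
    40003: (40002, 100, 60),   # DNS Spoofing Cache Record Attempt
    40006: (31708, 100, 60),   # HTTP User Authentication Brute-force Attempt
}


def ftp_child_40000(last_client_cmd: str, server_reply: str) -> bool:
    """Child 40000: a "530" reply after the client sent PASS."""
    return last_client_cmd.upper().startswith("PASS") and server_reply.startswith("530")


def dns_child_40002(header: bytes) -> bool:
    """Child 40002: a DNS response (QR bit set) whose QD/AN/NS/AR counts are all 1."""
    if len(header) < 12:
        return False
    _ident, flags, qd, an, ns, ar = struct.unpack("!6H", header[:12])
    return bool(flags & 0x8000) and (qd, an, ns, ar) == (1, 1, 1, 1)


def http_child_31708(response_head: str) -> bool:
    """Child 31708: status 401 with a WWW-Authenticate header in the response."""
    lines = response_head.split("\r\n")
    status = lines[0].split(" ")
    if len(status) < 2 or status[1] != "401":
        return False
    return any(line.lower().startswith("www-authenticate:") for line in lines[1:])


class BruteForceCounter:
    """Sliding-window counter keyed on (source, destination, child ID).

    The parent fires when the window holds at least N child hits; the window is
    then cleared so the parent fires once per threshold crossing, not on every hit.
    """

    def __init__(self, rules=PARENT_RULES):
        # child ID -> (parent ID, hits, window)
        self.by_child = {c: (p, n, t) for p, (c, n, t) in rules.items()}
        self.hits = defaultdict(deque)

    def child_hit(self, child_id, src, dst, ts):
        """Record one child hit at time ts; return the parent ID if it fires, else None."""
        parent, n, window = self.by_child[child_id]
        q = self.hits[(src, dst, child_id)]
        q.append(ts)
        while q and ts - q[0] > window:   # expire hits that fell out of the window
            q.popleft()
        if len(q) >= n:
            q.clear()
            return parent
        return None


def simulate_ftp_failures(count, spacing=1.0, src="10.0.0.5", dst="10.0.0.9"):
    """Constructed sample: `count` failed PASS attempts, `spacing` seconds apart.

    Returns [(attempt_index, parent_id)] for every parent firing.
    """
    counter = BruteForceCounter()
    fired = []
    for i in range(count):
        # constructed client/server exchange for each attempt
        if ftp_child_40000("PASS hunter2", "530 Login incorrect."):
            parent = counter.child_hit(40000, src, dst, ts=i * spacing)
            if parent is not None:
                fired.append((i, parent))
    return fired


if __name__ == "__main__":
    print(simulate_ftp_failures(20))              # [(9, 40001), (19, 40001)]
    print(simulate_ftp_failures(20, spacing=10))  # []: 10 hits never fit inside 60 s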

 

 

If the Threat ID you are looking for is not in this list, you can always view its values inside the Vulnerability Protection profile: in the WebGUI, go to Objects > Security Profiles > Vulnerability Protection and click on a profile name. In this example, we will click on default.

(Vulnerability Protection screen)


Once inside, click on the Exceptions tab, then select "Show all signatures" in the lower left corner of the window. Then search for the Threat ID you want details about.
Once you see the Threat ID you were looking for, click on the small pencil (edit) icon to the left of the Threat Name.

Note: If the threat does not show up, please ensure that you have installed the latest Dynamic Updates under Device > Dynamic Updates.


(Vulnerability profile - Exceptions screen)


Once this screen is up, you will see the attributes of the signature and the hit count and time period with which this vulnerability signature triggers.

(Threat Detail screen showing the trigger details.)

 

SEE ALSO

For more information on any of these threats/vulnerabilities, please visit our Threat Vault:

https://threatvault.paloaltonetworks.com/


THREAT LOG GENERATION CRITERIA FOR BRUTE FORCE PARENT/CHILD SIGNATURES
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boRMCAY 
 

owner: akawimandan

 

 


