Palo Alto Networks Knowledgebase: Brute Force Signature and Related Trigger Conditions

Brute Force Signature and Related Trigger Conditions

Created On 09/26/18 13:44 PM - Last Updated 09/26/18 14:00 PM
Categories:  Threat Intelligence,  Threat Prevention

Solution:


This document lists the trigger condition for each brute force signature.

 

Details

Trigger # | Application Name | Name
(The Description for each trigger follows its entry.)

40001 | FTP | Login Brute Force Attempt

If traffic between the same source and destination triggers child signature 40000 10 times in 60 seconds, we call it a brute force attack.

The child signature, 40000, looks for a "530" FTP response message after the user has sent the "PASS" command.

40003 | DNS | Spoofing Cache Record Attempt

If traffic between the same source and destination triggers child signature 40002 100 times in 60 seconds, we call it a brute force attack.

The child signature, 40002, looks at the DNS response header and matches when all four counts (Question/Answer/Authority/Additional) are 1.

40004 | SMB | User Password Brute-force Attempt

If traffic between the same source and destination triggers child signature 31696 30 times in 60 seconds, we call it a brute force attack.

The child signature, 31696, looks for SMB SetupX with response error code 0x50001, and for error code 0xc000006d on any SMB command.

40005 | LDAP | User Login Brute-force Attempt

If traffic between the same source and destination triggers child signature 31706 20 times in 60 seconds, we call it a brute force attack.

The child signature, 31706, looks for an LDAP bindResponse (27) whose resultCode is 49.

40006 | HTTP | User Authentication Brute-force Attempt

If traffic between the same source and destination triggers child signature 31708 100 times in 60 seconds, we call it a brute force attack.

The child signature, 31708, looks for an HTTP 401 response code with "WWW-Authenticate:" in the response header.

40007 | MAIL | User Login Brute-force Attempt

If traffic between the same source and destination triggers child signature 31709 10 times in 60 seconds, we call it a brute force attack.

The child signature, 31709, covers three applications: SMTP, POP3 and IMAP.

The trigger condition is response code 535 in SMTP, a "No/bad logon/login failure" pattern in IMAP, and "-ERR" in response to the POP3 PASS command.

40008 | MySQL | Authentication Brute-force Attempt

If traffic between the same source and destination triggers child signature 31719 25 times in 60 seconds, we call it a brute force attack.

The child signature, 31719, looks for error code 1045 in the MySQL client authentication stage.

40009 | TELNET | Authentication Brute-force Attempt

If traffic between the same source and destination triggers child signature 31732 10 times in 60 seconds, we call it a brute force attack.

The child signature, 31732, looks for a "login incorrect" pattern in the response packet.

40010 | Microsoft SQL Server | User Authentication Brute-force Attempt

If traffic between the same source and destination triggers child signature 31753 20 times in 60 seconds, we call it a brute force attack.

The child signature, 31753, looks for "Login failed for user" in the response packet.

40011 | Postgres Database | User Authentication Brute-force Attempt

If traffic between the same source and destination triggers child signature 31754 10 times in 60 seconds, we call it a brute force attack.

The child signature, 31754, looks for "password authentication failed for user " in the response packet.

40012 | Oracle Database | User Authentication Brute-force Attempt

If traffic between the same source and destination triggers child signature 31761 7 times in 60 seconds, we call it a brute force attack.

The child signature, 31761, looks for "password authentication failed for user " in the response packet.

40013 | Sybase Database | User Authentication Brute-force Attempt

If traffic between the same source and destination triggers child signature 31763 10 times in 60 seconds, we call it a brute force attack.

The child signature, 31763, looks for "Login failed" in the response packet.

40014 | DB2 Database | User Authentication Brute-force Attempt

If traffic between the same source and destination triggers child signature 31764 20 times in 60 seconds, we call it a brute force attack.

The child signature, 31764, looks for code point 0x1219 with severity code 8 and security check code 0xf.

40015 | SSH | User Authentication Brute-force Attempt

If traffic between the same source and destination triggers child signature 31914 20 times in 60 seconds, we call it a brute force attack.

The child signature, 31914, alerts on every connection to the SSH server.

40016 | SIP | INVITE Method Request Flood Attempt

If traffic between the same source and destination triggers child signature 31993 20 times in 60 seconds, we call it a brute force attack.

The child signature, 31993, looks for the "INVITE" method in a SIP session.

40017 | VPN | PAN BOX SSL VPN Authentication Brute-force Attempt

If traffic between the same source and destination triggers child signature 32256 10 times in 60 seconds, we call it a brute force attack.

The child signature, 32256, looks for "x-private-pan-sslvpn: auth-failed" in the HTTP response header.

40018 | HTTP | Apache Denial of Service Attempt

If traffic between the same source and destination triggers child signature 32452 40 times in 60 seconds, we call it a brute force attack.

The child signature, 32452, looks for an HTTP request that carries a Content-Length header but no "\r\n\r\n" terminator.

40019 | HTTP | IIS Denial of Service Attempt

If traffic between the same source and destination triggers child signature 32513 10 times in 20 seconds, we call it a brute force attack.

The child signature, 32513, looks for "%3f" in an HTTP URI path together with ".aspx".

40020 | Digium Asterisk IAX2 | Call Number Exhaustion Attempt

If traffic between the same source and destination triggers child signature 32785 10 times in 30 seconds, we call it a brute force attack.

The child signature, 32785, looks at the call number field in the Asterisk message.

40021 | MS-RDP | MS Remote Desktop Connect Attempt

If traffic between the same source and destination triggers child signature 33020 8 times in 100 seconds, we call it a brute force attack.

The child signature, 33020, looks for the CONNECT action in an MS-RDP request.

40022 | HTTP | Microsoft ASP.Net Information Leak Brute-force Attempt

If traffic between the same source and destination triggers child signature 33435 30 times in 60 seconds, we call it a brute force attack.

The child signature, 33435, looks for response code 500 and a response header containing "\nX-Powered-By: ASP\.NET".

40023 | SIP | SIP Register Request Attempt

If traffic between the same source and destination triggers child signature 33592 60 times in 60 seconds, we call it a brute force attack.

The child signature, 33592, looks for the "REGISTER" SIP method.

40028 | SIP | SIP Bye Message Brute-force Attack

If traffic between the same source and destination triggers child signature 34520 20 times in 60 seconds, we call it a brute force attack.

The child signature, 34520, looks for the SIP BYE method.

40030 | HTTP | HTTP NTLM Authentication Brute-force Attack

If traffic between the same source and destination triggers child signature 34548 20 times in 60 seconds, we call it a brute force attack.

The child signature, 34548, looks for an HTTP 407 response together with an NTLM proxy authorization condition.

40031 | HTTP | HTTP Unauthorized Brute-force Attack

If traffic between the same source and destination triggers child signature 34556 100 times in 60 seconds, we call it a brute force attack.

The child signature, 34556, looks for an HTTP 401 response.

40032 | HTTP | HOIC Tool Brute Force Attack

If traffic between the same source and destination triggers child signature 34767 100 times in 60 seconds, we call it a brute force attack.

The child signature, 34767, looks for HTTP requests from the HOIC tool.

40033 | DNS | ANY Queries Brute-force DOS Attack

If traffic between the same source and destination triggers child signature 34842 60 times in 60 seconds, we call it a brute force attack.

The child signature, 34842, looks for a DNS request.

40034 | SMB | Microsoft Windows SMB NTLM Authentication Lack of Entropy Vulnerability

If traffic between the same source and destination triggers child signature 35364 60 times in 60 seconds, we call it a brute force attack.

The child signature, 35364, looks for an SMB Negotiate (0x72) request. Multiple such requests in a short time could be an attack on CVE-2010-0231.

40036 | MySQL | MySQL COM_CHANGE_USER Brute-force Attempt

This event indicates that someone is performing a brute force attack, trying to authenticate as another user via the COM_CHANGE_USER command to the MySQL server.
If traffic between the same source and destination triggers child signature 36157 7 times in 60 seconds, we call it a brute force attempt.

40037 | SCADA | SCADA Password Crack Brute Force Attack

If traffic between the same source and destination triggers child signature 31670 10 times in 60 seconds, we call it a brute force attack.

The child signature, 31670, looks for ICCP COTP connection requests from unauthorized clients.

40040 | DNS | DGA NXDOMAIN response found

If traffic between the same source and destination triggers child signature 36518 38 times in 60 seconds, we deem it a brute force attack.
The child signature, 36518, looks for a DGA NXDOMAIN response from a DNS server.

40044 | HTTP | WordPress Login Brute Force Attempt

This event indicates that someone is using a brute force attack to gain access to WordPress wp-login.php. The brute force signature looks for (by default) 10 or more triggers of the child signature, TID 37480, in 60 seconds. The child signature looks for access attempts to wp-login.php.

40059 | HTTP | HTTP Request Brute Force Attack

This alert indicates an HTTP 302 temporary redirection. Multiple redirections in response to authentication attempts indicate a possible brute-force attack on the target server.

If traffic between the same source and destination triggers child signature 39290 100 times in 30 seconds, we call it a brute force attack.

40078 | SMB | Windows SMB SMBLoris Denial-of-Service Vulnerability

If traffic between the same source and destination triggers child signature 37713 100 times in 10 seconds, we call it a brute force attack. The child signature, 37713, checks for a crafted SMB request.
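The entries above all follow one rule: a parent Threat ID fires when its child signature is seen N times within T seconds for one source/destination pair. The following Python correlator is an added illustration of that count-in-window rule; it is not Palo Alto Networks code and does not claim to mirror how PAN-OS implements the counters internally. The thresholds are taken from the table, the events are constructed, and clearing the window after a trigger is an assumption.

```python
from collections import defaultdict, deque

# Parent brute-force signatures as the article describes them:
# parent TID -> (child TID, hits required, window in seconds). Subset only.
PARENTS = {
    40001: (40000, 10, 60),   # FTP: child 40000 = "530" after PASS
    40015: (31914, 20, 60),   # SSH: child 31914 fires on every connection
    40019: (32513, 10, 20),   # IIS DoS: note the shorter 20 s window
    40021: (33020, 8, 100),   # MS-RDP: 8 CONNECT requests in 100 s
}


class BruteForceCorrelator:
    """Sliding-window counter keyed on (src, dst, parent TID).

    Clearing the window after a trigger (one alert per threshold crossing)
    is an assumption; the article does not describe post-trigger behaviour.
    """

    def __init__(self, parents=PARENTS):
        self.parents = parents
        self.child_to_parents = defaultdict(list)
        for parent, (child, _, _) in parents.items():
            self.child_to_parents[child].append(parent)
        self.windows = defaultdict(deque)   # (src, dst, parent) -> timestamps

    def observe(self, ts, src, dst, child_tid):
        """Record one child-signature hit; return the parent TIDs it triggered."""
        fired = []
        for parent in self.child_to_parents.get(child_tid, ()):
            _, hits, window = self.parents[parent]
            q = self.windows[(src, dst, parent)]
            q.append(ts)
            while q and ts - q[0] >= window:   # expire hits older than the window
                q.popleft()
            if len(q) >= hits:
                fired.append(parent)
                q.clear()
        return fired


def replay(events):
    """events: (ts, src, dst, child_tid) tuples; returns (ts, src, dst, parent) alerts."""
    c = BruteForceCorrelator()
    return [(ts, src, dst, p) for ts, src, dst, tid in sorted(events)
            for p in c.observe(ts, src, dst, tid)]


def demo():
    """Constructed child hits, not real firewall logs."""
    fast_ftp = [(t, "10.0.0.5", "10.0.0.20", 40000) for t in range(0, 20, 2)]    # 10 hits in 18 s
    slow_ftp = [(t, "10.0.0.6", "10.0.0.20", 40000) for t in range(0, 100, 10)]  # 10 hits over 90 s
    rdp = [(t, "10.0.0.7", "10.0.0.30", 33020) for t in range(0, 80, 10)]        # 8 hits in 70 s
    return replay(fast_ftp + slow_ftp + rdp)
```

The slow FTP source never fires 40001 because its ten "530" responses are spread over 90 seconds, so at most six ever sit inside one 60-second window; the same ten hits compressed into 18 seconds do fire it.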

 

If the Threat ID you are looking for is not in this list, you can view its trigger values in the Vulnerability Protection profile in the WebGUI under Objects > Security Profiles > Vulnerability Protection. Click on a profile name; in this example, we will click on default.

Figure: Vulnerability Protection screen

Once inside, click on the Exceptions tab, then select "Show all signatures" in the lower left corner of the window. Then search for the Threat ID you would like to see details about.
Once you see the Threat ID you were looking for, click on the small pencil (edit) icon to the left of the Threat Name.

Note: If the threat does not show up, please ensure that you have updated your Dynamic Updates inside of Device > Dynamic Updates.

Figure: Vulnerability profile - Exceptions screen

Once this screen is up, you will see the attributes and the time period on which this vulnerability signature triggers.

Figure: Threat Detail screen showing the trigger details

 

SEE ALSO

For more information on any of these threats/vulnerabilities, please visit our Threat Vault:

https://threatvault.paloaltonetworks.com/

 

owner: akawimandan

 

 
