Brute Force Signature and Related Trigger Conditions
Resolution
This document lists the trigger condition for each brute force signature. Every brute force (parent) signature counts hits of a child signature: when the child triggers the listed number of times within the listed window for one source/destination pair (unless the entry says otherwise), the parent fires and is logged as the brute force threat.
Details
Trigger # | Application Name | Name | Description
---|---|---|---
40001 | FTP | Login Brute Force Attempt | Fires when child signature 40000 triggers 10 times in 60 seconds for the same source and destination. Child 40000 looks for a "530" FTP response after the client sent the PASS command.
40003 | DNS | Spoofing Cache Record Attempt | Fires when child signature 40002 triggers 100 times in 60 seconds for the same source and destination. Child 40002 looks at the DNS response header and matches when every count (Question, Answer, Authority, Additional) is 1.
40004 | SMB | User Password Brute-force Attempt | Fires when child signature 31696 triggers 30 times in 60 seconds for the same source and destination. Child 31696 looks for an SMB Session Setup AndX (SetupX) response with error code 0x50001, or error code 0xC000006D (STATUS_LOGON_FAILURE) on any SMB command.
40005 | LDAP | User Login Brute-force Attempt | Fires when child signature 31706 triggers 20 times in 60 seconds for the same source and destination. Child 31706 looks for an LDAP bindResponse (op 27) whose resultCode is 49 (invalidCredentials).
40006 | HTTP | User Authentication Brute-force Attempt | Fires when child signature 31708 triggers 100 times in 60 seconds for the same source and destination. Child 31708 looks for an HTTP 401 response with a "WWW-Authenticate:" response header.
40007 | SMTP / POP3 / IMAP | User Login Brute-force Attempt | Fires when child signature 31709 triggers 10 times in 60 seconds for the same source and destination. Child 31709 covers three applications: response code 535 in SMTP, the "No/bad logon/login failure" pattern in IMAP, and "-ERR" in response to the PASS command in POP3.
40008 | MySQL | Authentication Brute-force Attempt | Fires when child signature 31719 triggers 25 times in 60 seconds for the same source and destination. Child 31719 looks for error code 1045 (ER_ACCESS_DENIED_ERROR) during the MySQL client authentication stage.
40009 | Telnet | Authentication Brute-force Attempt | Fires when child signature 31732 triggers 10 times in 60 seconds for the same source and destination. Child 31732 looks for the "login incorrect" pattern in the response packet.
40010 | Microsoft SQL Server | User Authentication Brute-force Attempt | Fires when child signature 31753 triggers 20 times in 60 seconds for the same source and destination. Child 31753 looks for "Login failed for user" in the response packet.
40011 | PostgreSQL | User Authentication Brute-force Attempt | Fires when child signature 31754 triggers 10 times in 60 seconds for the same source and destination. Child 31754 looks for "password authentication failed for user " in the response packet.
40012 | Oracle Database | User Authentication Brute-force Attempt | Fires when child signature 31761 triggers 7 times in 60 seconds for the same source and destination. Child 31761 looks for "password authentication failed for user " in the response packet.
40013 | Sybase Database | User Authentication Brute-force Attempt | Fires when child signature 31763 triggers 10 times in 60 seconds for the same source and destination. Child 31763 looks for "Login failed" in the response packet.
40014 | DB2 Database | User Authentication Brute-force Attempt | Fires when child signature 31764 triggers 20 times in 60 seconds for the same source and destination. Child 31764 looks for DRDA code point 0x1219 (SECCHKRM) with severity code 8 and security check code 0xF.
40015 | SSH | User Authentication Brute-force Attempt | Fires when child signature 31914 triggers 20 times in 60 seconds for the same source and destination. Child 31914 alerts on every connection to an SSH server, so this parent counts connections rather than failed logins (compare 40104).
40016 | SIP | SIP INVITE Method Request Flood Attempt | Fires when child signature 31993 triggers 20 times in 60 seconds for the same source and destination. Child 31993 looks for the INVITE method in a SIP session.
40017 | GlobalProtect | Palo Alto Networks GlobalProtect Authentication Brute-force Attempt | Fires when child signature 32256 triggers 10 times in 60 seconds for the same source and destination. Child 32256 looks for either "POST /ssl-vpn/login.esp" or "POST /global-protect/login.esp" in the HTTP request, which indicates a login attempt.
40018 | HTTP | Apache HTTP Server Denial of Service Attempt | Fires when child signature 32452 triggers 40 times in 60 seconds for the same source and destination. Child 32452 looks for an HTTP request that carries a Content-Length header but no terminating "\r\n\r\n".
40019 | HTTP | IIS Denial of Service Attempt | Fires when child signature 32513 triggers 12 times in 30 seconds for the same source and destination. Child 32513 looks for "%3f" in an HTTP URI path that contains ".aspx".
40020 | Digium Asterisk IAX2 | Call Number Exhaustion Attempt | Fires when child signature 32785 triggers 10 times in 30 seconds for the same source and destination. Child 32785 looks at the call number field in Asterisk IAX2 messages.
40021 | MS-RDP | MS Remote Desktop Connect Attempt | Fires when child signature 33020 triggers 8 times in 100 seconds for the same source and destination. Child 33020 looks for the CONNECT action in an MS-RDP request.
40022 | HTTP | Microsoft ASP.Net Information Leak Brute-force Attempt | Fires when child signature 33435 triggers 40 times in 30 seconds for the same source and destination. Child 33435 looks for response code 500 with a response header matching "\nX-Powered-By: ASP\.NET".
40023 | SIP | SIP Register Message Brute Force Attack | Fires when child signature 33592 triggers 60 times in 60 seconds for the same source and destination. Child 33592 looks for the SIP REGISTER method.
40025 | AFP | Novell Netware AFP Remote Denial of Service Vulnerability | Novell Netware is prone to a denial of service vulnerability while parsing certain crafted AFP requests. This parent fires when child signature 54823 triggers 50 times within 3 seconds.
40028 | SIP | SIP Bye Message Brute-force Attack | Fires when child signature 34520 triggers 20 times in 60 seconds for the same source and destination. Child 34520 looks for the SIP BYE method.
40030 | HTTP | HTTP NTLM Authentication Brute-force Attack | Fires when child signature 34548 triggers 20 times in 60 seconds for the same source and destination. Child 34548 looks for an HTTP 407 response in an NTLM proxy authorization exchange.
40031 | HTTP | HTTP Unauthorized Brute-force Attack | Fires when child signature 34556 triggers 100 times in 60 seconds for the same source and destination. Child 34556 looks for any HTTP 401 response (without the WWW-Authenticate requirement of child 31708).
40032 | HTTP | HOIC Tool Brute Force Attack | Fires when child signature 34767 triggers 100 times in 60 seconds for the same source and destination. Child 34767 looks for HTTP requests generated by the HOIC tool.
40033 | DNS | ANY Queries Brute-force DOS Attack | Fires when child signature 34842 triggers 250 times in 30 seconds for the same source and destination. Child 34842 looks for DNS requests.
40034 | SMB | Microsoft Windows SMB NTLM Authentication Lack of Entropy Vulnerability | Fires when child signature 35364 triggers 20 times in 10 seconds for the same source and destination. Child 35364 looks for an SMB Negotiate (0x72) request; many such requests in a short time could be an attempt to exploit CVE-2010-0231.
40036 | MySQL | MySQL COM_CHANGE_USER Brute-force Attempt | This event indicates that someone is running a brute force attack by repeatedly trying to authenticate as another user via the COM_CHANGE_USER command to the MySQL server.
40037 | SCADA | SCADA Password Crack Brute Force Attack | Fires when child signature 31670 triggers 10 times in 60 seconds for the same source and destination. Child 31670 looks for ICCP COTP connection requests from unauthorized clients.
40038 | NTP | NTP Amplification Denial-Of-Service Attack | Fires when child signature 36343 triggers 255 times in 10 seconds for the same source and destination. Child 36343 looks for MON_GETLIST or MON_GETLIST_1 requests (request codes 0x14 or 0x2a). This is related to CVE-2013-5211.
40039 | TLS | OpenSSL TLS Heartbeat Brute Force - Heartbleed | Fires when child signature 36417 triggers 120 times in 30 seconds for the same source and destination. Child 36417 looks for the TLS heartbeat request handled by OpenSSL.
40042 | HTTP | Slowhttptest Denial-of-Service Attempt | This event indicates an application layer denial of service (DoS) attack using the Slowhttptest DoS attack simulator. It fires when the child signature, Slowhttptest Application Layer DoS Attack Simulator Detection (ID 37560), triggers 7 times within 30 seconds. Child 37560 looks for indicators of slowhttptest traffic in HTTP requests.
40043 | HTTP | WebDav Option Request Abnormal | Fires when child signature 37097 triggers 30 times within 60 seconds; many WebDAV OPTIONS requests in a short time indicate abnormal activity. Child 37097 looks for a WebDAV OPTIONS request.
40044 | HTTP | WordPress Login Brute Force Attempt | This event indicates that someone is using a brute force attack to gain access through WordPress wp-login.php. By default the parent fires on 10 or more triggers of child signature 37480 in 60 seconds. Child 37480 looks for access attempts to wp-login.php.
40045 | HTTP | WordPress Login Brute Force Attempt | OpenSSL is prone to a denial-of-service vulnerability while parsing specific crafted requests. The child signature is 37784; the parent fires on 10 hits in 60 seconds.
40047 | SCTP | SCTP INIT Flood Attack | Detects flooding of SCTP INIT messages towards a target node. Fires when child signature 38522 triggers 255 times within 2 seconds. Child 38522 looks for an INIT (initiation) chunk in the SCTP packet.
40048 | SCTP | S1AP Paging Flood | Detects S1AP paging message flooding. Fires when child signature 38536 triggers 255 times within 2 seconds. Child 38536 looks for the S1AP Paging procedure code in an S1AP request over SCTP.
40049 | SCTP | S1AP UE Attach Request Flood | Detects S1AP UE attach message flooding. Fires when child signature 38718 triggers 255 times within 2 seconds. Child 38718 looks for an Attach Request in an S1AP request over SCTP.
40059 | SSL | | This alert indicates an HTTP 302 temporary redirect. Multiple redirects in response to authentication attempts indicate a possible brute force attack on the target server. Fires when child signature 39290 triggers 100 times in 30 seconds for the same source and destination.
40071 | SSH | OpenSSH Denial of Service Vulnerability | OpenSSH is prone to a denial of service vulnerability while parsing certain crafted SSH requests. The vulnerability is due to a lack of proper checks during the key-exchange process. An attacker could exploit it by sending crafted SSH requests; a successful attack leads to excessive memory consumption and a denial-of-service condition.
40078 | SMB | Windows SMB SMBLoris Denial-of-Service Vulnerability | Fires when child signature 37713 triggers 100 times in 10 seconds for the same source and destination. Child 37713 checks for the crafted SMB request.
40087 | DNS | DNS Tunnel Data Exfiltration Traffic Brute Force | Fires when child signature 34061 triggers 5 times in 2 seconds for the same source and destination. Child 34061 looks for an abnormal domain in the DNS request question section.
40093 | HTTP | Torshammer HTTP DoS Attack Brute Force Detection | Fires when child signature 54546 triggers 10 times in 1 second for the same source and destination. Child 54546 looks for HTTP requests carrying only a one-byte payload in the packet.
40094 | HTTP | Slowloris HTTP Flooding Denial-of-Service Brute Force Attempt Detection | Fires when child signature 54547 triggers 10 times in 5 seconds for the same source and destination. Child 54547 looks for an HTTP GET request without headers.
40097 | Cisco Adaptive Security Appliance Software | Cisco Adaptive Security Appliance Software Denial-of-Service Brute Force Vulnerability | Fires when child signature 37299 triggers 50 times in 2 seconds for the same source and destination. Child 37299 looks for the invalid sent-by address 0.0.0.0 in SIP requests.
40098 | WordPress | WordPress Load Script Denial-of-Service Brute Force Vulnerability | Fires when child signature 39421 triggers 20 times in 2 seconds for the same destination (this parent does not require the same source). Child 39421 looks for the WordPress load-scripts action.
40101 | CirCarLife SCADA | CirCarLife SCADA Brute Force Attempt Detection | Fires when child signature 55541 triggers 30 times in 1 second for the same source and destination. Child 55541 looks for a CirCarLife SCADA login attempt.
40104 | SSH | SSH Failed Brute-force Authentication Attempt | Fires when child signature 55873 triggers 20 times in 60 seconds for the same source and destination. Child 55873 looks for an SSH2 failed login attempt.
40106 | Yourls | Yourls Improper Authentication Brute Force Vulnerability | Fires when child signature 56375 triggers 25 times in 10 seconds for the same source and destination. Child 56375 looks for a Yourls improper authentication attempt.
40109 | Compal CH7465LG | Compal CH7465LG Improper Input Validation Brute-Force Attempt Detection | Fires when child signature 56705 triggers 10 times in 30 seconds for the same source and destination. Child 56705 looks for improper input in an HTTP POST request.
40111 | Craft CMS | Craft CMS Improper Authentication Brute-Force Attempt Detection | Fires when child signature 56933 triggers 10 times in 30 seconds for the same source and destination. Child 56933 looks for a Craft CMS admin password reset attempt in HTTP requests.
40112 | Prima Systems FlexAir | Prima Systems FlexAir Backup Database Download Brute-Force Attempt Detection | Fires when child signature 57028 triggers 10 times in 10 seconds for the same source and destination. Child 57028 looks for a Prima Systems FlexAir backup database download attempt in HTTP requests.
40119 | Squid | Squid Integer Overflow Vulnerability | Fires when child signature 58065 triggers 20 times in 10 seconds for the same source and destination. Child 58065 looks for "Proxy-Authorization: Digest" headers containing a nonce, which may be crafted to exploit CVE-2019-18679.
40136 | Ubiquiti EdgeMAX | Denial-of-Service Vulnerability | Fires when child signature 90884 triggers 60 times in 10 seconds for the same source and destination and is reported as a DoS attack. It is grouped with the brute force signatures because it is based on the number of hits in a given time. Child 90884 detects an HTTP request whose cookie contains beaker.session.id.
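The parent/child counting the table describes, as an added example in Python (not Palo Alto Networks code). Thresholds are copied from three rows of the table; the event dictionary schema, the function and class names, and the sample FTP traffic are this example's own constructions, and the child matchers only paraphrase the table's one-line descriptions rather than reproduce the real signatures.

```python
"""Parent/child brute force aggregation as described in the table above.

Added example, not Palo Alto Networks code. A parent signature fires when its
child signature matches N times within T seconds for one (source, destination)
pair. Thresholds are taken from the table; the event format, names and sample
traffic are constructed for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Parent:
    tid: int        # parent threat ID (e.g. 40001)
    child: int      # child threat ID it counts (e.g. 40000)
    count: int      # hits required ...
    window: float   # ... within this many seconds


# Subset of the table: (parent, child, count, window)
PARENTS = [
    Parent(40001, 40000, 10, 60),    # FTP: "530" after PASS
    Parent(40006, 31708, 100, 60),   # HTTP: 401 with WWW-Authenticate
    Parent(40015, 31914, 20, 60),    # SSH: every connection to the server
]


def match_child(ev):
    """Return the child TID a constructed protocol event would trigger, or None.

    `ev` is a dict with an 'app' key plus app-specific fields (our own schema,
    not the firewall's). Conditions paraphrase the table's descriptions.
    """
    app = ev.get("app")
    if app == "ftp":
        # Child 40000: server answered a PASS command with 530.
        if ev.get("request", "").upper().startswith("PASS") and ev.get("status") == 530:
            return 40000
    elif app == "http":
        # Child 31708: 401 response carrying a WWW-Authenticate header.
        headers = {h.lower() for h in ev.get("headers", ())}
        if ev.get("status") == 401 and "www-authenticate" in headers:
            return 31708
    elif app == "ssh":
        # Child 31914: alerts on every connection to an SSH server.
        if ev.get("event") == "connect":
            return 31914
    return None


class BruteForceAggregator:
    """Sliding-window hit counter keyed by (child TID, source, destination)."""

    def __init__(self, parents):
        self.by_child = {p.child: p for p in parents}
        self.hits = defaultdict(deque)  # key -> timestamps of recent child hits

    def child_hit(self, child_tid, src, dst, ts):
        """Record one child hit; return the parent TID if the threshold is met."""
        parent = self.by_child.get(child_tid)
        if parent is None:
            return None
        q = self.hits[(child_tid, src, dst)]
        q.append(ts)
        while q and ts - q[0] > parent.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= parent.count:
            q.clear()          # fire once per N hits, not on every later hit
            return parent.tid
        return None


def run(events, parents=PARENTS):
    """Feed events through child matching and aggregation, ordered by 'ts'.

    Returns a list of (ts, parent_tid, src, dst) tuples, one per parent alert.
    """
    agg = BruteForceAggregator(parents)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        child = match_child(ev)
        if child is None:
            continue
        fired = agg.child_hit(child, ev["src"], ev["dst"], ev["ts"])
        if fired is not None:
            alerts.append((ev["ts"], fired, ev["src"], ev["dst"]))
    return alerts


def sample_events():
    """Constructed traffic: three FTP clients against one server (not real data)."""
    srv = "192.0.2.10"

    def fail(src, ts):
        return {"app": "ftp", "src": src, "dst": srv, "ts": ts,
                "request": "PASS hunter2", "status": 530}

    evs = []
    # 10.0.0.5: 12 failures in 33 s -> reaches 10-in-60 s at the 10th failure
    evs += [fail("10.0.0.5", 3.0 * i) for i in range(12)]
    # 10.0.0.6: 10 failures 13 s apart -> never 10 inside any 60 s window
    evs += [fail("10.0.0.6", 13.0 * i) for i in range(10)]
    # 10.0.0.7: 5 failures then a successful login -> below threshold
    evs += [fail("10.0.0.7", 1.0 * i) for i in range(5)]
    evs.append({"app": "ftp", "src": "10.0.0.7", "dst": srv, "ts": 6.0,
                "request": "PASS correct", "status": 230})
    return evs


if __name__ == "__main__":
    for ts, tid, src, dst in run(sample_events()):
        print(f"t={ts:6.1f}s  parent {tid} fired for {src} -> {dst}")
```

Two consequences of the per-pair counting are visible in the sample run. Only 10.0.0.5 trips 40001: the same total number of failures spread thinly over time (10.0.0.6), or spread across many source addresses as in password spraying, stays below the threshold because each (source, destination) pair is counted on its own. And because some children match benign traffic (31914 alerts on every SSH connection, 34556 on every 401), the parent threshold is the only thing separating an attack from busy legitimate use, so tune the count and window per environment rather than treating every parent hit as confirmed abuse.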
If the Threat ID you are looking for is not in this list, you can view its values in a Vulnerability Protection profile from the WebGUI under Objects > Security Profiles > Vulnerability Protection. Click a profile name; this example uses the default profile.
On the Exceptions tab, select "Show all signatures" in the lower left corner of the window, then search for the Threat ID you want details about.
When the Threat ID appears, click the small pencil (edit) icon to the left of the Threat Name.
Note: If the threat does not show up, make sure the content packages are current under Device > Dynamic Updates.
The resulting screen shows the attributes of the signature, including the hit count and time period on which this parent signature triggers.
SEE ALSO
For more information on any of these threats/vulnerabilities, please visit our Threat Vault:
https://threatvault.paloaltonetworks.com/
THREAT LOG GENERATION CRITERIA FOR BRUTE FORCE PARENT/CHILD SIGNATURES
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boRMCAY
owner: akawimandan