Threat Log Generation Criteria for Brute Force Parent/Child Signatures
Question
Brute force signatures 31993 and 40016 are being triggered intermittently in the Threat log. If an attack with the same source and destination triggers signature 31993 20 times in 60 seconds, it is considered a brute force attack and 40016 is triggered.
Why does 31993 still get triggered after 40016 has been triggered?
Answer
The trigger criterion for 40016 is 20 hits in 60 seconds.
The child signature 31993 is triggered for the first time in the first second and for the 19th time at 29 seconds.
40016 is triggered when a logical match for the child signature (31993) is seen on every subsequent hit within the remaining 31 seconds of the 60-second window.
If the match criteria for 31993 are met 10 more times within the 29 seconds left of the 60 seconds counted from the initially triggered session, all 10 of those subsequent sessions match 40016 and are "reset-both."
Within the 60-second window, the following entries appear in the Threat log:
- 31993 – Triggered 19 times
- 40016 – Triggered 10 times
After 60 seconds the window for signature 40016 ends and a fresh countdown starts. 31993 begins matching again, and the scenario above repeats if the criterion is met again.
For better understanding, here's another example.
This example uses the default values for signature 40031 - HTTP Unauthorized Brute-force Attack:
- Counter: 100 hits
- Timer: 60 seconds
- Aggregation Criteria: source-and-destination
The logic is as follows:
- Start
  - 1st HTTP 401 detected
    - 60 second timer starts for the source and destination pair.
    - 100 hit counter starts for the source and destination pair.
- Outcome 1 - Threshold reached before timer expires
  - 100th HTTP 401 detected
    - Action applied to all new HTTP connections between the source and destination pair
    - Note: In the case of the strict profile, client and server are sent resets.
  - 60 second timer ends
    - Hit counter resets to 0
    - Timer is stopped
    - All new connections are allowed again between the source and destination pair
    - Note: this is not a rolling timer; it starts on the first hit and is not reset by further hits.
- Outcome 2 - Threshold not reached before timer expires
  - 60 second timer ends
    - Hit counter resets to 0
    - Timer is stopped
    - No Action triggered
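As an added example (not code from the original article or from the vendor), the following Python model reproduces the counting logic described in both scenarios above: a hit counter kept per source-and-destination pair, a fixed (non-rolling) window that starts on the first child hit, child-signature log entries until the threshold is reached, parent-signature entries with the configured action for the threshold hit and every later hit in the same window, and a counter reset once the window ends so the child signature matches again. The class and function names, the IP addresses and timings, the "alert" label on child entries, and the `HTTP-401-CHILD` placeholder (the article gives no child signature id for 40031) are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class BruteForceTracker:
    """Models one child/parent brute-force signature pair.

    State is kept per aggregation key (source, destination). The window is
    fixed, not rolling: it starts on the first child hit and is not extended
    by later hits. Once the window has ended, the next hit resets the counter
    and starts a fresh countdown. (Constructed model, not vendor code.)
    """
    threshold: int = 20          # hits needed inside one window
    window: float = 60.0         # window length in seconds
    child_sig: object = 31993    # per-hit child signature (id from the article)
    parent_sig: object = 40016   # brute-force parent signature (id from the article)
    action: str = "reset-both"   # action applied once the parent signature matches
    _state: dict = field(default_factory=dict)   # key -> (window_start, hit_count)

    def hit(self, src: str, dst: str, t: float):
        """Register one child-signature match at time t (seconds).

        Returns (signature, action) for the Threat log entry that would be
        written for this session. "alert" on child entries is an assumption.
        """
        key = (src, dst)
        start, count = self._state.get(key, (None, 0))
        if start is None or t >= start + self.window:
            start, count = t, 0      # no window yet, or window expired: fresh countdown
        count += 1
        self._state[key] = (start, count)
        if count >= self.threshold:
            return self.parent_sig, self.action
        return self.child_sig, "alert"


def run(tracker, hits):
    """Feed (src, dst, t) hits in time order; return [(t, signature, action), ...]."""
    return [(t, *tracker.hit(src, dst, t)) for src, dst, t in hits]


def count_by_signature(entries, t_max=None):
    """Count log entries per signature, optionally only those with t < t_max."""
    return dict(Counter(sig for t, sig, _ in entries if t_max is None or t < t_max))


def scenario_parent_child():
    """The 31993/40016 case from the answer: 19 child hits in the first 29 s,
    10 more hits inside the same window, then one hit after the window ends."""
    src, dst = "198.51.100.10", "203.0.113.20"               # constructed addresses
    hits = [(src, dst, t) for t in range(1, 20)]             # hits 1-19 at t = 1..19 s
    hits += [(src, dst, 30 + i) for i in range(10)]          # hits 20-29 at t = 30..39 s
    hits += [(src, dst, 61)]                                 # first hit of the next window
    return run(BruteForceTracker(), hits)


def scenario_http_401(n_hits, rate=2.0):
    """Signature 40031 defaults from the article: 100 hits, 60 s, source-and-destination.
    n_hits HTTP 401s arrive from one client at `rate` per second; a second client
    that sends a handful of 401s is tracked separately by the aggregation criteria."""
    tracker = BruteForceTracker(threshold=100, window=60,
                                child_sig="HTTP-401-CHILD",   # placeholder: no child id in article
                                parent_sig=40031, action="reset-both")
    attacker, other, server = "198.51.100.10", "198.51.100.11", "203.0.113.20"
    hits = [(attacker, server, i / rate) for i in range(n_hits)]
    hits += [(other, server, 10 + i) for i in range(5)]      # constructed, separate pair
    hits.sort(key=lambda h: h[2])
    return run(tracker, hits)


if __name__ == "__main__":
    for t, sig, action in scenario_parent_child():
        print(f"t={t:>4}s  signature={sig}  action={action}")
```

Running the module prints the first scenario as a Threat log would show it: 19 entries for 31993, 10 entries for 40016 with `reset-both`, and a fresh 31993 entry at 61 s once the window has ended, which is exactly why the child signature reappears after the parent has fired.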
Additional Information
Review the link below for information regarding Brute Force Signatures: