Threat Log Generation Criteria for Brute Force Parent/Child Signatures

Created On 03/26/19 05:40 AM - Last Modified 03/27/19 22:58 PM


Question


Brute force signatures 31993 and 40016 are being triggered intermittently in the Threat log. If traffic with the same source and destination triggers signature 31993 20 times in 60 seconds, it is considered a brute force attack and 40016 is triggered.

Why does 31993 keep being triggered after 40016 has already fired?



Answer


The trigger criterion for 40016 is 20 matches in 60 seconds.
The child signature 31993 is triggered for the first time in the first second and for the 19th time at 29 seconds.

40016 is triggered if a logical match for the child signature (31993) is seen for every subsequent session in the remaining 31 seconds of the 60 second window.

If the match criteria for 31993 are met 10 more times within the 29 seconds left in the 60 seconds counted from the initially triggered session, all of those subsequent sessions match 40016 and receive the action "reset-both."

Within the 60 second window, the following entries will show up in the Threat log:
  • 31993 – Triggered 19 times
  • 40016 – Triggered 11 times
After 60 seconds the window for signature 40016 ends and a fresh countdown starts. 31993 begins matching again, and the scenario above repeats if the criteria are met again.
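The counting logic described above, replayed over a constructed set of child-signature matches as an added example (this is not code from the article or from PAN-OS). The signature IDs, threshold and window are the article's values; the timestamps and IP addresses are constructed, and the fixed window that opens at the first match and resets after 60 seconds is the model assumed from the answer.

```python
from collections import Counter

# Values from the article: child signature 31993, parent 40016, and the
# parent fires on 20 child matches within 60 seconds.
CHILD_SIG = 31993
PARENT_SIG = 40016
THRESHOLD = 20
WINDOW_SECONDS = 60


def classify_matches(matches, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Replay child-signature matches and return which signature the Threat
    log records for each one.

    matches: iterable of (t_seconds, src_ip, dst_ip) in time order.
    Returns a list of (t_seconds, src_ip, dst_ip, signature_id).
    """
    state = {}  # (src, dst) -> (window_start, match_count); one counter per pair
    logs = []
    for t, src, dst in matches:
        key = (src, dst)
        window_start, count = state.get(key, (None, 0))
        # Assumed model: the window opens at the first match; once 60 s have
        # elapsed a fresh countdown starts and the child signature logs again.
        if window_start is None or t - window_start >= window:
            window_start, count = t, 0
        count += 1
        state[key] = (window_start, count)
        # Matches 1..19 log the child; the 20th and every later match inside
        # the window log the parent (whose action the article gives as reset-both).
        sig = PARENT_SIG if count >= threshold else CHILD_SIG
        logs.append((t, src, dst, sig))
    return logs


def count_by_signature(logs):
    """Summarise classified log entries as {signature_id: count}."""
    return dict(Counter(sig for _, _, _, sig in logs))


# Constructed sample (not real traffic): one source/destination pair, 19 matches
# between t=1 s and t=29 s, 11 more before the window ends, then one after it.
SAMPLE = [(1 + (28 * i) // 18, "10.0.0.5", "192.0.2.10") for i in range(19)]
SAMPLE += [(31 + i, "10.0.0.5", "192.0.2.10") for i in range(11)]
SAMPLE += [(62, "10.0.0.5", "192.0.2.10")]

if __name__ == "__main__":
    for entry in classify_matches(SAMPLE):
        print(entry)
    print(count_by_signature(classify_matches(SAMPLE)))
```

Running it reproduces the 19/11 split from the answer for the first 30 matches, and the match at 62 seconds logs 31993 again because a new window has started.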


Additional Information


Review the link below for information on Brute Force Signatures:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmpCAC

