I see several HTTP Login Bruteforce Recon alerts in SIEM from NIPS 220.127.116.11. I would like to know on what criteria these alerts are generated, so that I can have the engineering team tune them.
From the above thread, is it just based on HTTP error codes? Can anyone please let me know how we need to tune these to avoid unnecessary alerts being logged to SIEM.
To understand how to work with Reconnaissance Attacks, please review the following articles:
In basic form most Reconnaissance Attacks are made up of a "Correlated Attack" (the recon) and a "Component Attack" (the trigger).
In this case, the reconnaissance attack "HTTP: HTTP Login Brute Force Detected" alert is triggered when the "HTTP: HTTP Authentication Failure" exploit signature is triggered 5 times within 120 seconds. To prevent a glut of these alerts, once triggered, it will not trigger again for 300 seconds.
From the "View/Edit Reconnaissance attacks" view for the HTTP Brute Force Detected attack:
Notice also the "Component Attacks" button. If you do not know which component attack(s) trigger the reconnaissance attack, you can click that button to see them.
BTW: That particular component attack triggers when the HTTP RESPONSE CODE = 401
Hope this helps!
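As an added illustration of the correlation the answer above describes (this is not the sensor's own code and was not posted in this thread), the following Python replays constructed HTTP log lines through a sliding-window correlator using the same parameters: 5 component hits (HTTP 401) within 120 seconds raise the recon alert, and the alert is then suppressed for 300 seconds. Keying the correlation per client IP, the log line format, and all addresses and timestamps are assumptions made for the example; the thread does not say what the sensor keys on.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Parameters quoted in the thread: 5 component hits within 120 s raise the
# recon alert; once raised it stays quiet for 300 s. They are settings here so
# the effect of tuning them can be tried against sample traffic first.
COMPONENT_STATUS = 401  # "HTTP: HTTP Authentication Failure" fires on a 401 response


@dataclass
class ReconCorrelator:
    threshold: int = 5
    window: float = 120.0
    suppress: float = 300.0
    # ASSUMPTION: correlation is keyed per client IP (the thread does not say).
    _hits: dict = field(default_factory=lambda: defaultdict(deque))
    _quiet_until: dict = field(default_factory=dict)

    def feed(self, ts, key, status):
        """Feed one HTTP event (epoch seconds, key, status code).

        Returns the key when the recon alert fires for it, otherwise None.
        """
        if status != COMPONENT_STATUS:
            return None                      # not a component attack, ignored
        hits = self._hits[key]
        hits.append(ts)
        while hits and ts - hits[0] > self.window:
            hits.popleft()                   # age out hits outside the window
        if len(hits) < self.threshold:
            return None
        if ts < self._quiet_until.get(key, float("-inf")):
            return None                      # still inside the suppression period
        self._quiet_until[key] = ts + self.suppress
        return key


def parse_line(line):
    """Parse a constructed log line: '<iso-time> <src> <dst> <method> <path> <status>'."""
    when, src, _dst, _method, _path, status = line.split()
    ts = datetime.fromisoformat(when).replace(tzinfo=timezone.utc).timestamp()
    return ts, src, int(status)


def run(log_text, corr=None):
    """Replay log lines through the correlator; return [(src, iso_time), ...] per alert."""
    corr = corr or ReconCorrelator()
    alerts = []
    for line in log_text.strip().splitlines():
        ts, src, status = parse_line(line)
        if corr.feed(ts, src, status):
            alerts.append((src, line.split()[0]))
    return alerts


# Constructed sample traffic: 10.0.0.5 makes two bursts of failed logins
# (a successful 200 in between is not counted), 10.0.0.7 fails only a few
# times spread out and should never cross the threshold.
SAMPLE_LOG = """
2024-03-01T10:00:00 10.0.0.5 10.0.0.9 POST /login 401
2024-03-01T10:00:10 10.0.0.5 10.0.0.9 POST /login 401
2024-03-01T10:00:20 10.0.0.7 10.0.0.9 POST /login 401
2024-03-01T10:00:25 10.0.0.5 10.0.0.9 POST /login 401
2024-03-01T10:00:40 10.0.0.5 10.0.0.9 POST /login 200
2024-03-01T10:00:50 10.0.0.5 10.0.0.9 POST /login 401
2024-03-01T10:01:00 10.0.0.5 10.0.0.9 POST /login 401
2024-03-01T10:01:30 10.0.0.5 10.0.0.9 POST /login 401
2024-03-01T10:02:00 10.0.0.7 10.0.0.9 POST /login 401
2024-03-01T10:03:00 10.0.0.7 10.0.0.9 POST /login 401
2024-03-01T10:06:30 10.0.0.5 10.0.0.9 POST /login 401
2024-03-01T10:06:40 10.0.0.5 10.0.0.9 POST /login 401
2024-03-01T10:06:50 10.0.0.5 10.0.0.9 POST /login 401
2024-03-01T10:07:00 10.0.0.5 10.0.0.9 POST /login 401
2024-03-01T10:07:10 10.0.0.5 10.0.0.9 POST /login 401
"""

if __name__ == "__main__":
    for src, when in run(SAMPLE_LOG):
        print(f"HTTP: HTTP Login Brute Force Detected src={src} at={when}")
    # Trying a tuned threshold before changing it on the sensor:
    print("alerts with threshold=8:", run(SAMPLE_LOG, ReconCorrelator(threshold=8)))
```

With the thread's parameters the first burst fires once at 10:01:00, the 10:01:30 failure is swallowed by the 300-second suppression, and the second burst fires again at 10:07:10; raising the threshold to 8 produces no alert for this traffic, which is the kind of what-if an engineering team can check before retuning the sensor.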