sia Newcomer 26 posts since
Nov 16, 2010

Mar 1, 2012 6:20 AM

Tuning HTTP: HTTP Login Bruteforce Detected

Hi.

I have a Network Security Platform 5.1.11.

In the Reconnaissance Policy there is an attack called HTTP: HTTP Login Bruteforce Detected. I suppose that this attack uses the HTTP error codes, 401 for example, to identify the failed logins.

Does anyone know any way to tune this attack in order to use other criteria, like a regular expression?

Is there any way to make a custom Reconnaissance pattern?

Thanks a lot


-------------------------------------------------------------------
Pablo Rodríguez Domínguez
CISSP, CISA, ITIL Fundation V3
Principal Technical Consultant

Sistemas Informaticos Abiertos S.A. (www.sia.es)


  • nmanes Newcomer 1 posts since
    Jun 13, 2011
    1. Mar 1, 2012 6:38 AM (in response to sia)
    Re: Tuning HTTP: HTTP Login Bruteforce Detected

    Hello Pablo:

    Nice to hear from you!!

    Yes, you can do that... But only on v7 SW version sensors.

    See you

    Neftalí

  • rangerlj Apprentice 71 posts since
    Jan 3, 2010
    3. Mar 5, 2012 4:42 AM (in response to sia)
    Re: Tuning HTTP: HTTP Login Bruteforce Detected

    Hi sia! If these were false positive alerts, you can log packets and send them to the Support Team. If you want to write a regular expression, write a Snort rule. Thanks.

  • gandepas Newcomer 7 posts since
    Feb 4, 2013
    5. Oct 24, 2013 10:32 AM (in response to sia)
    Re: Tuning HTTP: HTTP Login Bruteforce Detected

    Hi,

    I see several HTTP Login Bruteforce Recon alerts in the SIEM from NIPS 7.1.3.5. I would like to know on what criteria these alerts are generated, so that the engineering team can tune them.

    From the above thread, is it just based on HTTP error codes? Can anyone please let me know how we need to tune these to avoid unnecessary alerts being logged to the SIEM.

    Thank you.

  • hschupp Newcomer 20 posts since
    Dec 11, 2008
    6. Oct 31, 2013 12:06 AM (in response to gandepas)
    Re: Tuning HTTP: HTTP Login Bruteforce Detected

    To understand how to work with Reconnaissance Attacks please review the following articles:

    Understanding Network Security Platform Reconnaissance Alerting (KB58405)

    Network Security Platform correlated attacks (KB60305)

    In basic form most Reconnaissance Attacks are made up of a "Correlated Attack" (the recon) and a "Component Attack" (the trigger).

    In this case, the reconnaissance attack "HTTP: HTTP Login Brute Force Detected" alert is triggered when the "HTTP: HTTP Authentication Failure" exploit signature is triggered 5 times within 120 seconds. To prevent a glut of these alerts, once triggered, it will not trigger again for 300 seconds.

    From the "View/Edit Reconnaissance attacks" view for the HTTP Brute Force Detected attack:

    (screenshot: reconhttplogonbruteforce.jpg)

    Notice also the "Component Attacks" button. If you do not know what the component attack(s) are that trigger the reconnaissance attack you can click on that button to see them.

    (screenshot: ComponentAttack.jpg)

    BTW: That particular component attack triggers when the HTTP RESPONSE CODE = 401

    Hope this helps!
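The correlation hschupp describes (component attack on HTTP response code 401, five hits within 120 seconds, then 300 seconds of suppression) as an added Python example for anyone deciding which knob to tune before the alerts reach the SIEM. This is not McAfee's code or anything from the thread; the log line format, keying the counter per source IP, and restarting the counter once the recon alert fires are all assumptions made here.

```python
# Added example (not McAfee NSP code): a toy re-implementation of the
# reconnaissance correlation described in the thread, so the tuning knobs
# (threshold, window, suppression, which response codes count) can be
# reasoned about against sample web-server log lines.
# Assumptions: log format "<seconds> <client_ip> <http_status>", hits are
# keyed per source IP, and the hit counter restarts after an alert fires.
from collections import defaultdict, deque

# Constructed sample log (not captured traffic): two clients, one noisy, one slow.
SAMPLE_LOG = """\
0   10.0.0.5 401
5   10.0.0.9 401
10  10.0.0.5 401
20  10.0.0.5 401
30  10.0.0.5 401
40  10.0.0.5 200
45  10.0.0.5 403
50  10.0.0.5 401
55  10.0.0.9 401
60  10.0.0.5 401
70  10.0.0.5 401
105 10.0.0.9 401
155 10.0.0.9 401
205 10.0.0.9 401
400 10.0.0.5 401
410 10.0.0.5 401
420 10.0.0.5 401
430 10.0.0.5 401
440 10.0.0.5 401
"""


def parse_log(text):
    """Yield (timestamp, src_ip, status) tuples from the constructed log format."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, status = line.split()
        yield int(ts), src, int(status)


class ReconCorrelator:
    """Correlated attack = `threshold` component hits from one source inside
    `window` seconds, then silence for `suppress` seconds (the semantics the
    thread summarises from KB58405 / KB60305)."""

    def __init__(self, threshold=5, window=120, suppress=300, component_codes=(401,)):
        self.threshold = threshold
        self.window = window
        self.suppress = suppress
        self.component_codes = set(component_codes)
        self.hits = defaultdict(deque)   # src_ip -> timestamps of component hits
        self.last_alert = {}             # src_ip -> timestamp of last recon alert

    def process(self, ts, src, status):
        """Feed one event; return (ts, src) when a recon alert fires, else None."""
        # Component attack "HTTP: HTTP Authentication Failure": only the
        # configured response codes count; 200, 403 etc. are ignored.
        if status not in self.component_codes:
            return None
        q = self.hits[src]
        q.append(ts)
        # Slide the window: drop hits older than `window` seconds.
        while q and q[0] < ts - self.window:
            q.popleft()
        # Suppression: after an alert, stay quiet for `suppress` seconds.
        last = self.last_alert.get(src)
        if last is not None and ts - last < self.suppress:
            return None
        if len(q) >= self.threshold:
            self.last_alert[src] = ts
            q.clear()  # assumption: the counter restarts once the recon alert fires
            return (ts, src)
        return None


def run_correlation(log_text, **tuning):
    """Run the correlator over a log and return the list of (ts, src) recon alerts."""
    corr = ReconCorrelator(**tuning)
    alerts = []
    for ts, src, status in parse_log(log_text):
        hit = corr.process(ts, src, status)
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for ts, src in run_correlation(SAMPLE_LOG):
        print(f"HTTP: HTTP Login Brute Force Detected  t={ts}s  src={src}")
```

With the defaults, 10.0.0.5 fires at t=50 (its fifth 401, the 200 and 403 in between not counting), stays silent through the next 401s at t=60 and t=70, and fires again at t=440 once the 300-second suppression has expired; 10.0.0.9 never fires because it never reaches five 401s inside any 120-second span. Raising the threshold to 8 silences everything in this log, while widening the window to 240 seconds also catches the slow source at t=205, which is the trade-off to keep in mind when deciding whether to tune the count, the window, or the set of response codes.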
