I have Network Security Platform 5.1.11.
In the Reconnaissance Policy there is an attack called HTTP: HTTP Login Bruteforce Detected. I suppose that this attack uses the HTTP error codes, 401 for example, to identify the login failures.
Does anyone know of any way to tune this attack in order to use other criteria, like a regular expression?
Is there any way to make a custom Reconnaissance pattern?
Thanks a lot
How are you?
Is it described in the v7 documentation?
Hi sia! If these are false positive alerts, you can log packets and send them to the Support Team... If you want to write a regular expression, write a Snort rule... thanks.
Solved using version seven UDS (reconnaissance).
I see several HTTP Login Bruteforce Recon alerts in the SIEM from NIPS 184.108.40.206. I would like to know on what criteria these alerts are generated, so that I can have the engineering team tune them.
From the above thread, is it just based on HTTP error codes? Can anyone please let me know how we need to tune these to avoid unnecessary alerts being logged to the SIEM.
To understand how to work with Reconnaissance Attacks please review the following articles:
In their basic form, most Reconnaissance Attacks are made up of a "Correlated Attack" (the recon) and a "Component Attack" (the trigger).
In this case, the reconnaissance attack "HTTP: HTTP Login Brute Force Detected" alert is triggered when the "HTTP: HTTP Authentication Failure" exploit signature is triggered 5 times within 120 seconds. To prevent a glut of these alerts, once triggered, it will not trigger again for 300 seconds.
From the "View/Edit Reconnaissance attacks" view for the HTTP Brute Force Detected attack:
Notice also the "Component Attacks" button. If you do not know what the component attack(s) are that trigger the reconnaissance attack, you can click on that button to see them.
BTW: That particular component attack triggers when the HTTP response code = 401.
Hope this helps!
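The correlation the answer above describes (a 401 response is the component hit; five hits within 120 seconds raise the recon alert; the alert then stays quiet for 300 seconds) is easy to reason about once it is written down as a sliding-window correlator. The following is an added example written for this thread, not code from Network Security Platform or McAfee. It assumes that hits are counted per source-to-destination pair (the key the sensor actually uses is not stated in the thread), and the class names, the `correlate()` helper and the event list are all constructed for illustration. Running it shows why a slow guesser that spaces failures more than 24 seconds apart never trips the threshold, and why a sixth failure right after an alert produces nothing in the SIEM.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

# Parameters as stated in the thread for "HTTP: HTTP Login Brute Force Detected".
THRESHOLD = 5        # component hits needed to raise the recon alert
WINDOW = 120.0       # seconds within which those hits must occur
SUPPRESSION = 300.0  # seconds during which the recon alert will not re-fire


def is_auth_failure(status_line: str) -> bool:
    """Component attack "HTTP: HTTP Authentication Failure": response code 401.

    Takes the first line of an HTTP response, e.g. "HTTP/1.1 401 Unauthorized".
    """
    parts = status_line.split()
    return len(parts) >= 2 and parts[0].upper().startswith("HTTP/") and parts[1] == "401"


@dataclass
class ReconCorrelator:
    """Sliding-window correlator: threshold hits in window, then suppression."""
    threshold: int = THRESHOLD
    window: float = WINDOW
    suppression: float = SUPPRESSION
    # per flow key (assumption: "src->dst"): timestamps of hits still inside the window
    _hits: Dict[str, Deque[float]] = field(default_factory=dict)
    # per flow key: time of the last recon alert, used for suppression
    _last_alert: Dict[str, float] = field(default_factory=dict)

    def observe(self, ts: float, key: str) -> bool:
        """Record one component hit at time ts; return True if the recon alert fires."""
        q = self._hits.setdefault(key, deque())
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop hits older than the window
            q.popleft()
        if len(q) < self.threshold:
            return False
        last = self._last_alert.get(key)
        if last is not None and ts - last < self.suppression:
            return False                        # threshold met, but still suppressed
        self._last_alert[key] = ts
        return True


def correlate(events: List[Tuple[float, str, str, str]]) -> List[Tuple[float, str]]:
    """Feed (timestamp, src, dst, status_line) records through the correlator.

    Returns [(timestamp, "src->dst"), ...] for every recon alert raised.
    """
    corr = ReconCorrelator()
    alerts: List[Tuple[float, str]] = []
    for ts, src, dst, status in sorted(events):
        if not is_auth_failure(status):         # only 401s are component hits
            continue
        key = f"{src}->{dst}"
        if corr.observe(ts, key):
            alerts.append((ts, key))
    return alerts


# Constructed sample traffic (not real sensor data). Timestamps are seconds.
F = "HTTP/1.1 401 Unauthorized"
SAMPLE_EVENTS = [
    # fast brute force from 10.0.0.5: five 401s inside 120 s -> alert at t=110
    (0.0, "10.0.0.5", "10.0.1.20", F),
    (30.0, "10.0.0.5", "10.0.1.20", F),
    (60.0, "10.0.0.5", "10.0.1.20", F),
    (90.0, "10.0.0.5", "10.0.1.20", F),
    (100.0, "10.0.0.5", "10.0.1.20", "HTTP/1.1 200 OK"),   # not a component hit
    (110.0, "10.0.0.5", "10.0.1.20", F),                   # fifth hit -> alert
    # sixth failure 40 s later: five hits still in window, but inside suppression
    (150.0, "10.0.0.5", "10.0.1.20", F),
    # second burst after suppression has lapsed -> alert again at t=580
    (500.0, "10.0.0.5", "10.0.1.20", F),
    (520.0, "10.0.0.5", "10.0.1.20", F),
    (540.0, "10.0.0.5", "10.0.1.20", F),
    (560.0, "10.0.0.5", "10.0.1.20", F),
    (580.0, "10.0.0.5", "10.0.1.20", F),
    # slow guessing from 10.0.0.9, one failure every 100 s: never five in 120 s
    (0.0, "10.0.0.9", "10.0.1.20", F),
    (100.0, "10.0.0.9", "10.0.1.20", F),
    (200.0, "10.0.0.9", "10.0.1.20", F),
    (300.0, "10.0.0.9", "10.0.1.20", F),
    (400.0, "10.0.0.9", "10.0.1.20", F),
]

if __name__ == "__main__":
    for ts, key in correlate(SAMPLE_EVENTS):
        print(f"t={ts:>6.0f}s  HTTP: HTTP Login Brute Force Detected  {key}")
```

For the tuning question raised in the thread, the three numbers at the top are the knobs that matter: raising the threshold or shortening the window cuts alerts from legitimate users who mistype a password a few times, while lengthening the window catches slower guessing at the cost of more state per flow. The suppression period only limits how often the same flow can re-alert; it does not change what counts as a hit.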