IPS - Brute Force Attack event

Feb 18th, 2009

Hi all,

I have an AIP-SSM on an ASA where all traffic is directed to it.

I have a web server connected to the DMZ zone, and users connect to it over a secure connection (HTTPS).

So my question is: if someone performs a brute-force attack to authenticate, does the IPS catch this kind of attack?

Does it differ at the IPS level whether the server works on HTTP or HTTPS?

jorjes1984 Thu, 02/19/2009 - 02:44

Authentication to the server in the DMZ zone (web server, Exchange, ...).

Assume there is an application on the server, and you connect to the server via HTTPS.

Does the IPS trigger any event if someone keeps trying to enter a wrong user name or password (assume he is using brute-force attack software)?

Mo'ath Al Rawashdeh Thu, 02/19/2009 - 03:12

Yes, there are a number of signatures responsible for login attacks such as:

3171 : FTP priviledged login

6252 : Rlogin Authorization Failure

5726 : Active Directory Failed Login

3201 : Unix Password File Access Attempt

And many more.


