IPS - Brute Force Attack event

Unanswered Question
Feb 18th, 2009

Hi all,

I have an AIP-SSM on an ASA where all traffic is directed to it.

I have a web server connected to the DMZ zone, and users connect to it over a secure connection (HTTPS).

So my question is: if someone does a brute force attack to authenticate themselves, does the IPS catch this kind of attack?

Does it differ at the IPS level if the server works on HTTP or HTTPS?


Mo'ath Al Rawashdeh Thu, 02/19/2009 - 01:16

Hi Jorjes,


Which service do you mean to authenticate to (Remote Desktop, Telnet, SSH, FTP, ...)?

jorjes1984 Thu, 02/19/2009 - 02:44

Authentication to the server in the DMZ zone (web server, Exchange, ...).

Assume there is an application on the server, and you connect to the server via HTTPS.

Does the IPS trigger any event if someone keeps trying to enter a wrong user name or password (assume he is using brute force attack software)?

Mo'ath Al Rawashdeh Thu, 02/19/2009 - 03:12

Yes, there are a number of signatures responsible for login attacks such as:


3171 : FTP priviledged login

6252 : Rlogin Authorization Failure

5726 : Active Directory Failed Login

3201 : Unix Password File Access Attempt


And many more.


Regards,
