topic alert tcp $EXTERNAL_NET any - in Network Security

(1:1000122) Local - BAD-TRAFFIC SSH brute force login attempt

ramachandran.gunasekaran — Wed, 24 May 2017 13:28:37 GMT

IPS RULE:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (sid:1000122; gid:1; flow:established,to_server; content:"SSH-"; depth:4; detection_filter:track by_src, count 30, seconds 60; msg:"Local - BAD-TRAFFIC SSH brute force login attempt"; classtype:High; rev:1; metadata:service ssh; )

Observed numerous false positive events, Please suggest to avoid false positive. Most of the false positive are internal traffic.

Why do you think that

Veronika Klauzova — Wed, 24 May 2017 18:02:44 GMT

Why do you think that signature triggered is false positive? Could you provide pcap capture from IPS event that triggered the IPS events? If not, please start with validation of source and destination IP's and ports in pcap, does it match properly variable set?

Hi Veronika,

ramachandran.gunasekaran — Thu, 25 May 2017 10:20:14 GMT

Hi Veronika,

thanks for the response.

Here most of them are internal traffic, If that possible to exclude internal IP in the source.

Even though it is mentioned as external in IPS rule, it also triggers the alert for internal IP.

I want to reduce the alerts in order to locate the actual brute force attack.

Kindly suggest some inputs.

below is one of the example packet text: Since the packet text is having the content "SSH-", IPS throws the alert.

L..%.ITu......E..H4.@.<...
2..
....X.....G'[ro...}F1.....
T..N...;SSH-2.0-JSCH-0.1.53

Hello,

Veronika Klauzova — Thu, 25 May 2017 10:42:07 GMT

Hello,

by default system have in EXTERNAL_NET and HOME_NET variables any value, which includes all networks (internal, external). You can verify what networks are included in those variables under FMC GUI Objects -> Object Management -> Variable set -> Default-Set -> Edit, this will display all available variable set.

It is recommended to change HOME_NET default setting and include the network range/s that the active IPS policy protects, basically all of your internal networks. EXTERNAL_NET can be kept with default settings which is any (0.0.0.0/0 network).

This will eliminate false positives that you are seeing.

Let me know if you will have more questions on this.

Best regards,

Veronika

alert tcp $EXTERNAL_NET any -

atatistc — Thu, 01 Jun 2017 02:28:07 GMT

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force flowbit 1"; \
flow:from_server,established; \
content:"SSH-";depth:4;nocase; \
pcre:"/^SSH-[12]\.\d+/smi"; \
flowbits:set,ssh_server_banner; \
flowbits:noalert; sid:1100000;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH Brute Force Attack"; \
flow:from_server,established; \
flowbits:isset,ssh_server_banner; \
content:"|00 00|"; \
content:"|14|"; distance:3; within:1; \
detection_filter:track by_dst, count 10, seconds 25; \
sid:11000001; )