(1:1000122) Local - BAD-TRAFFIC SSH brute force login attempt

IPS RULE:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (sid:1000122; gid:1; flow:established,to_server; content:"SSH-"; depth:4; detection_filter:track by_src, count 30, seconds 60; msg:"Local - BAD-TRAFFIC SSH brute force login attempt"; classtype:High; rev:1; metadata:service ssh; )

Observed numerous false positive events. Please suggest how to avoid the false positives. Most of the false positives are internal traffic.

4 Replies

Veronika Klauzova
Cisco Employee

Why do you think that the signature triggered is a false positive? Could you provide a pcap capture from the IPS event that triggered? If not, please start with validation of the source and destination IPs and ports in the pcap: do they match the variable set properly?

Hi Veronika,

Thanks for the response.

Here most of them are internal traffic. Is it possible to exclude internal IPs in the source?

Even though it is mentioned as external in the IPS rule, it also triggers the alert for internal IPs.

I want to reduce the alerts in order to locate the actual brute force attack.

Kindly suggest some inputs.

Below is one example packet text. Since the packet text contains the content "SSH-", the IPS throws the alert.

L..%.ITu......E..H4.@.<...
2..
....X.....G'[ro...}F1.....
T..N...;SSH-2.0-JSCH-0.1.53

Hello,

By default the system has the value any in both the EXTERNAL_NET and HOME_NET variables, which includes all networks (internal and external). You can verify which networks are included in those variables in the FMC GUI under Objects -> Object Management -> Variable Set -> Default-Set -> Edit; this displays the whole variable set.

It is recommended to change the HOME_NET default setting and include the network range(s) that the active IPS policy protects, basically all of your internal networks. EXTERNAL_NET can be kept at its default setting, which is any (the 0.0.0.0/0 network).

This will eliminate the false positives that you are seeing.

Let me know if you will have more questions on this.

Best regards,

Veronika
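To see why the variable set decides whether internal sources match this rule, here is an added Python model (not FMC or Snort code) of the rule's header, its content:"SSH-"; depth:4 match and its detection_filter, run over constructed variable sets and constructed traffic. It also shows the caveat that with HOME_NET tuned but EXTERNAL_NET left at any, internal sources still match, while EXTERNAL_NET set to the negation of HOME_NET excludes them.

```python
import ipaddress
from collections import defaultdict

# Three variable sets (constructed for this example).
DEFAULT_SET = {"HOME_NET": ["any"], "EXTERNAL_NET": ["any"]}          # FMC default
PARTIAL_SET = {"HOME_NET": ["10.0.0.0/8"], "EXTERNAL_NET": ["any"]}   # HOME_NET tuned only
TUNED_SET = {"HOME_NET": ["10.0.0.0/8"], "EXTERNAL_NET": ["!$HOME_NET"]}


def in_var(ip, var, varset):
    """True if ip is covered by variable var: 'any' covers everything,
    '!$X' is the negation of variable X, anything else is a CIDR block."""
    addr = ipaddress.ip_address(ip)
    for entry in varset[var]:
        if entry == "any":
            return True
        if entry.startswith("!$"):
            return not in_var(ip, entry[2:], varset)
        if addr in ipaddress.ip_network(entry):
            return True
    return False


def rule_matches(conn, varset):
    """Header 'tcp $EXTERNAL_NET any -> $HOME_NET 22' plus content:"SSH-"; depth:4."""
    return (conn["dport"] == 22
            and in_var(conn["src"], "EXTERNAL_NET", varset)
            and in_var(conn["dst"], "HOME_NET", varset)
            and conn["payload"][:4] == b"SSH-")


def alerting_sources(conns, varset, count=30, seconds=60):
    """detection_filter:track by_src, count 30, seconds 60 - the rule fires once a
    source exceeds `count` matches inside a sliding `seconds` window (modelled as
    strictly more than `count`). Returns the source IPs that would raise an alert."""
    window = defaultdict(list)
    fired = set()
    for c in sorted(conns, key=lambda c: c["t"]):
        if not rule_matches(c, varset):
            continue
        w = [t for t in window[c["src"]] if c["t"] - t < seconds] + [c["t"]]
        window[c["src"]] = w
        if len(w) > count:
            fired.add(c["src"])
    return fired


def sample_connections():
    """Constructed traffic: an internal host and an external host each open
    31 SSH sessions to an internal server within one minute."""
    banner = b"SSH-2.0-JSCH-0.1.53"  # client banner quoted in the thread
    return [{"t": t, "src": src, "dst": "10.1.1.10", "dport": 22, "payload": banner}
            for src in ("10.1.1.5", "203.0.113.7") for t in range(31)]
```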

# Rule 1: mark the session once the server's SSH banner is seen; it never alerts by itself.
# Both rules match server-to-client packets (flow:from_server), so the header must be
# $HOME_NET 22 -> $EXTERNAL_NET any; with the original $EXTERNAL_NET any -> $HOME_NET 22
# header no server packet could match.
alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SSH brute force flowbit 1"; \
flow:from_server,established; \
content:"SSH-"; depth:4; nocase; \
pcre:"/^SSH-[12]\.\d+/smi"; \
flowbits:set,ssh_server_banner; \
flowbits:noalert; sid:1100000; rev:1;)

# Rule 2: count server KEXINIT messages (SSH2 message type 0x14 at offset 5 of the
# binary packet) sent back to the same client; more than 10 in 25 seconds means that
# client keeps opening fresh sessions.
alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SSH Brute Force Attack"; \
flow:from_server,established; \
flowbits:isset,ssh_server_banner; \
content:"|00 00|"; \
content:"|14|"; distance:3; within:1; \
detection_filter:track by_dst, count 10, seconds 25; \
sid:11000001; rev:1;)
