02-15-2011 01:54 PM - edited 03-10-2019 05:16 AM
Hello,
I have seen a rise of attempts to brute force our Administrator account on a Windows domain. I have in place a Cisco ASA5505 w/ IPS sensor. I'd like to use the IPS sensor to automatically block IPs that brute force after x failed login attempts.
Question is, is there a signature present (we auto update and are current) which will detect this, and what do we need to do to enable/configure this to kill the connection and deny further attempts?
THIS is what I need to stop: We are getting a few hundred a day.
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: xxx
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: xxx
Caller User Name: xxx
Caller Domain: xxx
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 8728
Transited Services: -
Source Network Address: 213.171.220.184
Source Port: 9674
02-19-2011 11:22 PM
Hello
To my knowledge there is no such signature; you need to create a custom signature to achieve this.
If you have Cisco MARS; you can pull these events directly in MARS and create a regex rule for the same. Add email notification to this rule as usual to ensure alerting as desired. Windows events can either be pulled by MARS or can be pushed using the Snare agent.
Please see this link for more details:
Regards
Farrukh
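As an added example (not code from the original thread, from Cisco, or from any of the posters), the following Python script shows the detection logic that either the custom IPS signature or the MARS regex rule suggested above would have to implement: parse the "Logon Failure" audit records in the field layout quoted in the first post, count failures for the watched account per source address inside a sliding time window, and emit a block decision once the count reaches x. The audit records are constructed here (documentation IP ranges, a fabricated timestamp prefix in front of each record), and the threshold, window, account name and the ASA `shun <ip>` lines it produces are all assumptions of this example: `shun` is the ASA's manual per-address block, not the sensor's own "deny attacker" action, so something still has to apply those lines to the firewall.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _event(ts, user, src, logon_type="10"):
    """Build one constructed audit record mirroring the layout quoted in the post."""
    return (f"{ts} Logon Failure:\n"
            "Reason: Unknown user name or bad password\n"
            f"User Name: {user}\nDomain: EXAMPLE\nLogon Type: {logon_type}\n"
            "Logon Process: User32\nAuthentication Package: Negotiate\n"
            f"Source Network Address: {src}\nSource Port: 9674\n")


# Constructed sample log (not real traffic): five failures for "administrator"
# from 198.51.100.23 within one minute, one stray failure from 203.0.113.7,
# one failure for another account, and one console failure with no address.
SAMPLE_LOG = "".join(_event(*e) for e in [
    ("2011-02-15 13:50:01", "administrator", "198.51.100.23"),
    ("2011-02-15 13:50:09", "administrator", "198.51.100.23"),
    ("2011-02-15 13:50:17", "administrator", "198.51.100.23"),
    ("2011-02-15 13:50:24", "administrator", "203.0.113.7"),
    ("2011-02-15 13:50:30", "administrator", "198.51.100.23"),
    ("2011-02-15 13:50:38", "jsmith", "198.51.100.23"),
    ("2011-02-15 13:50:45", "administrator", "-", "2"),
    ("2011-02-15 13:50:52", "administrator", "198.51.100.23"),
])

# One record = timestamp line, then "Key: Value" lines up to the next timestamp.
EVENT_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Logon Failure:\n(.*?)(?=^\d{4}-\d{2}-\d{2} |\Z)",
    re.M | re.S)
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*): (.*)$", re.M)


def parse_events(text):
    """Turn the raw audit text into a list of dicts, one per Logon Failure record."""
    events = []
    for m in EVENT_RE.finditer(text):
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        fields = dict(FIELD_RE.findall(m.group(2)))
        events.append({"time": ts, **fields})
    return events


def find_brute_forcers(events, threshold=5, window=timedelta(minutes=5),
                       account="administrator"):
    """Return {source_ip: time_blocked} for every address that produced
    `threshold` or more failures for `account` inside any `window`-long span.
    Records with no network address (local console logons) are ignored."""
    recent = defaultdict(deque)   # source ip -> timestamps still inside the window
    blocked = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        src = ev.get("Source Network Address", "-")
        if src == "-" or ev.get("User Name", "").lower() != account.lower():
            continue
        q = recent[src]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in blocked:
            blocked[src] = ev["time"]
    return blocked


def asa_shun_commands(blocked):
    """ASA CLI lines an operator or script would apply for the blocked addresses.
    (Assumed follow-up step; the sensor's own deny action is configured separately.)"""
    return [f"shun {ip}" for ip in sorted(blocked)]


if __name__ == "__main__":
    hits = find_brute_forcers(parse_events(SAMPLE_LOG))
    for ip, when in hits.items():
        print(f"{when} block {ip}")
    print("\n".join(asa_shun_commands(hits)))
```

With the constructed sample, only 198.51.100.23 crosses the threshold (its fifth failure at 13:50:52); the single failure from 203.0.113.7, the failure for a different account and the console failure with address "-" are all left alone, which is the behaviour a signature should have so that a legitimate admin typo does not get the office address shunned. Tune `threshold` and `window` to what "a few hundred a day" looks like on your domain before wiring the output to anything that blocks.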
05-24-2011 07:50 AM
Would anyone have, or know how to create, a custom signature to do this? Purchasing a MARS isn't an option for our organization, and I'm completely lost looking at the custom signature wizard. Any help is greatly appreciated, since this was the primary reason for buying the AIP-SSM module, and it isn't making me look good after a CCNP told me it would solve my problem.
thanks