11-16-2012 01:06 PM - edited 03-10-2019 05:49 AM
I am working on creating some custom signatures. I created one that works really well for the FTP traffic. If someone tries to log in as one of the most commonly used default user IDs, their connection gets reset. Now that is great. But we have a secure FTP server, and that traffic is encrypted. Is there any way I can get the IPS to look at that traffic for the username, or is the IPS unable to do that?
Secondly, is there a signature for brute-force attacks in the IPS? I can't seem to find it. We had an instance where an IP tried to log into our FTP server using a specific username like over 100 times, and the IPS did not detect it.
11-19-2012 02:22 AM
You could use the following two signatures:
6250/1 - FTP Authorization Failure
21539/2 - FTP Service for IIS Denial of Service (if applicable in your case)
Regards,
Sawan Gupta
11-19-2012 12:57 PM
Thank you; however, it will only work for FTP. I'm trying to get something like that going for SFTP too.