Re: FTP IPS block

gm-douglas · ‎05-13-2009

We are getting people attempting a dictionary attack on one of our ftp servers. We have a ASA with a SSM module protecting the edge. When the attempt this attack, they trigger signature 6250 'FTP Authorization Failure' alerts.

I would like to set up a shun onto the ASA for anyone that triggers this signature more than 3 times in 5 minutes. Do I need to create a meta type signature for this or can I modify the existing signature? If I need to create a new signature for this, how would I set up the 3 times in 5 minutes part? Would this be something that would be better answered by putting in a TAC ticket?

Thanks

michael.d.brown · ‎05-13-2009

edit the signature via ASDM and under the Event counter field is where you would want to make that change. I have mine set to 5 with blocking enabled.

Details:

Event Counter-

Lets you configure how the sensor counts events. For example, you can specify that you want the sensor to send an alert only if the same signature fires 5 times for the same address set:

a.) Event Count-The number of times an event must occur before an alert is generated. The value is 1 to 65535. The default is 1.

b.) Event Count Key-The storage type used to count events for this signature. Choose attacker address, attacker address and victim port, attacker and victim addresses, attacker and victim addresses and ports, or victim address. The default is attacker address.

c.) Specify Alert Interval-Specifies the time in seconds before the event count is reset. Choose Yes or No from the drop-down list and then specify the amount of time.