12-13-2013 11:17 AM - edited 03-10-2019 06:06 AM
Hi,
I have a question about a static NAT statement and the IPS module. The customer says that there was a brute force attack against a server on port 3389 (RDP).
The IPS did not report any attack in progress, nor does it show in history there was an attack.
I think because this statement was in the router: ip nat inside source static tcp x.x.x.x 3389 (external address x.x.x.x) 3389 extendable
that the IPS did not see any problem, and therefore the traffic was not classified as rogue.
Can anyone confirm this is why IPS did not alert on the traffic, or add your thoughts?
Every 2 minutes someone was trying to log in to the server from the outside. Server logs alerted the customer that there was a problem.
Customer removed the statement from the router, and attack ceased.
We have:
internet -> 3925 router -> ASA 5512 w/ IPS module -> inside LAN
thank you
12-19-2013 12:34 AM
The reason that the attack ceased when you removed the NAT is probably that no external access is possible any more without that NAT statement.
There are two reasons that you missed the attack on the IPS:
1) To my knowledge there is no signature for failed logins to an RDP service, so the IPS can't act on it.
2) If there had been a signature, the thresholds would have had to be quite tight for an attack that only happens every two minutes. That leads to a higher false-positive rate, or to missed attacks if the thresholds are set higher.
Here it seems that your security is working, as you have a second source of input (your log files).
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
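The threshold trade-off in point 2 above is easy to see on the server-side logs that did catch this attack. The following is an added example, not code from the thread or from Cisco: a small Python script that counts failed RDP logons per source address over a sliding time window. The log lines are constructed to resemble a flattened export of Windows Security event 4625 (logon type 10 = RemoteInteractive); the exact line format, the attacker address 203.0.113.5 (a documentation-only range) and the LAN address 192.168.1.20 are all assumptions for the illustration. The same code runs over three rules: a typical "5 failures in 1 minute" rule that never fires on a one-attempt-per-two-minutes attacker, a long "10 failures in 60 minutes" window that catches it, and a tight "2 failures in 5 minutes" rule that catches it but also flags an ordinary user typing a password wrong twice.

```python
"""Sliding-window failed-logon counter for detecting slow RDP brute force.

Added example, not from the original thread. The log format below is an
assumption modelled on a flattened Windows Security 4625 event export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

ASSUMED_TS_FORMAT = "%Y-%m-%d %H:%M:%S"
# LogonType 10 = RemoteInteractive (RDP). With Network Level Authentication a
# failed RDP attempt is often recorded as type 3 instead, so accept both.
RDP_LOGON_TYPES = {"3", "10"}


def build_sample_log():
    """Constructed sample data, not a real export: one failed RDP logon every
    two minutes for an hour from 203.0.113.5, two typos by a LAN user from
    192.168.1.20, and one successful logon (4624) that must be ignored."""
    start = datetime(2013, 12, 10, 2, 0, 5)
    lines = [
        f"{start + timedelta(minutes=2 * i):{ASSUMED_TS_FORMAT}} EventID=4625 "
        f"LogonType=10 TargetUser=administrator SourceIP=203.0.113.5"
        for i in range(30)
    ]
    lines += [
        "2013-12-10 02:10:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=192.168.1.20",
        "2013-12-10 02:10:30 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=192.168.1.20",
        "2013-12-10 02:11:00 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=192.168.1.20",
    ]
    return "\n".join(lines)


def parse_failed_rdp_logons(text):
    """Return time-sorted (timestamp, user, source_ip) tuples for failed RDP
    logons (EventID 4625 with an RDP logon type). Other lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or malformed line
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        if fields.get("EventID") != "4625":
            continue
        if fields.get("LogonType") not in RDP_LOGON_TYPES:
            continue
        ts = datetime.strptime(" ".join(parts[:2]), ASSUMED_TS_FORMAT)
        events.append((ts, fields.get("TargetUser", "?"), fields.get("SourceIP", "?")))
    return sorted(events)


def failed_logons_in_window(events, window_seconds, threshold):
    """Return {source_ip: peak_count} for every source whose failed-logon
    count within any window of `window_seconds` reaches `threshold`.
    `events` must be time-ordered (as returned by parse_failed_rdp_logons)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    alerts = {}
    for ts, _user, ip in events:
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop attempts that have aged out of the window
        if len(q) >= threshold:
            alerts[ip] = max(alerts.get(ip, 0), len(q))
    return alerts


if __name__ == "__main__":
    evts = parse_failed_rdp_logons(build_sample_log())
    for label, win, thr in (("5 in 1 min", 60, 5),
                            ("10 in 60 min", 3600, 10),
                            ("2 in 5 min", 300, 2)):
        print(f"{label:>12}: {failed_logons_in_window(evts, win, thr)}")
```

The 60-minute window is the one that matches this attacker's pacing, and it does so without flagging the LAN user; the 1-minute rule misses the attack entirely, and the 5-minute rule catches it only at the cost of a false positive. Real 4625 exports carry more fields (Status/SubStatus codes, workstation name) and the timestamp and field layout will differ from the assumed format, so the parser would need adjusting before use on real data.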
12-24-2013 11:20 AM
Thanks for your answer. That makes sense to me.