cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
462
Views
0
Helpful
1
Replies
Highlighted
Beginner

Stealthwatch - Brute force detection

Hi all,

 

I administrate a Stealthwatch environment. It is composed of a SMC, a FC and a FS. Long ago I discovered a type of Brute force attack. But now it seems that it no longer works. I tried to replicate a brute force attack and changing the thresholds on the policy management so, but with no result

 

Trigger alarm when number of connections greater than: 1

Trigger alarm when average bytes per connection is below: 1 K

 

I open about 100 flows per minute with my brute force script. The strange thing is that Stealthwatch shows under flow search only one flow with the subject port that is the first source port used, the duration is relative to the total duration of the attack. I cannot find the other source ports. (I checked the behaviour with wireshark I see all the source ports). 

Do you have any idea what's wrong with my Stealthwatch?

 

Best regards,

 

 

1 REPLY 1
Highlighted
Enthusiast

How are your sensors seeing the brute force traffic?  Netflow or a span to your FS?  Do you maybe have the 'attacker' in one of your inside host groups and it has normalized the traffic?

Content for Community-Ad
This widget could not be displayed.