Stealthwatch - Brute force detection

N099321628
Level 1

Hi all,

I administer a Stealthwatch environment. It is composed of an SMC, an FC and an FS. Long ago I discovered a type of brute force attack. But now it seems that it no longer works. I tried to replicate a brute force attack and changed the thresholds in policy management, but with no result:

Trigger alarm when number of connections greater than: 1

Trigger alarm when average bytes per connection is below: 1 K

I open about 100 flows per minute with my brute force script. The strange thing is that Stealthwatch shows, under flow search, only one flow, whose subject port is the first source port used; the duration corresponds to the total duration of the attack. I cannot find the other source ports. (I checked the behaviour with Wireshark and I see all the source ports.)

Do you have any idea what's wrong with my Stealthwatch?

Best regards,

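As an added illustration (not code from this post or from Stealthwatch), the two policy thresholds above applied per source host to a constructed set of connections. The hypothetical `keep_src_port` switch models a flow key that does or does not include the source port; when it does not, a whole brute force run collapses into one flow record, which is the symptom described above.

```python
from collections import defaultdict

# Constructed connection log (not real sensor output). Each entry is one TCP
# connection: (src, sport, dst, dport, bytes). 10.0.0.5 makes many tiny
# connections to SSH; the other two hosts behave normally.
CONNECTIONS = [
    ("10.0.0.5", 40001, "10.0.0.20", 22, 300),
    ("10.0.0.5", 40002, "10.0.0.20", 22, 300),
    ("10.0.0.5", 40003, "10.0.0.20", 22, 300),
    ("10.0.0.5", 40004, "10.0.0.20", 22, 300),
    ("10.0.0.5", 40005, "10.0.0.20", 22, 300),
    ("10.0.0.9", 51000, "10.0.0.20", 22, 40000),
    ("10.0.0.9", 51001, "10.0.0.20", 22, 40000),
    ("10.0.0.7", 52000, "10.0.0.20", 443, 50000),
]

def aggregate(connections, keep_src_port):
    """Build flow records keyed on the 4-tuple. With keep_src_port=False
    (hypothetical), connections that differ only in source port collapse
    into one record whose byte count is the sum of all of them."""
    flows = defaultdict(int)
    for src, sport, dst, dport, nbytes in connections:
        key = (src, sport if keep_src_port else None, dst, dport)
        flows[key] += nbytes
    return flows

def brute_force_alarms(flows, max_conns=1, min_avg_bytes=1024):
    """Evaluate the two thresholds from the policy per source host:
    connection count greater than max_conns AND average bytes per
    connection below min_avg_bytes (1 K in the post)."""
    per_src = defaultdict(lambda: [0, 0])          # src -> [connections, bytes]
    for (src, _, _, _), nbytes in flows.items():
        per_src[src][0] += 1
        per_src[src][1] += nbytes
    alarms = {}
    for src, (conns, total) in per_src.items():
        avg = total / conns
        if conns > max_conns and avg < min_avg_bytes:
            alarms[src] = {"connections": conns, "avg_bytes": avg}
    return alarms

if __name__ == "__main__":
    # Per-source-port flows: 10.0.0.5 is flagged (5 connections, 300 B avg).
    print(brute_force_alarms(aggregate(CONNECTIONS, keep_src_port=True)))
    # Collapsed flows: every host shows exactly one connection, so nothing fires.
    print(brute_force_alarms(aggregate(CONNECTIONS, keep_src_port=False)))
```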
1 Reply

rickgardner
Level 4

How are your sensors seeing the brute force traffic? NetFlow or a SPAN to your FS? Do you maybe have the 'attacker' in one of your inside host groups and it has normalized the traffic?