Customize the Action and Trigger Conditions for a Brute Force Signature

The firewall includes two types of predefined brute force signatures: parent signatures and child signatures. A child signature matches a single occurrence of a traffic pattern. A parent signature is associated with a child signature and is triggered when multiple events that match the child signature's traffic pattern occur within a time interval.
A child signature typically has a default action of allow, because a single event is not indicative of an attack. In most cases, the action for a child signature is set to allow so that legitimate traffic is not blocked and threat logs are not generated for non-noteworthy events. Therefore, Palo Alto Networks recommends that you only change the default action after careful consideration.
In most cases, the brute force signature is a noteworthy event because of its recurrent pattern. If you would like to customize the action for a brute-force signature, you can do one of the following:
  • Create a rule to modify the default action for all signatures in the brute force category. You can define the action to allow, alert, block, reset, or drop the traffic.
  • Define an exception for a specific signature. For example, you can search for a CVE and define an exception for it.
    For a parent signature, you can modify both the trigger conditions and the action; for a child signature you can modify the action only.
To effectively mitigate an attack, the block-ip action (which blocks the offending IP address) is recommended over the drop or reset action for most brute force signatures.
  1. Create a new Vulnerability Protection profile.
    1. Select Objects > Security Profiles > Vulnerability Protection.
    2. Click Add and enter a Name for the Vulnerability Protection profile.
  2. Create a rule that defines the action for all signatures in a category.
    1. Select Rules, click Add and enter a Name for the rule.
    2. Set the Action. In this example, it is set to Block IP.
    3. Set Category to brute-force.
    4. (Optional) If blocking, set Host Type to server or client to specify which side of the connection to block; the default is any.
    5. See Step 3 to customize the action for a specific signature.
    6. See Step 4 to customize the trigger threshold for a parent signature.
    7. Click OK to save the rule and the profile.
  3. (Optional) Customize the action for a specific signature.
    1. Select Exceptions and click Show all signatures to find the signature you want to modify.
      To view all the signatures in the brute-force category, search for (category contains 'brute-force').
    2. To edit a specific signature, click the predefined default action in the Action column.
    3. Set the action to allow, alert or block-ip.
    4. If you select block-ip, complete these additional tasks:
      1. Specify the Time period (in seconds) after which to trigger the action.
      2. In the Track By field, define whether to block the IP address by IP source or by IP source and destination.
    5. Click OK.
    6. For each modified signature, select the check box in the Enable column.
    7. Click OK.
  4. Customize the trigger conditions for a parent signature.
    A parent signature that can be edited is marked with an edit icon.
    In this example, the search criteria were the brute force category and CVE-2008-1447.
    1. Click the edit icon to edit the time attribute and the aggregation criteria for the signature.
    2. To modify the trigger threshold, specify the Number of Hits per x seconds.
    3. Specify whether to aggregate the number of hits by source, destination or by source and destination.
    4. Click OK.
  5. Attach this new profile to a security rule.
    1. Select Policies > Security.
    2. Modify an existing security policy rule or Add a new rule.
    3. Select Actions.
    4. In the Profile Setting section, set the Profile Type to Profiles.
    5. Select the newly-created Vulnerability Protection profile.
    6. Click OK to save changes to the security policy rule.
  6. Save your changes.
    1. Click Commit.
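The following is an added illustration, not PAN-OS code, of how a parent signature's trigger threshold (Number of Hits per x seconds, aggregated by source, destination, or source and destination, as in Step 4) relates to the individual child-signature hits described at the top of this page. The firewall's exact windowing and reset behaviour are not documented here; the sliding window below, the sample events and the function names are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed child-signature hits as (timestamp in seconds, source IP,
# destination IP). These are made-up events, not firewall log output.
CHILD_HITS = [
    (0, "10.0.0.5", "192.0.2.10"),
    (2, "10.0.0.5", "192.0.2.10"),
    (4, "10.0.0.5", "192.0.2.11"),
    (5, "10.0.0.7", "192.0.2.10"),
    (6, "10.0.0.5", "192.0.2.10"),
    (70, "10.0.0.5", "192.0.2.10"),  # far outside the first burst's window
]

def aggregation_key(event, aggregate_by):
    """Key under which a parent signature counts child hits, mirroring the
    'source', 'destination' and 'source and destination' choices."""
    _, src, dst = event
    if aggregate_by == "source":
        return (src,)
    if aggregate_by == "destination":
        return (dst,)
    if aggregate_by == "source and destination":
        return (src, dst)
    raise ValueError(f"unknown aggregation: {aggregate_by}")

def parent_triggers(events, hits, seconds, aggregate_by):
    """Simulate a parent signature whose threshold is 'hits' child hits per
    'seconds'. Returns [(trigger_time, key), ...] for each time the count of
    child hits inside a sliding window reaches the threshold. (Assumption:
    PAN-OS's exact windowing is not documented here; this is a plain sliding
    window that resets after firing so one burst triggers once.)"""
    windows = defaultdict(deque)  # key -> timestamps of recent child hits
    triggers = []
    for event in sorted(events):
        ts = event[0]
        key = aggregation_key(event, aggregate_by)
        window = windows[key]
        window.append(ts)
        while window and ts - window[0] > seconds:  # expire old hits
            window.popleft()
        if len(window) >= hits:
            triggers.append((ts, key))
            window.clear()
    return triggers

if __name__ == "__main__":
    for mode in ("source", "destination", "source and destination"):
        print(mode, parent_triggers(CHILD_HITS, 3, 10, mode))
```

Running it with a threshold of 3 hits per 10 seconds shows that the same six child hits fire the parent at a different time, or not at all, depending on which aggregation you choose, which is why the choice in Step 4 matters when a brute force attempt is spread across several sources or targets.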
