Customize the Action and Trigger Conditions for a Brute Force
The firewall includes two types of predefined brute force signatures: parent signatures and child signatures. A child signature matches a single occurrence of a traffic pattern (for example, one failed login). A parent signature is associated with a child signature and triggers only when multiple events matching the child's traffic pattern occur within a time interval.
Typically, the default action for a child signature is allow, because a single event is not indicative of an attack: legitimate traffic is not blocked and no threat log is generated for non-noteworthy events. Palo Alto Networks therefore recommends that you change this default only after careful consideration.
A brute force (parent) signature match, by contrast, is usually a noteworthy event because of its recurrent pattern. To customize the action for a brute-force signature, do one of the following:
- Create a rule that modifies the default action for all signatures in the brute-force category. The action can be allow, alert, block, reset, or drop.
- Define an exception for a specific signature. For example, you can search for a CVE and define an exception for it. For a parent signature, you can modify both the trigger conditions and the action; for a child signature, you can modify the action only.
To effectively mitigate an attack, the block-ip action is recommended over the drop or reset action for most brute force signatures: drop and reset act only on the session that matched, whereas block-ip also blocks subsequent traffic from the offending source (or source and destination pair) for the configured time.
1. Create a new Vulnerability Protection profile.
   - Select Objects > Security Profiles > Vulnerability Protection.
   - Click Add and enter a Name for the Vulnerability Protection profile.
2. Create a rule that defines the action for all signatures in a category.
   - Select Rules, click Add and enter a Name for the rule.
   - Set the Category to brute-force so that the rule applies only to signatures in that category.
   - Set the Action. In this example, it is set to Block IP.
   - (Optional) If blocking, specify the Host Type to block: server or client. The default is any.
   - To customize the action for a specific signature, see Step 3. To customize the trigger threshold for a parent signature, see Step 4.
   - Click OK to save the rule and the profile.
3. (Optional) Customize the action for a specific signature.
   - Select Exceptions and click Show all signatures to find the signature you want to modify. To list every signature in the brute-force category, search for (category contains 'brute-force').
   - To edit a specific signature, click the predefined default action in the Action column.
   - Set the action to allow, alert or block-ip.
   - If you select block-ip, complete these additional tasks:
     - Specify the Time period (in seconds) after which to trigger the action.
     - In the Track By field, define whether to block the IP address by IP source or by IP source and destination.
   - For each modified signature, select the check box in the Enable column. An exception that is not enabled has no effect.
4. Customize the trigger conditions for a parent signature. A parent signature that can be edited is marked with an edit icon. In this example, the search criteria were the brute-force category and CVE-2008-1447.
   - Click the edit icon to edit the time attribute and the aggregation criteria for the signature.
   - To modify the trigger threshold, specify the Number of Hits per x seconds.
   - Specify whether to aggregate the number of hits by source, destination, or source and destination.
5. Attach the new profile to a security policy rule.
   - Modify an existing security policy rule or Add a new rule.
   - In the Profile Setting section, set the Profile Type to Profiles.
   - Select the newly created Vulnerability Protection profile.
   - Click OK to save the changes to the security policy rule.
6. Commit your changes. Until the commit completes, the running configuration still uses the previous profile.
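To make the parent/child semantics described at the top of this page and the threshold fields in Step 4 concrete, the following is an added illustration written for this page in Python. It is not Palo Alto Networks code and does not talk to a firewall: it replays constructed child-signature matches through a sliding-window counter that has the same knobs the UI exposes (Number of Hits per x seconds; aggregation by source, destination or source and destination; a block-ip action with Track By and a block duration). The event tuples, the ParentSignature class and its field names, the verdict strings and the 300-second block duration are all assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

AGGREGATION_MODES = ("source", "destination", "source-and-destination")


@dataclass
class ParentSignature:
    """Threshold ('Number of Hits per x seconds') over child-signature matches.

    Field names are assumptions for this example, chosen to mirror the
    PAN-OS UI labels described on this page; this is not firewall code.
    """
    hits: int                       # Number of Hits needed to fire the parent
    interval: int                   # ... per x seconds
    aggregate_by: str               # how hits are counted (see AGGREGATION_MODES)
    action: str = "block-ip"        # allow, alert or block-ip
    track_by: str = "source"        # block-ip Track By: source or source-and-destination
    duration: int = 300             # assumed: seconds a block-ip entry stays active
    _windows: dict = field(default_factory=lambda: defaultdict(deque), repr=False)
    _blocked: dict = field(default_factory=dict, repr=False)  # key -> expiry time

    def __post_init__(self):
        if self.aggregate_by not in AGGREGATION_MODES or self.track_by not in AGGREGATION_MODES:
            raise ValueError("unknown aggregation or track-by mode")

    @staticmethod
    def _key(mode, src, dst):
        """Counting or blocking key for one event under the given mode."""
        return {"source": (src,), "destination": (dst,),
                "source-and-destination": (src, dst)}[mode]

    def is_blocked(self, t, src, dst):
        """True while an unexpired block-ip entry covers this traffic."""
        expiry = self._blocked.get(self._key(self.track_by, src, dst))
        return expiry is not None and t < expiry

    def observe(self, t, src, dst):
        """Feed one child-signature match at time t (seconds); return the verdict."""
        if self.is_blocked(t, src, dst):
            return "dropped-by-block-ip"              # never reaches inspection
        win = self._windows[self._key(self.aggregate_by, src, dst)]
        win.append(t)
        while win and t - win[0] >= self.interval:    # drop hits outside the window
            win.popleft()
        if len(win) < self.hits:
            return "allow"                            # a lone event: child default action
        win.clear()                                   # parent fired; count afresh
        if self.action == "block-ip":
            self._blocked[self._key(self.track_by, src, dst)] = t + self.duration
        return self.action


def replay(events, sig):
    """Run constructed (time, src, dst) child matches through a parent signature."""
    return [sig.observe(t, src, dst) for t, src, dst in events]


# Constructed sample events (not real logs): one client retrying against one server.
SINGLE_SOURCE = [
    (0, "10.0.0.5", "192.0.2.10"), (1, "10.0.0.5", "192.0.2.10"),
    (2, "10.0.0.5", "192.0.2.10"), (3, "10.0.0.5", "192.0.2.10"),
    (4, "10.0.0.5", "192.0.2.10"),    # arrives while the block-ip entry is active
    (5, "10.0.0.7", "192.0.2.10"),    # different client, unaffected
    (400, "10.0.0.5", "192.0.2.10"),  # block expired (3 + 300 s); counting restarts
]

# Constructed sample: four clients, one attempt each, against the same server.
DISTRIBUTED = [
    (0, "10.0.0.1", "192.0.2.10"), (1, "10.0.0.2", "192.0.2.10"),
    (2, "10.0.0.3", "192.0.2.10"), (3, "10.0.0.4", "192.0.2.10"),
    (4, "10.0.0.4", "192.0.2.10"),    # the source that tripped the threshold retries
    (5, "10.0.0.1", "192.0.2.10"),    # an earlier source retries
]


def demo():
    """Same threshold (4 hits per 60 s); only the aggregation key differs."""
    single = replay(SINGLE_SOURCE, ParentSignature(4, 60, "source"))
    spray_by_src = replay(DISTRIBUTED, ParentSignature(4, 60, "source"))
    spray_by_dst = replay(DISTRIBUTED, ParentSignature(4, 60, "destination"))
    return single, spray_by_src, spray_by_dst


if __name__ == "__main__":
    labels = ("single source", "spray by source", "spray by destination")
    for label, verdicts in zip(labels, demo()):
        print(f"{label}: {verdicts}")
```

The two replays of the distributed sample show why the aggregation choice in Step 4 matters: with hits counted per source, four clients making one attempt each never cross the threshold, while counting per destination fires on the fourth attempt. Note the trade-off that follows: a destination-aggregated threshold with block-ip tracked by source only blocks the client that happened to cross the line, and it can also be tripped by a legitimate burst of many clients against one server, which is the kind of side effect behind the page's advice to change defaults only after careful consideration.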