Repeated failed logins or possible denial of service attack

The Security Incidents: repeated failed logins or possible denial of service attack template looks for repeated failed logins or possible denial of service attacks for both database and administrative users.
Many rules include the MARK SESSION action, which sets the trust for this session to LOW and
generates an exception in the Security Incidents report.
Note: The security incident policies analyze authentication methods, but do not log or analyze passwords.
The Security Incidents: repeated failed logins or possible denial of service attack template contains the following rules:
- Populate analyzed client IP if both client IP and analyzed client IP are empty
  - This rule uses a TRANSFORM action to move the IP address from HOST NAME to ANALYZED_CLIENT_IP.
- Populate analyzed client IP if both client IP and analyzed client IP are empty and session identified as local
  - This rule uses a TRANSFORM action to move the IP address from SERVER IP to ANALYZED_CLIENT_IP.
- Repeated failed login per Actual client IP and user (5 in 3 minutes)
  - This rule generates a security incident when the same user fails to log in five times within three minutes from the same client IP.
- Possible denial of service attack (20 in 1 minute)
  - Twenty failed logins within one minute from a single client machine shared by multiple users can indicate a denial of service (DoS) attack; this rule generates a security incident.
- Possible admin user denial of service attack (20 in 1 minute)
  - Twenty failed administrative-user logins within one minute from a single client machine shared by multiple users can indicate a denial of service (DoS) attack; this rule generates a security incident.