elias_manchon
New Member
January 30, 2020
Question

Customizing MS.SQL.Login.Brute.Force


Hello,

 

I want to customize the MS.SQL.Login.Brute.Force signature to adjust the frequency. The standard signature fires when there are 5 MS SQL login failures within a short period of time (1 second) between a unique pair of hosts. I know that I have to create a custom signature, but I don't know how I have to find the pattern...

 

I have started with this rule...

 

F-SBID( --attack_id 7171; --name "My.MS.SQL.Login.Brute.Force"; --protocol TCP; --dst_port 1433; --flow from_client; --rate 5,1800; --track SRC_IP ; )

 

Can somebody help me, please?

 

Thanks

    1 reply

    Hosemacht
    Explorer
    January 31, 2020

    Hello,

     

    Try the Rate Based Signature feature "MySQL.Login.Brute.Force"; there you can set the threshold and duration.

     

    Regards
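
To see what moving from 5 failures in 1 second per host pair to `--rate 5,1800` with `--track SRC_IP` changes in detection coverage, the following added example (not part of either post, and not Fortinet code) models the threshold as a simple sliding window over constructed login-failure events. The function name, the "pair" tracking label and the sample IPs are assumptions, and the IPS engine's real counting may differ.

```python
from collections import defaultdict, deque

def rate_alerts(events, count, duration, track="src"):
    """Return (timestamp, key) for each event that brings the number of
    failures seen for its key within the last `duration` seconds to `count`.

    events: iterable of (timestamp_seconds, src_ip, dst_ip), sorted by time.
    track:  "src" groups by source IP (as --track SRC_IP does in the post);
            "pair" groups by (src, dst), like the stock signature's host pair.
    """
    windows = defaultdict(deque)
    alerts = []
    for ts, src, dst in events:
        key = src if track == "src" else (src, dst)
        win = windows[key]
        win.append(ts)
        # Drop failures that have fallen out of the time window.
        while win and ts - win[0] >= duration:
            win.popleft()
        if len(win) >= count:
            alerts.append((ts, key))
            win.clear()  # start counting afresh after an alert
    return alerts

# Constructed sample data: failed MS SQL logins (TCP/1433).
FAST = [(i * 0.1, "10.0.0.5", "10.0.1.10") for i in range(5)]        # 5 in < 1 s
SLOW = [(100 + i * 60, "10.0.0.9", "10.0.1.10") for i in range(5)]   # one per minute
SPRAY = [(1000 + i * 60, "10.0.0.7", f"10.0.1.{20 + i}") for i in range(5)]  # 5 servers
EVENTS = sorted(FAST + SLOW + SPRAY)

def summary():
    """Alerts produced by the stock-like threshold and the two custom variants."""
    return {
        "5 in 1 s, per host pair": rate_alerts(EVENTS, 5, 1, "pair"),
        "5 in 1800 s, per source": rate_alerts(EVENTS, 5, 1800, "src"),
        "5 in 1800 s, per host pair": rate_alerts(EVENTS, 5, 1800, "pair"),
    }

if __name__ == "__main__":
    for name, hits in summary().items():
        print(name, "->", hits)
```

In this model the one-per-minute source is only flagged with the 1800-second window, and the source that fails against five different servers is only flagged when failures are counted per source rather than per host pair.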