Dave
Participant

Detected brute force scanning of cifs ports


IPS got triggered a dozen times for this protection and I think I know what's behind it, although I'm not sure how to resolve this.

I believe this may be due to one or more hosts starting multiple sessions to copy/write on the SAN, which has many different nodes that are written to concurrently.

The screenshot shows the different nodes being written to. I left the last octet of the nodes visible for you to see.

I could make an IPS exception for that specific source, which then ignores this IPS signature, but I'm afraid I would miss the moment a potential real brute force scan is being executed.

How do I resolve this issue in the best way possible?

 

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Champion

The Confidence of that signature is Low, which should tell you all you need to know.  My guess is that your server is using at least SMB 3.0 which introduced MultiChannel that allows multiple connections for a single SMB session.  This probably appears as a set of rapid-fire connections that look similar to a port scan.

There don't seem to be any tunable parameters for this signature as far as sensitivity, so your best bet is to create an exception in Inactive mode straight from the log card, and make it as specific as possible.

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
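
An added example, not part of the original thread and not Check Point tooling: before scoping the exception to one source, a check like this confirms that every CIFS destination the source touched is a SAN node, so an exception limited to that source and those destinations does not also cover connections to other hosts on port 445. The log format, the addresses and the SAN subnet are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines: "src dst dport" (not a Check Point log export format).
SAMPLE = """\
10.1.1.20 10.2.0.11 445
10.1.1.20 10.2.0.12 445
10.1.1.20 10.2.0.13 445
10.1.1.20 10.2.0.11 445
10.1.1.20 10.2.0.14 445
10.1.1.77 10.2.0.11 445
10.1.1.77 10.3.5.8 445
10.1.1.77 10.3.5.9 445
10.1.1.77 10.4.1.2 445
10.1.1.77 10.4.1.2 80
"""

# Assumption: all SAN nodes live in one known subnet.
SAN_NODES = ipaddress.ip_network("10.2.0.0/24")


def triage(text, san=SAN_NODES, port=445):
    """Per source, split CIFS destinations into SAN nodes and everything else."""
    inside, outside = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        src, dst, dport = line.split()
        if int(dport) != port:
            continue  # only the CIFS port matters for this signature
        bucket = inside if ipaddress.ip_address(dst) in san else outside
        bucket[src].add(dst)
    report = {}
    for src in set(inside) | set(outside):
        report[src] = {
            "san_targets": sorted(inside[src]),
            "other_targets": sorted(outside[src]),
            # Safe to except only if every CIFS target is a SAN node.
            "exception_candidate": bool(inside[src]) and not outside[src],
        }
    return report


if __name__ == "__main__":
    for src, result in sorted(triage(SAMPLE).items()):
        print(src, result)
```

A source that shows any `other_targets` should keep triggering the protection rather than be excepted.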


2 Replies
Dave
Participant

Thanks for your insights.

As a result, I created a very specific exception for this, which resolved the false positive.

0 Kudos