Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Dave
Contributor
Jump to solution

Detected brute force scanning of cifs ports

IPS got triggered a dozen times for this protection and i think to know what's behind it, although i'm not sure how to resolve this.

I might believe this is due to a host(s) that starts multiple sessions to copy/write on the SAN, which has many different nodes that is written to, concurrently.

The screenshot shows the different nodes being written to. I left the last octet of the noes visible for you to see.

I could make an IPS exception for the that specific source, which than ignores this IPS signature but i'm afraid i would miss the moment a potential real brute force scan is being executed.

How to resolve this issue in the best way possible?

 

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend

The Confidence of that signature is Low, which should tell you all you need to know.  My guess is that your server is using at least SMB 3.0 which introduced MultiChannel that allows multiple connections for a single SMB session.  This probably appears as a set of rapid-fire connections that look similar to a port scan.

There don't seem to be any tunable parameters for this signature as far as sensitivity, so your best bet is to create an exception in Inactive mode straight from the log card, and make it as specific as possible.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

2 Replies
Timothy_Hall
Legend Legend
Legend

The Confidence of that signature is Low, which should tell you all you need to know.  My guess is that your server is using at least SMB 3.0 which introduced MultiChannel that allows multiple connections for a single SMB session.  This probably appears as a set of rapid-fire connections that look similar to a port scan.

There don't seem to be any tunable parameters for this signature as far as sensitivity, so your best bet is to create an exception in Inactive mode straight from the log card, and make it as specific as possible.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Dave
Contributor

Thanks for your insights.

As a result, i created a very specific exception for this, which resolved the false positive.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events