Customize the Action and Trigger Conditions for a Brute Force Signature
The firewall includes two types of predefined brute force signatures—parent signature and child signature. A child signature is a single occurrence of a traffic pattern that matches the signature. A parent signature is associated with a child signature and is triggered when multiple events occur within a time interval and match the traffic pattern defined in the child signature.
Typically, a child signature is of default action allow because a single event is not indicative of an attack. In most cases, the action for a child signature is set to allow so that legitimate traffic is not blocked and threat logs are not generated for non-noteworthy events. Therefore, Palo Alto Networks recommends that you only change the default action after careful consideration.
In most cases, the brute force signature is a noteworthy event because of its recurrent pattern. If you would like to customize the action for a brute-force signature, you can do one of the following:
Create a rule to modify the default action for all signatures in the brute force category. You can define the action to allow, alert, block, reset, or drop the traffic. Define an exception for a specific signature. For example, you can search for a CVE and define an exception for it.
For a parent signature, you can modify both the trigger conditions and the action; for a child signature you can modify the action only.
To effectively mitigate an attack, the block-ip address action is recommended over the drop or reset action for most brute force signatures.
Customize the Threshold and Action for a Signature
Create a new Vulnerability Protection profile. Select Objects > Security Profiles > Vulnerability Protection. Click Add and enter a Name for the Vulnerability Protection profile.
Create a rule that defines the action for all signatures in a category. Select Rules, click Add and enter a Name for the rule. Set the Action. In this example, it is set to Block IP. Set Category to brute-force. (Optional) If blocking, specify whether to block based on Host Type server or client, the default is any. See Step 3 to customize the action for a specific signature. See Step 4 to customize the trigger threshold for a parent signature.
Click OK to save the rule and the profile.
(Optiona l) Customize the action for a specific signature. Select Exceptions and click Show all signatures to find the signature you want to modify. To view all the signatures in the brute-force category, search for (category contains 'brute-force'). To edit a specific signature, click the predefined default action in the Action column.
Set the action to allow, alert or block-ip. If you select block-ip, complete these additional tasks: Specify the Time period (in seconds) after which to trigger the action. In the Track By field, define whether to block the IP address by IP source or by IP source and destination. Click OK. For each modified signature, select the check box in the Enable column. Click OK.
Customize the trigger conditions for a parent signature. A parent signature that can be edited is marked with this icon: . In this example, the search criteria was brute force category and CVE-2008-1447. Click to edit the time attribute and the aggregation criteria for the signature. To modify the trigger threshold specify the Number of Hits per x seconds. Specify whether to aggregate the number of hits by source, destination or by source and destination. Click OK.
Attach this new profile to a security rule. Select Security > Policies. Modify an existing security policy rule or Add a new rule. Select Actions. In the Profile Setting section, set the Profile Type to Profiles. Select the newly-created Vulnerability Protection profile. Click OK to save changes to the security policy rule.
Save your changes. Click Commit.

Related Documentation