ftp attack not detected
I had 600,000 login attempts on my FTP server over a 16 hour period from the same IP address, approximately 9 login attempts a second. Attack blocker didn't report anything. During that same time there was one IP address assigned a reputation value of 61.6 that sent 33 emails over a 2 minute span. Is something Attack Blocker should catch?
Did you have SID 491 (FTP Bad Login, category "info") set to block in Intrusion Prevention, or any of the FTP category blocks? As far as Attack Blocker, if it got a reputation, it did catch the emailer and probably slowed them down...look at the other columns in that event. If they were going out to a port 25, I would have had that blocked in the first place. Emails wouldn't have been sent and you would have had a log of were it came from. Attack Blocker already told you that though with the entry you mentioned.
Posting Permissions
LinkBack URL
About LinkBacks