[ES] Explanation of why the source IP of a brute force attack is displayed as an anonymous IP
Problem Description
ES raises a brute force attack alert, but the source IP is shown as anonymous, so the actual source cannot be traced.
Alarm Information

Solution
Version 3.2.21 changed the brute force display mechanism. ES brute force detection is based on Windows system security logs and Linux login logs: it analyzes the login records and compares them against threshold values to determine whether a brute force attack is taking place. Starting from version 3.2.21, logs that carry no source IP are still analyzed; they are displayed as an anonymous IP in the brute force records, and the source is shown as 0.0.0.0 in the details.
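As an added illustration (not ES's own code), the threshold logic the page describes, in Python, over constructed Linux auth log lines and Windows 4625 logon-failure records: failures are counted per source, and records that carry no source IP (an empty rhost= on a console login, IpAddress "-" in Windows) are grouped under 0.0.0.0 and reported as "anonymous". The threshold value, the log fields and the record layout are assumptions; the actual ES rules are not on the page.

```python
import re
from collections import Counter
ANONYMOUS = "0.0.0.0"  # placeholder the page says ES shows when a log has no source IP
THRESHOLD = 4          # assumed threshold; the actual ES threshold is not stated on the page

# Constructed Linux auth log: sshd failures with a source IP, one successful login,
# and console (tty) PAM failures whose rhost= is empty because there was no remote peer.
LINUX_AUTH_LOG = """\
Mar  3 10:01:02 srv sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:05 srv sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:30 srv sshd[1205]: Accepted password for ops from 198.51.100.9 port 50010 ssh2
Mar  3 10:02:00 srv login[900]: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty=tty1 ruser= rhost=  user=root
Mar  3 10:02:04 srv login[900]: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty=tty1 ruser= rhost=  user=root
"""
# Constructed Windows 4625 (logon failure) records reduced to the fields used here;
# IpAddress is "-" when Windows records no network source (e.g. logon type 2, console).
WINDOWS_4625 = [
    {"EventID": 4625, "LogonType": 3, "IpAddress": "203.0.113.7", "TargetUserName": "Administrator"},
    {"EventID": 4625, "LogonType": 3, "IpAddress": "203.0.113.7", "TargetUserName": "Administrator"},
    {"EventID": 4625, "LogonType": 2, "IpAddress": "-", "TargetUserName": "Administrator"},
    {"EventID": 4625, "LogonType": 2, "IpAddress": "-", "TargetUserName": "Administrator"},
]
SSHD_FAIL = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port")
PAM_FAIL = re.compile(r"authentication failure;.*rhost=(\S*)")
def linux_failure_source(line):
    """(True, ip or None) for a failed login line, (False, None) for anything else."""
    m = SSHD_FAIL.search(line) or PAM_FAIL.search(line)
    return (True, m.group(1) or None) if m else (False, None)

def windows_failure_source(event):
    """Same contract for a 4625 record; '-' means Windows logged no source address."""
    if event.get("EventID") != 4625:
        return False, None
    ip = event.get("IpAddress")
    return True, (None if ip in (None, "", "-") else ip)

def count_failures(linux_log, windows_events):
    """Failed logins per source; records without a source IP share the 0.0.0.0 bucket."""
    counts = Counter()
    results = [linux_failure_source(l) for l in linux_log.splitlines()]
    results += [windows_failure_source(e) for e in windows_events]
    for failed, ip in results:
        if failed:
            counts[ip or ANONYMOUS] += 1
    return counts

def brute_force_records(counts, threshold=THRESHOLD):
    """Sources at or above the threshold, labelled the way the page describes them."""
    return [{"source": "anonymous" if ip == ANONYMOUS else ip, "detail_source": ip, "failures": n}
            for ip, n in sorted(counts.items()) if n >= threshold]
```

Because an anonymous record groups every failure that had no source address, tracing it means going back to the underlying events (logon type, tty, target account) rather than looking for a network peer.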
Original Link
https://support.sangfor.com.cn/cases/list?product_id=16&type=1&category_id=2661&isOpen=true