Common Block Reasons and Solutions
| Block Reason | Explanation | Possible Solution |
|---|---|---|
| SCAN: TCP Port Scan(8001) | The compromised computer or the attacker scans many TCP ports on a single target computer to determine which ports are open. This is called a reconnaissance attack. | The computer might be infected with malware or compromised by an attacker. It should be scanned with an anti-malware solution and possibly re-imaged. |
| SCAN: Host Sweep(8002) | The compromised computer or the attacker scans a range of IP addresses in a short period of time to identify live hosts. | The computer might be infected with malware or compromised by an attacker. It should be scanned with an anti-malware solution and possibly re-imaged. |
| SCAN: UDP Port Scan(8003) | The compromised computer or the attacker scans many UDP ports on a single target computer to determine which ports are open. This is called a reconnaissance attack. | The computer might be infected with malware or compromised by an attacker. It should be scanned with an anti-malware solution and possibly re-imaged. |
| WordPress Login Brute Force Attempt(40044) | This event indicates that someone is using a brute force attack to gain access to WordPress wp-login.php. The brute force signature looks for (by default) 10 or more triggers of child signature TID 37480 in 60 seconds. The child signature looks for access attempts to wp-login.php. | The computer might be compromised by an attacker or infected with malware. It should be scanned with an anti-malware solution and possibly re-imaged. |
| SSH2 Login Attempt(31914) | This signature indicates that a computer or a person is making many SSH2 login attempts in a short period of time, targeting a wide range of IP addresses. | The computer might be compromised by an attacker or infected with malware. It should be scanned with an anti-malware solution and possibly re-imaged. This signature sometimes produces a false positive, for example when the computer legitimately needs to access many IP addresses periodically over SSH. |
| SSH User Authentication Brute Force Attempt(40015) | If a session with the same source and destination triggers SSH2 Login Attempt(31914) 20 times in 60 seconds, it is classified as a brute force attack. SSH2 Login Attempt(31914) alerts on every connection to an SSH server. | The computer might be compromised by an attacker or infected with malware. It should be scanned with an anti-malware solution and possibly re-imaged. This signature sometimes produces a false positive, for example when the computer legitimately needs to access many IP addresses periodically over SSH. |
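The two brute force rows above are threshold rules over a child signature: 10 hits of TID 37480 in 60 seconds for 40044, and 20 hits of TID 31914 in 60 seconds for the same source and destination for 40015. The following added example (not from the original page or the vendor's product) re-implements that sliding-window correlation over constructed sample events; keying both rules on the (source, destination) pair and resetting the counter once a parent alert fires are assumptions, and the IP addresses are constructed documentation ranges.

```python
from collections import defaultdict, deque

# Parent signature rules as stated on the page: (child TID, hits, window in seconds)
BRUTE_FORCE_RULES = {
    "WordPress Login Brute Force Attempt(40044)": (37480, 10, 60),
    "SSH User Authentication Brute Force Attempt(40015)": (31914, 20, 60),
}


def correlate_brute_force(events, rules=BRUTE_FORCE_RULES):
    """Sliding-window correlation of child-signature hits into parent alerts.

    events: iterable of (epoch_seconds, src_ip, dst_ip, child_tid), time-ordered.
    Returns a list of (epoch_seconds, src_ip, dst_ip, parent_name).
    """
    windows = defaultdict(deque)  # one window per (rule, src, dst) -- assumption
    alerts = []
    for ts, src, dst, tid in events:
        for name, (child_tid, threshold, window) in rules.items():
            if tid != child_tid:
                continue
            hits = windows[(name, src, dst)]
            hits.append(ts)
            # Drop hits that fell out of the trailing window.
            while hits and ts - hits[0] >= window:
                hits.popleft()
            if len(hits) >= threshold:
                alerts.append((ts, src, dst, name))
                hits.clear()  # assumption: start counting afresh after the parent alert
    return alerts


def sample_events():
    """Constructed sample events (not real traffic) covering hit and miss cases."""
    events = []
    # 12 wp-login.php hits (TID 37480) from one source in 22 s: fires 40044 on the 10th hit
    events += [(1000 + 2 * i, "198.51.100.7", "203.0.113.10", 37480) for i in range(12)]
    # 5 hits from another source to the same server: below the threshold of 10
    events += [(1000 + 5 * i, "198.51.100.8", "203.0.113.10", 37480) for i in range(5)]
    # 20 SSH2 login attempts (TID 31914) spread over ~3 minutes: never 20 in any 60 s window
    events += [(2000 + 9 * i, "198.51.100.9", "203.0.113.22", 31914) for i in range(20)]
    # 20 SSH2 login attempts within 38 s to a second host: fires 40015 on the 20th hit
    events += [(3000 + 2 * i, "198.51.100.9", "203.0.113.23", 31914) for i in range(20)]
    events.sort()  # the correlator expects time order
    return events


if __name__ == "__main__":
    for alert in correlate_brute_force(sample_events()):
        print(alert)
```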