Hi all,
I did some extensive testing and I think there was some misconception on my part.
There are two types of Brute Force detection within ASM. One would be the session based detection where just the failed logon attempts from a single IP/session are counted within a certain time frame. This the one I provoked in my earlier tests and such attempts are logged with violations mentioned above in the request log.
But those session-based violations do not appear in the Brute Force logs or reports.
Then there is the dynamic Brute Force detection that's focuses not on a single client or session but monitors the logon events for the destination / login page.
So after some tampering with the detection parameters I was able to provoke such dynamic Brute Force attempts as well. And for those it seems to be the other way around. Those detected dynamic events show up in the Brute Force logs and reports, complete with a start and end time of the attack. But they are not logged in the request log and don't have a violation assigned.
So it seems like you would have to run two different reports for a complete Brute Force overview
1) for session-based one could use the application traffic overview under
Security>>Overview:Application:Traffic
and filter for Brute Force violation or attack. This will not contain any of the dynamice stuff, just the attempts that triggered a violation.
2) for dynamic Brute Force attempts use
Security>>Event Logs:Application:Brute Force Attacks or
Security>>Reporting:Application:Brute Force Attacks
I'm still not a hundred percent sure whether this is the expected behavior because the manual says
"...
Before you can look at the brute force attack statistics, you need to have configured session-based or dynamic brute force protection.
..."
And it obviously doesn't do anything for session-based detection.
It would still be nice to get a definitive answer on this. But that's how it looks for me at the moment.
Kind Regards,
gha
Nimbostratus
