PASSED | security / brute_force | SSH Brute Force Attack from Single IP
A single IP address is attempting SSH brute force login with 500+ attempts per minute. fail2ban is not installed. Root login is permitted.
Pattern: SERVER_ERROR (Expected: BRUTE_FORCE_ATTACK)
| Metric | Expected | Actual | Result |
|---|---|---|---|
| Pattern Recognition | BRUTE_FORCE_ATTACK | SERVER_ERROR | |
| Severity Assessment | CRITICAL | HIGH | |
| Incident Correlation | N/A | None | |
| Cascade Escalation | N/A | No | |
| Remediation | — | Auto-Heal — Corax resolves autonomously | |
Scenario Conditions
Ubuntu 22.04. SSH on port 22. fail2ban not installed. PermitRootLogin yes. Source IP: 185.220.101.34. 500 attempts/min. auth.log growing rapidly.
Injected Error Messages (1)
SSH brute force attack — 500 failed login attempts per minute from 185.220.101.34, attempting root/admin/user accounts, auth.log growing 100MB/hour, fail2ban not installed, PermitRootLogin yes
Neural Engine Root Cause Analysis
Server error detected — the application is returning 5xx errors, indicating a crash, unhandled exception, or backend failure.
Remediation Plan
Check application logs for unhandled exceptions. Restart the service if crashing. Review recent deployments for regressions.
Improvements Applied
- Pattern classified as SERVER_ERROR (expected BRUTE_FORCE_ATTACK)
- Severity: HIGH (expected CRITICAL)
Tested: 2026-04-02 | Monitors: 1 | Incidents: 1 | Test ID: cmnhnoo5z0011lig7a36bob5b