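# Brute force password crackers
#
# SEC ruleset for prelude-correlator (ptype=IDMEF). Failed login /
# authentication alerts are counted per (source address, target address)
# pair and per target user name; once the count passes the rule's thresh
# inside a 600 second window a single "Brute force attack" correlation
# alert is emitted from the accumulated events and the counter is dropped.
#
# All contexts in this ruleset should be prefixed with BRUTE_
#
# Context names are built straight from the captured address / user name,
# so the address and user captures use (.+) rather than (.*): an event whose
# address or user name is absent would otherwise be filed under a degenerate
# shared context (e.g. BRUTE_USER_) and unrelated events would be pooled
# toward the threshold.

# Suppress info and low events
#
# NOTE(review): this rule runs before the counting rules below, so a failed
# login alert that a sensor tags as info or low never reaches them. Confirm
# the severity your sensors assign to authentication failures before relying
# on this ruleset for brute force detection.
type=Suppress
ptype=IDMEF
pattern=assessment.impact.severity: (info|low)

# Detect brute force attempt by address (1 of 2)
# This rule looks for all classifications that match login or authentication
# attempts, and creates a record of their idents, then resets the ident timer
# to 600 seconds.
#
# Captures: $1 source address, $2 target address, $3 messageid,
# $4 analyzer(-1).analyzerid, $5 analyzer(-2).analyzerid (negative indexes
# count from the end of the analyzer list; $5 may be empty).
# %analyzerid is $4 when it is non-empty, otherwise $5, and is recorded as
# the analyzerid of the alertident reference in the correlation alert.
type=Single
ptype=IDMEF
pattern=classification.text: [Ll]ogin|[Aa]uthentication; \
assessment.impact.completion: failed; \
source(0).node.address(0).address: (.+); \
target(0).node.address(0).address: (.+); \
messageid: (.+); \
analyzer(-1).analyzerid: (.*); \
analyzer(-2).analyzerid: (.*);
continue=TakeNext
desc=correlation_alert.alertident(>>).alertident=$3; \
correlation_alert.alertident(-1).analyzerid=%analyzerid;
action=eval %analyzerid ("$4" || "$5"); \
add BRUTE_SOURCE_TARGET_$1_$2 %s; \
set BRUTE_SOURCE_TARGET_$1_$2 600

# Detect brute force attempt by address (2 of 2)
# This rule looks for all classifications that match login or authentication
# attempts, and detects when they exceed a certain threshold. It then uses
# the ident context above to create an alert.
#
# Only evaluated while the BRUTE_SOURCE_TARGET_$1_$2 context created by the
# rule above exists. On the thresh-th matching event within window seconds
# the event is added to the context, the context content is copied into
# %CONTENT and sent as the correlation alert described in desc, and the
# context is deleted so the next burst starts a fresh count.
type=SingleWithThreshold
ptype=IDMEF
pattern=classification.text: [Ll]ogin|[Aa]uthentication; \
assessment.impact.completion: failed; \
source(0).node.address(0).address: (.+); \
target(0).node.address(0).address: (.+);
continue=TakeNext
context=BRUTE_SOURCE_TARGET_$1_$2
desc=classification.text=Brute force attack; \
assessment.impact.severity=high; \
assessment.impact.description=Multiple failed attempts have been made to login to a user account; \
correlation_alert.name=Multiple failed login; \
additional_data(>>).data = ignore_atomic_event;
action=add BRUTE_SOURCE_TARGET_$1_$2 %s; \
copy BRUTE_SOURCE_TARGET_$1_$2 %CONTENT; \
prelude %CONTENT; \
delete BRUTE_SOURCE_TARGET_$1_$2
# failed attempts per source/target pair before an alert is raised
thresh=10
# seconds
window=600

# Detect brute force attempt by user (1 of 2)
# This rule looks for all classifications that match login or authentication
# attempts, and creates a record of their idents, then resets the ident timer
# to 600 seconds.
#
# Captures: $1 target user name, $2 messageid, $3 analyzer(-1).analyzerid,
# $4 analyzer(-2).analyzerid ($4 may be empty).
# %analyzerid is derived exactly as in the by-address rule (last analyzerid,
# falling back to the one before it) instead of concatenating $3 and $4,
# which would produce an id that matches neither analyzer when both are set.
type=Single
ptype=IDMEF
pattern=classification.text: [Ll]ogin|[Aa]uthentication; \
assessment.impact.completion: failed; \
target(0).user.user_id(0).name: (.+); \
messageid: (.+); \
analyzer(-1).analyzerid: (.*); \
analyzer(-2).analyzerid: (.*);
continue=TakeNext
desc=correlation_alert.alertident(>>).alertident=$2; \
correlation_alert.alertident(-1).analyzerid=%analyzerid;
action=eval %analyzerid ("$3" || "$4"); \
add BRUTE_USER_$1 %s; \
set BRUTE_USER_$1 600

# Detect brute force attempt by user (2 of 2)
# This rule looks for all classifications that match login or authentication
# attempts, and detects when they exceed a certain threshold. It then uses
# the ident context above to create an alert.
#
# Same mechanics as the by-address threshold rule, keyed on BRUTE_USER_$1.
# The user threshold is higher than the address one because a single account
# may legitimately see failures from many sources.
type=SingleWithThreshold
ptype=IDMEF
pattern=classification.text: [Ll]ogin|[Aa]uthentication; \
assessment.impact.completion: failed; \
target(0).user.user_id(0).name: (.+);
continue=TakeNext
context=BRUTE_USER_$1
desc=classification.text=Brute force attack; \
assessment.impact.severity=high; \
assessment.impact.description=Multiple failed attempts have been made to login to a user account; \
correlation_alert.name=Multiple failed login; \
additional_data(>>).data = ignore_atomic_event;
action=add BRUTE_USER_$1 %s; \
copy BRUTE_USER_$1 %CONTENT; \
prelude %CONTENT; \
delete BRUTE_USER_$1
# failed attempts per user name before an alert is raised
thresh=30
# seconds
window=600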