Hello Mouad,
You can try implementing the PoC for brute force attack, and check if you see the same behavior. Please find below the related documentation:
If we take a closer look at the rules related to these events, we can see that rule 5710 is for a non-existent user, 5760 is for a failed password, and 5763 is for the brute force attack itself.

In addition to this, you can check with the Ruleset tool and see if the logs are triggering the proper rules. Go to Wazuh > Tools > Ruleset test, paste 10 logs for the failed login into the first window, and then click on Test.
Please find below the official documentation for this:
I hope this helps.
Regards!
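The reply above describes a chain of rules: base rules (5710 for a non-existent user, 5760 for a failed password) and a brute force rule (5763) that only fires after repeated base alerts from one source. The script below is an added example, not Wazuh's own decoder or rule engine, that models this chaining over constructed sshd log lines so you can see which base rule each line hits and why a frequency rule may stay silent. The match patterns, the frequency of 8, the timeframe of 120 seconds and the choice of 5760 as the parent of 5763 are assumptions taken from a reading of the default sshd ruleset; compare them against the sshd rules file shipped with your own Wazuh installation (and the Ruleset test output) before drawing conclusions.

```python
"""Toy model of how frequency-based rules chain off base sshd rules.

Added example, not Wazuh's analysisd. Rule IDs 5710, 5760 and 5763 come from
the thread; the regexes, frequency=8, timeframe=120 and the parent of 5763
are ASSUMPTIONS to be checked against your installed sshd rules file.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed base rules: (rule id, regex applied to the sshd message part).
BASE_RULES = [
    (5710, re.compile(r"invalid user|illegal user", re.IGNORECASE)),
    (5760, re.compile(r"^Failed password|^error: PAM: Authentication")),
]

# Assumed composite rules: (rule id, parent rule id, frequency, timeframe seconds).
# A composite rule fires once `frequency` parent alerts from the same source IP
# arrive within `timeframe` seconds (simplified version of if_matched_sid +
# same_source_ip + frequency/timeframe).
COMPOSITE_RULES = [
    (5763, 5760, 8, 120),
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
SRCIP_RE = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_line(line):
    """Split a syslog-style sshd line into (timestamp, message, source ip) or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year is irrelevant for deltas
    ip_match = SRCIP_RE.search(m.group("msg"))
    return ts, m.group("msg"), ip_match.group("ip") if ip_match else None


def run_rules(lines):
    """Return a list of (rule_id, srcip) alerts in the order they fire."""
    alerts = []
    windows = defaultdict(deque)  # parent-alert timestamps per (composite rule, source ip)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg, srcip = parsed
        for rule_id, pattern in BASE_RULES:
            if not pattern.search(msg):
                continue
            alerts.append((rule_id, srcip))
            for comp_id, parent_id, frequency, timeframe in COMPOSITE_RULES:
                if parent_id != rule_id or srcip is None:
                    continue
                window = windows[(comp_id, srcip)]
                window.append(ts)
                while ts - window[0] > timedelta(seconds=timeframe):
                    window.popleft()  # drop parent alerts outside the timeframe
                if len(window) >= frequency:
                    alerts.append((comp_id, srcip))
                    window.clear()  # start counting again after firing
            break  # one base rule per line in this single-level model
    return alerts


def summarize(alerts):
    """Count alerts per rule id."""
    return Counter(rule_id for rule_id, _ in alerts)


def sample_lines(kind, count, srcip="203.0.113.7", step_seconds=1):
    """Construct `count` sshd lines of one kind, `step_seconds` apart (constructed test data)."""
    base = datetime(2024, 4, 3, 10, 15, 0)
    templates = {
        "invalid_user": "Invalid user admin from {ip} port 4{n:04d}",
        "failed_password": "Failed password for root from {ip} port 4{n:04d} ssh2",
    }
    lines = []
    for n in range(count):
        ts = (base + timedelta(seconds=n * step_seconds)).strftime("%b %d %H:%M:%S")
        lines.append(f"{ts} host sshd[{1000 + n}]: {templates[kind].format(ip=srcip, n=n)}")
    return lines


if __name__ == "__main__":
    for kind in ("invalid_user", "failed_password"):
        print(kind, dict(summarize(run_rules(sample_lines(kind, 10)))))
```

Under these assumptions, ten "Invalid user" lines from one address produce ten 5710 alerts and nothing else, while ten "Failed password" lines one second apart produce ten 5760 alerts plus a single 5763 on the eighth; spread the same ten lines 20 seconds apart and 5763 never fires because the window keeps dropping out of the timeframe. When the Ruleset test on your manager disagrees with this model, the rule definitions it shows are the ones to trust.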
Hi, I am trying to test this use case: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/ar-use-cases/blocking-ssh-brute-force.html. I followed the exact steps in the document; however, when performing the attack I am getting alerts for rule IDs 2505 and 5710, not for rule ID 5763, and no active response is executed. I hope my question is clear. Thanks in advance.
--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/5bda7d71-0395-4f28-856d-385747ce01den%40googlegroups.com.