Wazuh Custom Rule


Aamir Mustafa

Mar 8, 2022, 1:17:39 PM3/8/22
to Wazuh mailing list
Hi,
I'm trying to create a new rule for my Wazuh installation that triggers an event when 3 or more failed SSH Login attempts for a user are made to same machine in an hour.
So far, I've been able to write the following rule:

<rule id="150020" level="12" frequency="3" timeframe="36000">
    <if_matched_sid>5716</if_matched_sid>
    <same_user/>
    <description>Repeated Failed Login Attempts Detected.</description>
</rule>

There is an issue with this rule. It triggers an alert even if SSH attempts for same username were made on different machines. Can anyone help me out with completing the rule? I've tried to use 'predecoder.hostname' in <same_field> label but as far as I understand, <same_field> can only be used with dynamic fields and predecoder.hostname is a static field.

Following are the log lines for testing:

Feb  3 19:43:19 test-machine-7040 sshd[12373]: Failed password for test from 192.168.110.164 port 3168 ssh2
Feb  3 19:44:00 test-machine-7040 sshd[12373]: Failed password for test from 192.168.110.164 port 3168 ssh2
Feb  3 19:44:47 test-machine-7040 sshd[12373]: Failed password for test from 192.168.110.164 port 3168 ssh2
Feb  3 19:45:08 test-machine-7040 sshd[12373]: Failed password for test from 192.168.110.164 port 3168 ssh2

John Soliani

Mar 8, 2022, 7:21:25 PM3/8/22
to Wazuh mailing list

Hello,

Thank you for using Wazuh!

First of all, bear in mind this is a public post! Please remove sensitive data.

To solve this, I used the logtest tool to check the decoder's data. This is what we get (/var/ossec/bin/wazuh-logtest):

Phase 1: Completed pre-decoding.
full event: ‘Mar 8 20:08:10 AIOCen8-60 sshd[18146]: Failed password for john from 192.168.11.54 port 57534 ssh2’
timestamp: ‘Mar 8 20:08:10’
hostname: ‘AIOCen8-60’
program_name: ‘sshd’
log: ‘Failed password for john from 192.168.11.54 port 57534 ssh2’

Phase 2: Completed decoding.
decoder: ‘sshd’
dstuser: ‘john’
srcip: ‘192.168.11.54’
srcport: ‘57534’

Phase 3: Completed filtering (rules).
Rule id: ‘5716’
Level: ‘5’
Description: ‘sshd: authentication failed.’
Alert to be generated.

As we can see, the agent is reporting this:

  • dstuser (user)
  • srcip (from where the attempt was made)
  • srcport (using this port)

With this information I modified your rule like this:

<rule id="150020" level="12" frequency="3" timeframe="3600">
    <if_matched_sid>5716</if_matched_sid>
    <same_user />
    <same_srcip />
    <description>SSH brute-force detection: IP:$(srcip) failed 3 times in less than 1h to connect with user: $(dstuser).</description>
</rule>

And here are the results with logtest after pasting 3 logs with same srcip and same dstuser:

Phase 1: Completed pre-decoding.
full event: ‘Mar 8 20:08:10 AIOCen8-60 sshd[18146]: Failed password for john from 192.168.11.54 port 57534 ssh2’
timestamp: ‘Mar 8 20:08:10’
hostname: ‘AIOCen8-60’
program_name: ‘sshd’
log: ‘Failed password for john from 192.168.11.54 port 57534 ssh2’

Phase 2: Completed decoding.
decoder: ‘sshd’
dstuser: ‘john’
srcip: ‘192.168.11.54’
srcport: ‘57534’

Phase 3: Completed filtering (rules).
Rule id: ‘150020’
Level: ‘12’
Description: ‘SSH brute-force detection: IP:192.168.11.54 failed 3 times in less than 1h to connect with user: john.’
Alert to be generated.

Check other rules options here: Rule Syntax.

Hope this helps,
John.-
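The following is an added illustration, not code from the thread or from Wazuh itself: a small Python model of how a frequency/timeframe rule groups events by its same_* fields. It shows why <same_user/> alone fires when the third failure for the same user comes from another host and source IP, and why adding <same_srcip/> (or, in this model, keying on hostname as the question originally wanted) separates them. The log lines are the question's three test-machine-7040 entries plus one constructed line from another host; the year, the sliding-window reset after an alert, and the treatment of frequency as an exact count are modelling assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Fields the sshd decoder extracts for rule 5716, plus hostname from the pre-decoder.
SSHD_FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<hostname>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<dstuser>\S+) from (?P<srcip>\S+) port (?P<srcport>\d+)"
)

def decode(line, year=2022):
    """Return the decoded fields for a failed-password line, or None if it does not match.
    Syslog timestamps carry no year, so one is assumed."""
    m = SSHD_FAILED.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{year} " + " ".join(ev["ts"].split()), "%Y %b %d %H:%M:%S")
    return ev

def correlate(lines, same_fields, frequency=3, timeframe=3600):
    """Simplified model of a frequency/timeframe rule (assumption, not Wazuh's engine): one sliding
    window per distinct combination of the same_* fields; an alert fires once the window holds
    `frequency` events within `timeframe` seconds, and that window is then reset."""
    windows = defaultdict(deque)
    alerts = []
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue
        key = tuple(ev[f] for f in same_fields)
        window = windows[key]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > timeframe:  # age out events older than timeframe
            window.popleft()
        if len(window) >= frequency:
            alerts.append((key, ev["ts"].strftime("%H:%M:%S")))
            window.clear()
    return alerts

# Constructed sample: three lines from the question plus one failure for the same user from another host/IP.
LOGS = [
    "Feb  3 19:43:19 test-machine-7040 sshd[12373]: Failed password for test from 192.168.110.164 port 3168 ssh2",
    "Feb  3 19:44:00 test-machine-7040 sshd[12373]: Failed password for test from 192.168.110.164 port 3168 ssh2",
    "Feb  3 19:44:30 other-host sshd[999]: Failed password for test from 10.0.0.9 port 4001 ssh2",
    "Feb  3 19:44:47 test-machine-7040 sshd[12373]: Failed password for test from 192.168.110.164 port 3168 ssh2",
]

if __name__ == "__main__":
    print(correlate(LOGS, ("dstuser",)))                  # same_user only: other-host event completes the count
    print(correlate(LOGS, ("dstuser", "srcip")))          # same_user + same_srcip: only the 192.168.110.164 attempts
    print(correlate(LOGS, ("dstuser", "srcip"), timeframe=60))  # tighter window: first attempt ages out, no alert
```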
