I need to create a bruteforce alert


Farshin Hashim

Oct 10, 2024, 7:44:37 AM
to Wazuh | Mailing List
Hi,
I'm new to Wazuh, I need to create brute-force alerts. Currently I'm getting logs for this, but I need to create a brute-force alert for 5 consecutive failed logins in one minute as the threshold for the alert.

hasitha.u...@wazuh.com

Oct 10, 2024, 9:21:23 AM
to Wazuh | Mailing List
Hi Farshin,

It would be great if you can share the sample log to achieve your rule creation issue.

Further, you can follow this guide. It provides the steps to detect an example brute-force attack.
https://documentation.wazuh.com/current/proof-of-concept-guide/detect-brute-force-attack.html#detecting-a-brute-force-attack
Example rule:
You can create custom rules in /var/ossec/etc/rules/local_rules.xml, or you can create a new XML file in that directory and apply the rules there.
https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html

<group name="Test_Brute_fource,">

  <rule id="100020" level="7">
    <if_sid>xxxx</if_sid>
    <match>logon failed</match>
    <description>Login failed.</description>
  </rule>

  <rule id="100021" level="12" frequency="5" timeframe="60">
    <if_matched_sid>100020</if_matched_sid>
    <same_source_ip />
    <description>Brute force attack.</description>
  </rule>

</group>

To learn about frequency and timeframe, you can follow this guide.
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#if-matched-sid

Let me know if this helps. 

Regards,
Hasitha Upekshitha

Farshin Hashim

Oct 11, 2024, 2:29:02 AM
to Wazuh | Mailing List
Hi Hasitha,

This rule is already created, but I need to create an alert for this rule in the alerting dashboard; later on I will do it as email alerts.
To make it simple, I need to configure an alert if this log is created.

[attached image: shared image.jfif]

Farshin Hashim

Oct 11, 2024, 2:33:44 AM
to Wazuh | Mailing List

FYI, this is the rule I've created:

<group name="Bruteforce Test">

  <rule id="100002" level="10">
    <if_sid>60204</if_sid>
    <if_matched_group>authentication_failed</if_matched_group>
    <description>brute force trying to get access to the system. Non existent user.</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>

  <rule id="100003" level="12" frequency="5" timeframe="60">
    <if_matched_sid>100002</if_matched_sid>
    <same_source_ip />
    <description>Bruteforce Attack Detected</description>
  </rule>

</group>

hasitha.u...@wazuh.com

Oct 24, 2024, 6:59:28 AM
to Wazuh | Mailing List
Hi Farshin,

Instead of the current rules you’ve created, I suggest adding this rule to meet your requirements. You can place it in the /var/ossec/etc/rules/local_rules.xml file:

<group name="windows,windows_security,">

  <rule id="60204" level="12" frequency="5" timeframe="60" overwrite="yes">
    <if_matched_group>authentication_failed</if_matched_group>
    <same_field>win.eventdata.ipAddress</same_field>
    <options>no_full_log</options>
    <description>Bruteforce Attack Detected</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>authentication_failures,gdpr_IV_32.2,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,nist_800_53_SI.4,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

</group>


This rule will trigger an alert when Windows logon failures are detected. If 5 failed logon attempts from the same IP address are logged within 60 seconds and match the authentication_failed group, this rule will generate an alert for a potential brute-force attack.
Ref: https://documentation.wazuh.com/current/proof-of-concept-guide/detect-brute-force-attack.html
https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html#custom-rules

If you need further assistance, please share the sample logs so we can check your issue further.
You can find them in the alerts.json file:
cat /var/ossec/logs/alerts/alerts.json | grep -i -E "<part_of_the_log>"

Let me know if this helps!

Regards,
Hasitha Upekshitha
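To make the frequency/timeframe/same_field behaviour of the two suggested rules concrete, here is a small Python model of that correlation, run over a constructed stream of alerts.json-style records. This is an added example, not code from the thread or from Wazuh's own engine: the event records are made up (RFC 5737 documentation addresses, a relative clock in seconds), the group name authentication_failed and the field path win.eventdata.ipAddress are the ones used in the rule above, and the model is deliberately simplified (it fires on the Nth match inside the window and then starts a fresh window for that source, ignoring details of the real engine such as rule priority and the ignore attribute). It goes slightly beyond the thread by keeping frequency, timeframe and same_field as parameters, so the same function shows what changes when the threshold is tightened.

```python
import json
from collections import defaultdict, deque


def make_event(t, ip, groups):
    """Build a minimal alerts.json-style record (constructed test data)."""
    return {
        "timestamp": t,
        "rule": {"groups": groups},
        "data": {"win": {"eventdata": {"ipAddress": ip}}},
    }


FAILED = ["windows", "windows_security", "authentication_failed"]
SUCCESS = ["windows", "windows_security", "authentication_success"]

# Constructed sample stream, one JSON object per line like alerts.json.
SAMPLE_ALERTS_JSON = "\n".join(json.dumps(e) for e in [
    make_event(0, "192.0.2.10", FAILED),
    make_event(10, "192.0.2.10", FAILED),
    make_event(20, "192.0.2.10", FAILED),
    make_event(30, "192.0.2.10", FAILED),
    make_event(35, "192.0.2.10", SUCCESS),    # not authentication_failed: ignored
    make_event(40, "192.0.2.10", FAILED),     # 5th failure inside 60 s: alert
    make_event(0, "198.51.100.7", FAILED),
    make_event(30, "198.51.100.7", FAILED),
    make_event(70, "198.51.100.7", FAILED),
    make_event(100, "198.51.100.7", FAILED),  # never 5 inside any 60 s window
    make_event(200, "192.0.2.10", FAILED),    # fresh window after the alert
    make_event(300, "203.0.113.5", FAILED),
    make_event(310, "203.0.113.5", FAILED),
    make_event(320, "203.0.113.5", FAILED),
    make_event(330, "203.0.113.5", FAILED),
    make_event(335, "203.0.113.5", FAILED),   # 5th failure: alert
    make_event(340, "203.0.113.5", FAILED),   # alone in the new window
])


def get_path(record, dotted):
    """Resolve a dotted field path such as win.eventdata.ipAddress under "data"."""
    node = record.get("data", {})
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def correlate(alerts_json, frequency=5, timeframe=60,
              if_matched_group="authentication_failed",
              same_field="win.eventdata.ipAddress"):
    """Simplified model of a composite rule: fire when `frequency` events
    carrying `if_matched_group` and sharing `same_field` fall within
    `timeframe` seconds. Returns one dict per fired alert."""
    events = [json.loads(line) for line in alerts_json.splitlines() if line.strip()]
    events.sort(key=lambda e: e["timestamp"])
    windows = defaultdict(deque)   # same_field value -> timestamps in window
    fired = []
    for ev in events:
        if if_matched_group not in ev["rule"]["groups"]:
            continue
        key = get_path(ev, same_field)
        if key is None:
            continue                # no value to correlate on; skip the event
        win = windows[key]
        win.append(ev["timestamp"])
        while win and ev["timestamp"] - win[0] > timeframe:
            win.popleft()           # drop matches older than the timeframe
        if len(win) >= frequency:
            fired.append({"ip": key, "timestamp": ev["timestamp"], "count": len(win)})
            win.clear()             # start a fresh window once we have alerted
    return fired


if __name__ == "__main__":
    for alert in correlate(SAMPLE_ALERTS_JSON):
        print(f"t={alert['timestamp']:>4}  {alert['count']} failures from {alert['ip']}")
```

Running it prints two alerts, one for 192.0.2.10 at t=40 and one for 203.0.113.5 at t=335; the four spread-out failures from 198.51.100.7 never fire, which is the behaviour the timeframe attribute is there to give you. Calling correlate(SAMPLE_ALERTS_JSON, timeframe=30) shows the effect of a tighter window: only 203.0.113.5 still reaches five failures, at t=340.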