Wazuh SMB Brute Force Alert.

Efe Körün

Aug 18, 2024, 11:58:47 PM
to Wazuh | Mailing List
Hi,

I am new to Wazuh and I am trying to configure an alert that is sent when someone attempts an SMB brute-force attack against the agent.

I did a lot of research but could not find much.
Can you guys help me?
Which ruleset should I add to the manager and which configuration should I add to the agent?

Lamya Imam

Aug 19, 2024, 1:01:41 AM
to Wazuh | Mailing List
Hello Efe Körün,

First, we need to confirm that the logs of the SMB brute-force attempts are reaching the Wazuh manager, by enabling the archive logs on the Wazuh manager.
To enable the archives.json log, set <logall_json>yes</logall_json> in the /var/ossec/etc/ossec.conf file.

This option lets you see all the events the Wazuh server monitors in the /var/ossec/logs/archives/archives.json file.
After setting this option, restart the manager and check the archives.json file.
Use grep to look for related logs:
cat /var/ossec/logs/archives/archives.json | grep Keyword

Note: Remember to disable the logall_json parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.

After that, we recommend creating custom decoders and custom rules based on the archives.json log, because in these logs we can see the full_log field, which is the one being parsed for analysis.

You can also check out this blog about creating decoders and rules from scratch: 
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

Additionally, for reference, I am sharing this documentation about detecting a brute-force attack for services such as SSH on Linux endpoints and RDP on Windows endpoints:
https://documentation.wazuh.com/current/proof-of-concept-guide/detect-brute-force-attack.html#detecting-a-brute-force-attack

Let me know if you need further assistance on this!
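As an added illustration (not code posted in this thread and not part of the Wazuh project's own ruleset), here is one way to turn the advice above into a working rule pair for a Windows agent, where an SMB password-guessing attempt shows up in the Security log as event 4625 with logon type 3 (network logon). It assumes: the agent already forwards the Security channel (the stock Windows agent ossec.conf contains the localfile block shown); the manager's stock ruleset matches event 4625 with rule 60122 (verify the ID in your own Windows security rules file before relying on it); rule IDs 100100 and 100101 are free in /var/ossec/etc/rules/local_rules.xml; and the threshold of 5 failures in 120 seconds is an example value you should tune.

```xml
<!-- Added example, not from the thread. -->

<!-- Agent side (Windows ossec.conf): this localfile block is already in the
     stock Windows agent configuration; it is shown only so you can confirm
     the Security channel is being collected. Nothing else is needed on the
     agent for event 4625 to reach the manager. -->
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
</localfile>

<!-- Manager side: /var/ossec/etc/rules/local_rules.xml -->
<group name="windows,windows_security,smb,brute_force,">

  <!-- One failed network logon. Logon type 3 covers SMB/CIFS access but also
       other network services, so the description says "network logon".
       Parent rule 60122 is assumed to be the stock 4625 logon-failure rule;
       check the ID in your manager's ruleset. -->
  <rule id="100100" level="5">
    <if_sid>60122</if_sid>
    <field name="win.eventdata.logonType">^3$</field>
    <description>Windows network logon failure (SMB candidate) for user $(win.eventdata.targetUserName) from $(win.eventdata.ipAddress)</description>
  </rule>

  <!-- Correlation: repeated matches of 100100 from the same source IP
       within the timeframe (example values: 5 in 120 seconds). same_field
       keeps a separate counter per source address instead of one global
       counter for the whole host. -->
  <rule id="100101" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_field>win.eventdata.ipAddress</same_field>
    <description>Possible SMB brute-force attack: repeated failed network logons from $(win.eventdata.ipAddress)</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>

</group>
```

Before restarting the manager, feed a captured 4625 event from archives.json into /var/ossec/bin/wazuh-logtest to confirm that rule 100100 fires and that win.eventdata.logonType and win.eventdata.ipAddress are decoded; if the stock rule ID differs on your version, wazuh-logtest will show which rule actually matched the event and you can use that as the parent. If the agent is a Linux host running Samba instead of Windows, the frequency/timeframe/same_field pattern is the same, but the parent rule would sit on a custom decoder for Samba's authentication audit log rather than on the Windows eventchannel fields.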