Problem with detecting brute force attacks on HTTP in Wazuh


rihab benabdelaziz

Sep 12, 2024, 6:27:31 AM
to Wazuh | Mailing List

Hello everyone,

I'm having trouble with Wazuh detecting brute force attacks on the HTTP protocol. Repeated failed login attempts are being labeled as reconnaissance instead of attacks.

Do I need to add or change something in the Wazuh configuration (in the ossec.conf file) to better detect and classify these as brute force attacks?

Any suggestions or advice would be greatly appreciated!

Thank you in advance for your help!

Stuti Gupta

Sep 12, 2024, 7:01:56 AM
to Wazuh | Mailing List
Hi

Wazuh identifies brute-force attacks by correlating multiple authentication failure events. The section on Blocking attacks with Active Response (https://documentation.wazuh.com/current/user-manual/capabilities/active-response/ar-use-cases/blocking-ssh-brute-force.html) describes how to configure an active response to block the IP address of an attacker.
You can refer to https://documentation.wazuh.com/current/proof-of-concept-guide/detect-brute-force-attack.html, where we show how Wazuh detects brute-force attacks on RHEL and Windows endpoints.

Wazuh comes with a set of default scripts used in active response. These scripts are located in the /var/ossec/active-response/bin/ directory on Linux/Unix endpoints. The firewall-drop active response script works with Linux/Unix operating systems. It uses iptables to block malicious IP addresses.

Add the <active-response> block below to the Wazuh server /var/ossec/etc/ossec.conf configuration file:
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5763</rules_id>
    <timeout>180</timeout>
  </active-response>
</ossec_config>

The active response module executes the command if rule ID 5763 - SSHD brute force trying to get access to the system - fires. In rule 5763 below, the rule will be ignored for 60 seconds even if more requests come in. You can change this value depending on your environment or add it to other brute-force rules.
  <rule id="5763" level="10" frequency="8" timeframe="120" ignore="60">
    <if_matched_sid>5760</if_matched_sid>
    <same_source_ip/>
    <description>sshd: brute force trying to get access to the system. Authentication failed.</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>authentication_failures,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_SI.4,nist_800_53_AU.14,nist_800_53_AC.7,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>


Hope this helps 

rihab benabdelaziz

Sep 12, 2024, 7:27:37 AM
to Wazuh | Mailing List

Thank you for the details. For SSH, it works well, and I receive alerts like "brute force trying to get access to the system. Authentication failed."

However, for the HTTP protocol, the alerts are not the same. As you can see in the screenshot, I only get an alert saying "Multiple web server 400 error codes from same source IP." It seems like HTTP attempts are categorized differently and are not detected as brute force attacks.

Do you have any suggestions on how to configure Wazuh to better detect brute force attacks on HTTP, similar to how it works for SSH?

Stuti Gupta

Sep 13, 2024, 7:52:37 AM
to Wazuh | Mailing List
Hi 

You can achieve this with a rule, and Wazuh has a rule for this:

  <rule id="31151" level="10" frequency="14" timeframe="90">
    <if_matched_sid>31101</if_matched_sid>
    <same_source_ip />
    <description>Multiple web server 400 error codes </description>
    <description>from same source ip.</description>
    <group>web_scan,recon,pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

https://github.com/wazuh/wazuh-ruleset/blob/master/rules/0245-web_rules.xml

Now, in the same Wazuh setup, you can create a script for HTTP brute force attacks and add the <active-response> block below to the Wazuh server /var/ossec/etc/ossec.conf configuration file:
<ossec_config>
  <active-response>
    <command><script name></command>
    <location>local</location>
    <rules_id>31151, 31101</rules_id>
    <timeout>180</timeout>
  </active-response>
</ossec_config>


For custom script, you can refer to https://documentation.wazuh.com/current/user-manual/capabilities/active-response/custom-active-response-scripts.html

Hope this helps
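As an added example (not code from the thread or from the Wazuh project), a minimal custom active-response script for the rule 31151 block above, written against the stdin/stdout JSON protocol described in the custom active-response scripts page linked in the reply; the script name http-brute-drop.py, the sample execd message and the use of the source IP as the stateful key are assumptions.

```python
#!/usr/bin/env python3
# Custom Wazuh active-response script for HTTP brute-force alerts, following the
# execd stdin/stdout JSON protocol. Assumed path: /var/ossec/active-response/bin/
# http-brute-drop.py, referenced from <command> in ossec.conf.
import json
import subprocess
import sys

HTTP_BRUTE_RULES = {"31151"}  # rule IDs from the thread; extend as needed

# Constructed sample of the message wazuh-execd writes to the script's stdin.
SAMPLE_ADD = json.dumps({"version": 1, "command": "add", "parameters": {
    "alert": {"rule": {"id": "31151", "level": 10},
              "data": {"srcip": "203.0.113.7", "id": "400"}}}})

def parse_execd_message(raw):
    """Map one execd JSON line to a decision: block (add), unblock (delete)
    or ignore. Malformed input and unhandled rules never raise."""
    try:
        msg = json.loads(raw)
        alert = msg["parameters"]["alert"]
        srcip, rule_id = alert["data"]["srcip"], alert["rule"]["id"]
    except (ValueError, KeyError, TypeError):
        return {"action": "ignore", "reason": "malformed message"}
    if rule_id not in HTTP_BRUTE_RULES:
        return {"action": "ignore", "reason": f"rule {rule_id} not handled"}
    action = {"add": "block", "delete": "unblock"}.get(msg.get("command"), "ignore")
    return {"action": action, "srcip": srcip, "rule_id": rule_id}

def iptables_argv(decision):
    """iptables argv for a decision; delete removes the exact rule insert added."""
    flag = "-I" if decision["action"] == "block" else "-D"
    return ["iptables", flag, "INPUT", "-s", decision["srcip"], "-j", "DROP"]

def main():
    decision = parse_execd_message(sys.stdin.readline())
    if decision["action"] == "block":
        # Stateful handshake: execd replies "continue", or "abort" if the key
        # (here the source IP) is already blocked and within its timeout.
        print(json.dumps({"version": 1, "command": "check_keys",
                          "origin": {"name": "http-brute-drop", "module": "active-response"},
                          "parameters": {"keys": [decision["srcip"]]}}), flush=True)
        if json.loads(sys.stdin.readline()).get("command") != "continue":
            return
    if decision["action"] != "ignore":
        subprocess.run(iptables_argv(decision), check=False)

if __name__ == "__main__":
    main()
```

When execd's timeout expires it sends the same alert with command "delete", which this script maps to the matching iptables -D so the block is lifted automatically.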