How to configure alerts for rule 5503


Le Sok

Dec 28, 2023, 4:29:40 AM12/28/23
to Wazuh | Mailing List
Hello team,
I want to configure this alert to show the IP address of whoever logs in to this server.

Wazuh Notification.

2023 Dec 28 15:45:44

Received From: (OpenAPIAPP) any->/var/log/auth.log

Rule: 5503 fired (level 10) -> "PAM: User login failed."

User: root

Portion of the log(s):

Dec 28 08:45:44 openapi su: pam_unix(su:auth): authentication failure; logname=openapi uid=1000 euid=0 tty=/dev/pts/1 ruser=openapi rhost=  user=root

logname: openapi

uid: 1000

euid: 0

tty: /dev/pts/1
With alerts like that I don't know who is trying to log in to my server. Please help me.
Best regards.

Leandro David Sayanes

Dec 28, 2023, 9:45:29 AM12/28/23
to Wazuh | Mailing List
Hi lesok2504!

The source IP address information is typically found in the log message itself, and you can use a custom regex pattern to extract it:

<rule id="5503" level="10">
  <if_sid>530</if_sid>
  <regex>authentication failure.*rhost=([^ ]+)</regex>
  ...
</rule>

Here you have more information about it:
You can run the command line tool /var/ossec/bin/wazuh-logtest to test the rule:


If that is not possible, you may have to use a different approach to capture the source IP address during a failed login attempt; we have this that might be useful:
I hope this helps you!

Le Sok

Dec 28, 2023, 11:22:58 PM12/28/23
to Wazuh | Mailing List
Hello sir,
I tried to configure it like you said, but it's not working, sir.
<!-- overwrite="yes" is required when a built-in rule id is redefined in local_rules.xml -->
<rule id="5503" level="10" overwrite="yes">
  <if_sid>5500</if_sid>
  <!-- type="pcre2" selects PCRE2 syntax; the default OS_Regex engine has no [...] character classes -->
  <regex type="pcre2">authentication failure.*rhost=([^ ]+)</regex>
  <match>authentication failure; logname=</match>
  <description>PAM: User login failed.</description>
  <mitre>
    <id>T1110.001</id>
  </mitre>
  <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

Best regards.
2023-12-29_11-14-18.png

Leandro David Sayanes

Dec 29, 2023, 9:34:41 PM12/29/23
to Wazuh | Mailing List
Hello lesok2504!

I suggested that you use a regex in case the IP was found in the log entries, but in the sample line in the image, rhost is empty...
I think that is the reason why the regex does not work.

Have you had a look at this?  
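To make the empty-rhost point concrete, here is an added Python example (not from the thread or from Wazuh) that parses pam_unix authentication-failure lines and decides whether the source is a remote IP or a local caller identified by logname and tty. The su line is the one quoted above; the sshd line and its 203.0.113.5 address are constructed for the example.

```python
import re
from typing import Optional

PAM_FAILURE = re.compile(
    r"(?P<service>\w+)(?:\[\d+\])?: pam_unix\((?P<module>[^)]+)\): "
    r"authentication failure; logname=(?P<logname>\S*) uid=(?P<uid>\d+) "
    r"euid=(?P<euid>\d+) tty=(?P<tty>\S*) ruser=(?P<ruser>\S*) "
    r"rhost=(?P<rhost>\S*)\s+user=(?P<user>\S+)"
)

# Constructed sample log lines. The first is the su line quoted in the thread
# (rhost empty); the second is a made-up sshd line using an RFC 5737
# documentation address so rhost carries a remote IP.
SAMPLE_LOGS = [
    "Dec 28 08:45:44 openapi su: pam_unix(su:auth): authentication failure; "
    "logname=openapi uid=1000 euid=0 tty=/dev/pts/1 ruser=openapi rhost=  user=root",
    "Dec 28 08:46:10 openapi sshd[2231]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root",
]


def parse_pam_failure(line: str) -> Optional[dict]:
    """Return the pam_unix failure fields plus an 'origin' and 'source' verdict."""
    m = PAM_FAILURE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    if fields["rhost"]:
        # PAM was given a remote host (e.g. sshd): the IP is the source.
        fields["origin"] = "remote"
        fields["source"] = fields["rhost"]
    else:
        # No remote host: a local su/sudo/console session, so the caller is
        # identified by logname (or ruser) and the tty, not by an IP.
        who = fields["logname"] or fields["ruser"] or "unknown"
        fields["origin"] = "local"
        fields["source"] = f"{who}@{fields['tty'] or '?'}"
    return fields


def failed_login_sources(lines) -> list:
    """Map each matching line to (target user, origin, source) for alert text."""
    out = []
    for line in lines:
        f = parse_pam_failure(line)
        if f is not None:
            out.append((f["user"], f["origin"], f["source"]))
    return out


if __name__ == "__main__":
    for user, origin, source in failed_login_sources(SAMPLE_LOGS):
        print(f"failed login as {user}: {origin} from {source}")
```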