Hi Matthias,
Yes, Wazuh detects brute force attacks against endpoints monitored by the Wazuh agent.
A brute-force use case is explained in our Proof of concept documentation on Detecting a brute-force attack.
As you can see in the documentation, the simulated attack is detected by the rule with ID 5551. This rule is located on the Wazuh server at /var/ossec/ruleset/rules/0085-pam_rules.xml. Wazuh uses this rule and all the other rules in the /var/ossec/ruleset, along with the custom rules, to detect threats and generate alerts.
In the case of rule 5551, the threshold is set using the frequency and timeframe labels.
<rule id="5551" level="10" frequency="8" timeframe="180">
  <if_matched_sid>5503</if_matched_sid>
  <same_source_ip />
  <description>PAM: Multiple failed logins in a small period of time.</description>
  <mitre>
    <id>T1110</id>
  </mitre>
  <group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

This means the rule will be triggered when there are 8 failed login events in 3 minutes (180 seconds).
You can change these built-in thresholds by following the instructions in this documentation.
Hi all,

I have a question regarding a use case. When you brute-force an agent watched by Wazuh, it detects this, right? How does it detect this? What is the intelligence behind this? Is there an option to change the number of requests it needs to trigger the alert for a brute force?

Kind regards
Matthias Appelmans
Hi Matthias,
If you get 1000 requests in 180 seconds, you will get 125 alerts for the rule I quoted in my previous response. However, Wazuh has an ignore option that you can use to instruct the analysis engine to ignore a rule for a specified period. For example, in rule 5763 below, the rule will be ignored for 60 seconds even if more requests come in. You can change this value depending on your environment or add it to other brute-force rules.
<rule id="5763" level="10" frequency="8" timeframe="120" ignore="60">
  <if_matched_sid>5760</if_matched_sid>
  <same_source_ip/>
  <description>sshd: brute force trying to get access to the system. Authentication failed.</description>
  <mitre>
    <id>T1110</id>
  </mitre>
  <group>authentication_failures,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_SI.4,nist_800_53_AU.14,nist_800_53_AC.7,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

Hi Openime,

Let's say we get 1000 requests in 180 seconds. Will this configuration generate 1 alert, or will it generate 125 alerts? Does Wazuh have intelligence to reduce noise?

On Tuesday, 7 May 2024 at 11:20:19 UTC+2, Openime Oniagbi wrote:
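As an added example (not part of this thread or of Wazuh itself), the simplified model below replays the "1000 failed logins in 180 seconds" scenario through the frequency/timeframe/ignore logic described above, so you can see the alert count with and without the ignore window before tuning a rule. It assumes a sliding timeframe per source IP, that matched events are consumed when the rule fires, and that events arriving during the ignore window are not counted; the source IPs and event spacing are constructed for the demonstration.

```python
from collections import deque


class FrequencyRule:
    """Illustrative model (not the Wazuh engine) of a composite rule that fires
    after `frequency` matching events from one source IP within `timeframe`
    seconds, then ignores further matches for `ignore` seconds."""

    def __init__(self, rule_id, frequency, timeframe, ignore=0):
        self.rule_id = rule_id
        self.frequency = frequency
        self.timeframe_ms = timeframe * 1000
        self.ignore_ms = ignore * 1000          # 0 means no ignore window
        self._window = {}                       # srcip -> deque of event times (ms)
        self._ignore_until = {}                 # srcip -> time (ms) the rule wakes up

    def feed(self, ts_ms, srcip):
        """Feed one matching event; return True if the rule fires an alert."""
        if ts_ms < self._ignore_until.get(srcip, -1):
            return False                        # still inside the ignore window
        window = self._window.setdefault(srcip, deque())
        window.append(ts_ms)
        while window and ts_ms - window[0] > self.timeframe_ms:
            window.popleft()                    # evict events older than the timeframe
        if len(window) < self.frequency:
            return False
        window.clear()                          # matched events are consumed by the alert
        if self.ignore_ms:
            self._ignore_until[srcip] = ts_ms + self.ignore_ms
        return True


def count_alerts(rule, n_events, span_s, srcip="203.0.113.7"):
    """Replay n_events evenly spaced over span_s seconds; return the alert count."""
    step_ms = span_s * 1000 // n_events
    return sum(rule.feed(i * step_ms, srcip) for i in range(n_events))


if __name__ == "__main__":
    # Rule 5551 as quoted: frequency=8, timeframe=180, no ignore.
    print("5551:", count_alerts(FrequencyRule(5551, 8, 180), 1000, 180))          # 125
    # Rule 5763 as quoted: frequency=8, timeframe=120, ignore=60.
    print("5763:", count_alerts(FrequencyRule(5763, 8, 120, ignore=60), 1000, 180))  # 3
```

Seven failures followed by a long pause never fire, because the timeframe eviction drops the stale events before the eighth arrives.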