Threshold for a specified rule

Valton T.

Mar 2, 2023, 8:44:36 AM
to Wazuh mailing list
How can I add a threshold for a specified rule in Wazuh, in the manager's ossec.conf?

Please let me know, I kinda need it urgently!

Federico Damian Lo Iacono

Mar 2, 2023, 9:18:44 AM
to Wazuh mailing list
Hi Valton. Thank you for choosing Wazuh.

Could you please specify which rule needs the threshold? That way we can know the threshold criteria and work in a better suited solution.

Thanks!

Valton T.

Mar 2, 2023, 9:52:29 AM
to Wazuh mailing list

Hi Federico,
The SSH brute-force rules:

Linux - rule.id:(5551 OR 5712). Other related rules are 5710, 5711, 5716, 5720, 5503, 5504.

Federico Damian Lo Iacono

Mar 2, 2023, 10:14:32 AM
to Wazuh mailing list
OK! Do you need to change the failed login threshold before the rule is matched (and therefore, an event is fired)?

Valton T.

Mar 2, 2023, 10:16:21 AM
to Wazuh mailing list
After 10 login attempts the rule should alert on each attempt, but after 10 login attempts in total it should trigger the active-response (firewall-drop).

Federico Damian Lo Iacono

Mar 2, 2023, 12:44:02 PM
to Wazuh mailing list
So, if I understood, you want to:

  • Change the frequency from 8 (the default) to 10
  • After the 10th failed attempt, perform a firewall-drop
Is that right?

Thanks in advance.

Valton T.

Mar 3, 2023, 3:47:35 AM
to Wazuh mailing list
Yes, exactly.

Federico Damian Lo Iacono

Mar 3, 2023, 1:33:12 PM
to Wazuh mailing list
Sorry for the wait Valton.

In order to change the frequency, you need to change the existing rules. It would look like this:

/var/ossec/ruleset/rules/0085-pam_rules.xml

...
<rule id="5551" level="10" frequency="10" timeframe="180" overwrite="yes">
  <if_matched_sid>5503</if_matched_sid>
  <same_source_ip />
  <description>PAM: Multiple failed logins in a small period of time.</description>
  <mitre>
    <id>T1110</id>
  </mitre>
  <group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
...

---

/var/ossec/ruleset/rules/0095-sshd_rules.xml

...
<rule id="5712" level="10" frequency="10" timeframe="120" ignore="60" overwrite="yes">
  <if_matched_sid>5710</if_matched_sid>
  <same_source_ip />
  <description>sshd: brute force trying to get access to the system. Non existent user.</description>
  <mitre>
    <id>T1110</id>
  </mitre>
  <group>authentication_failures,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_SI.4,nist_800_53_AU.14,nist_800_53_AC.7,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
...

... and so on. Notice how, apart from changing the "frequency" value to 10 (the desired value), it's necessary to add the overwrite="yes" attribute to the rule definition, in order to indicate that this rule is overwriting an already existing rule. You can read more about it here.

Regarding the triggering of firewall-drop, you can define an active response that triggers with any of the bruteforce-related rules. To do so, add the following section to /var/ossec/etc/ossec.conf in your manager:

/var/ossec/etc/ossec.conf

...
<active-response>
  <command>firewall-drop</command>
  <location>all|local|defined-agent|manager</location>
  <rules_id>5551,5712,...</rules_id>
</active-response>
...

You can configure this active-response however you like. Notice how, in the <rules_id> section, I added a comma-separated list of the relevant rules that would trigger the firewall-drop command, but you can also specify a <rules_group> section with the authentication_failed|authentication_failures value, which would include all the bruteforce rules that are already defined.

You can read more about active-response here and here.

Regards,
Federico.

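The same change consolidated into the manager's custom rules file, as an added example that is not part of the thread above: it assumes the default Wazuh layout, where rule overwrites belong in /var/ossec/etc/rules/local_rules.xml (files under /var/ossec/ruleset/rules/ are replaced on upgrade) and firewall-drop is the stock active-response command shipped in ossec.conf; the 600-second timeout is a chosen value.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (assumed default path for custom rules) -->
<group name="local,syslog,sshd,">
  <!-- Overwrite the stock PAM rule: alert after 10 failures from one source IP within 180 s -->
  <rule id="5551" level="10" frequency="10" timeframe="180" overwrite="yes">
    <if_matched_sid>5503</if_matched_sid>
    <same_source_ip />
    <description>PAM: Multiple failed logins in a small period of time.</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <!-- keep the original group tags so compliance mappings survive the overwrite -->
    <group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <!-- Overwrite the stock sshd rule: 10 non-existent-user failures within 120 s, then ignore repeats for 60 s -->
  <rule id="5712" level="10" frequency="10" timeframe="120" ignore="60" overwrite="yes">
    <if_matched_sid>5710</if_matched_sid>
    <same_source_ip />
    <description>sshd: brute force trying to get access to the system. Non existent user.</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>authentication_failures,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_SI.4,nist_800_53_AU.14,nist_800_53_AC.7,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf on the manager, inside <ossec_config> -->
<active-response>
  <command>firewall-drop</command>
  <!-- "local": the block is applied on the agent that reported the failures -->
  <location>local</location>
  <!-- only the two overwritten brute-force rules trigger the drop -->
  <rules_id>5551,5712</rules_id>
  <!-- seconds until the drop is undone; without it the block is permanent (constructed value) -->
  <timeout>600</timeout>
</active-response>
```

After editing, restart the manager so the overwritten rules and the new active-response block are loaded.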
Valton T.

Mar 6, 2023, 3:31:14 AM
to Wazuh mailing list

Hi,

Thank you very much! It really helped!