Rule for monitoring if same user fails to login in two systems.

[Nauris Metlans]

Hello,

I want to trigger an alert if the same user had failed to login in two systems in time frame 120sec, the rules looks like this:

<rule id="200030" level="10">
  <match>login failure</match>
  <description>User failed to login.</description>
  <group>access_control,authentication_failed</group>
</rule>
<rule id="200040" level="10" timeframe="120">
  <if_matched_sid>5710</if_matched_sid>
  <if_sid>200030</if_sid>
  <same_srcuser />
  <description>Multiple login failures was triggered by same user.</description>
  <group>access_control,authentication_failed</group>
</rule>
</group>

And I try to login with the same user to both systems, rules 5710 and 200030 shows as worked, but rule 200040 does not show in alerts. 

[Julia Magán Rodríguez]

Hello,

For this case, instead of using match, I recommend you to use if_group, this way you can check different types of failed logins. For example, I have used:

  <rule id="200030" level="10">
    <if_group>invalid_login</if_group>
    <description>The user was unable to login.</description>
    <group>access_control,authentication_failed</group>
  </rule>

If we try a log of a failed login with wazuh-logtest we can see:

Oct 15 21:07:56 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18.18 port 48928

**Phase 1: Pre-decoding completed.
    event complete: 'Oct 15 21:07:56 linux-agent sshd[29205]: 'Invalid user blimey from 18.18.18.18.18 port 48928'
    timestamp: 'Oct 15 21:07:56'
    hostname: 'linux-agent'
    program_name: 'sshd'

**phase 2: Decryption completed.
    name: 'sshd
    parent: 'sshd
    srcip: '18.18.18.18.18
    srcport: '48928'
    srcuser: 'blimey'

**Phase 3: Filtering completed (rules).
    id: '200030'
    level: '10
    description: 'User could not log in.'
    groups: '['local', 'syslog', 'sshd', 'access_control', 'authentication_failed']'
    trigger times: '1'
    mail: 'False'
**alert to generate.

The next rule would be:

  <rule id="200040" level="10" timeframe="120">
    <if_matched_sid>200030</if_matched_sid>
    <same_srcuser />
    <description>Multiple login failures were triggered by the same user$.
    <group>access_control,authentication_failed</group>
  </rule>

if_matched_sid is similar to if_sid but it will only match if the ID has been triggered in a period of time. Since we are interested in getting an alert when rule 200030 occurs multiple times over a period of time, it is this that should go inside if_matched_sid. if_sid is not needed for this rule.

If we test the event again several times in a row with wazuh-logtest we can see that we get rule 200040:

Oct 15 21:07:56 centos-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928

**Phase 1: Completed pre-decoding.
    full event: 'Oct 15 21:07:56 centos-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928'
    timestamp: 'Oct 15 21:07:56'
    hostname: 'centos-agent'
    program_name: 'sshd'

**Phase 2: Completed decoding.
    name: 'sshd'
    parent: 'sshd'
    srcip: '18.18.18.18'
    srcport: '48928'
    srcuser: 'blimey'

**Phase 3: Completed filtering (rules).
    id: '200040'
    level: '10'
    description: 'Multiple login failures was triggered by same user.'
    groups: '['local', 'syslog', 'sshd', 'access_control', 'authentication_failed']'
    firedtimes: '4'
    frequency: '2'
    mail: 'False'
**Alert to be generated.

​

[Nauris Metlans]

I want a bit different solution, not if user fails login many times on one system, but I have these custom rules for one device, and I want rule 200040 be triggered if the user with the same user name has failed to login on two systems.

So I have some linux host and other device which sends logs through syslog, these custom logs are in first post and I trigger the rule 200040 if the same user has filed to login on some other host through ssh, that is why I had <if_matched_sid>5710</if_matched_sid> this is for ssh failed logins and then check if also this same user has tried login to this syslog sending device in 120 seconds, that is why <if_sid>200030</if_sid> from the example from this post - https://github.com/wazuh/wazuh/issues/4428#issuecomment-775417557

[Julia Magán Rodríguez]

Hello,

Ok, so maybe the problem is in rule 200030, do you have any example of a log that matches this rule? That way, it will be easier for me to be able to test this use case and find a solution.

[Nauris Metlans]

This log matches rule 200030:

Jun 14 12:00:29 NoName login failure for user admin from 192.168.0.204 via winbox

[Nauris Metlans]

Any luck with this? 

[Julia Magán Rodríguez]

Hello,

Sorry for the late response. Testing the log that you have sent me, without using any custom decoder or rule, we get the 2501 rule, as we can see here:

[root@localhost vagrant]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.0
Type one log per line

Jun 14 12:00:29 NoName login failure for user admin from 192.168.0.204 via winbox

**Phase 1: Completed pre-decoding.
    full event: 'Jun 14 12:00:29 NoName login failure for user admin from 192.168.0.204 via winbox'
    timestamp: 'Jun 14 12:00:29'
    hostname: 'NoName'

**Phase 2: Completed decoding.
    No decoder matched.

**Phase 3: Completed filtering (rules).
    id: '2501'
    level: '5'
    description: 'syslog: User authentication failure.'
    groups: '['syslog', 'access_control', 'authentication_failed']'
    firedtimes: '1'
    gdpr: '['IV_35.7.d', 'IV_32.2']'
    gpg13: '['7.8']'
    hipaa: '['164.312.b']'
    mail: 'True'
    nist_800_53: '['AU.14', 'AC.7']'
    pci_dss: '['10.2.4', '10.2.5']'
    tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.

And if we use your custom rules, we get:

Jun 14 12:00:29 NoName login failure for admin user from 192.168.0.204 via winbox

**Phase 1: Pre-decoding completed.
    complete event: 'Jun 14 12:00:29 NoName login failure for user admin from 192.168.0.204 via winbox'.
    timestamp: 'Jun 14 12:00:29'
    hostname: 'NoName'

**Phase 2: Decoding completed.
    No decoder matched.

**Phase 3: Filtering completed (rules).
    id: '200030' id: '200030' id: '200030' id: '200030
    level: '10
    description: 'User could not log in.'
    groups: '['local', 'syslog', 'sshd', 'access_control', 'authentication_failed']'
    trigger times: '5'
    mail: 'True'
**alert to generate.

Both rules are correctly matching, the problem is that no IP is being extracted that can be compared with the next rule. For this, we must make a custom decoder that extracts it. I have seen in previous conversations with other colleagues that you were trying to make these decoders, do you have the decoders obtained so we can test them?

​

[Nauris Metlans]

Hello,

I have decoder like this:

<decoder name="mikrotik_winbox_generic">
    <prematch>\.*from \S+ via winbox</prematch>
    <regex>user (\S+) \.*from (\d+.\d+.\d+.\d+)</regex>
    <order>srcuser, srcip</order>
</decoder>

and rules like this:

<group name="syslog,mikrotik,">
<rule id="200010" level="3">
  <regex>logged in from \S+ via winbox</regex>
  <description>User logged in.</description>
  <group>access_control,authentication_success</group>
</rule>
<rule id="200020" level="3">
  <regex>logged out from \S+ via winbox</regex>
  <description>User logged out.</description>
  <group>access_control</group>
</rule>
<rule id="200030" level="12">
  <regex>login failure for user \S+ from \S+ via winbox</regex>

  <description>User failed to login.</description>
  <group>access_control,authentication_failed</group>
</rule>

<rule id="200040" level="10" timeframe="120">
  <if_matched_sid>5710</if_matched_sid>
  <if_sid>200030</if_sid>
  <same_srcuser />
  <description>Multiple login failures was triggered by same user.</description>
  <group>access_control,authentication_failed</group>
</rule>

What I want to do is make another rule, if user fails to log on to other system with same user name then trigger the alert? In this example, if user fails to login on wazuh host as admin and then to my custom syslog device also as admin, then trigger the alert.

[Julia Magán Rodríguez]

Hello again,

Testing your rules and decoders everything seems to be working correctly:

root@localhost vagrant]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.0
Type one log per line

Jun 14 12:00:30 linux-agent sshd[29205]: Invalid user admin from 18.18.18.18.18 port 48928

**Phase 1: Completed pre-decoding.
    full event: 'Jun 14 12:00:30 linux-agent sshd[29205]: Invalid user admin from 18.18.18.18.18 port 48928'
    timestamp: 'Jun 14 12:00:30'
    hostname: 'linux-agent'
    program_name: 'sshd'

**Phase 2: Completed decoding.
    name: 'sshd'
    parent: 'sshd'
    srcip: '18.18.18.18.18'
    srcport: '48928'
    srcuser: 'admin'

**Phase 3: Completed filtering (rules).
    id: '5710'
    level: '5'
    description: 'sshd: Attempt to login using a non-existent user'
    groups: '['syslog', 'sshd', 'authentication_failed', 'invalid_login']'
    firedtimes: '1'
    gdpr: '['IV_35.7.d', 'IV_32.2']'
    gpg13: '['7.1']'
    hipaa: '['164.312.b']'
    mail: 'True'
    mitre.id: '['T1110.001', 'T1021.004', 'T1078']'
    mitre.tactic: '['Credential Access', 'Lateral Movement', 'Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']'
    mitre.technique: '['Password Guessing', 'SSH', 'Valid Accounts']'
    nist_800_53: '['AU.14', 'AC.7', 'AU.6']'
    pci_dss: '['10.2.4', '10.2.5', '10.6.1']'
    tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.

Jun 14 12:00:29 NoName login failure for user admin from 192.168.0.204 via winbox

**Phase 1: Completed pre-decoding.
    full event: 'Jun 14 12:00:29 NoName login failure for user admin from 192.168.0.204 via winbox'
    timestamp: 'Jun 14 12:00:29'
    hostname: 'NoName'

**Phase 2: Completed decoding.
    name: 'mikrotik_winbox_generic'
    srcip: '192.168.0.204'
    srcuser: 'admin'

**Phase 3: Completed filtering (rules).
    id: '200040'
    level: '10'
    description: 'Multiple login failures was triggered by same user.'
    groups: '['syslog', 'mikrotik', 'access_control', 'authentication_failed']'
    firedtimes: '1'
    frequency: '2'
    mail: 'True'
**Alert to be generated.

Please note that having only one rule configured, the 200040 alert will only pop if first, the 5710 rule pops and then the 200030 rule. The other way around it will not work, for that, you will have to create another rule, but with the rule values the other way around:

  <rule id="200050" level="10" timeframe="120">
    <if_matched_sid>200030</if_matched_sid>
    <if_sid>5710</if_sid>
    <same_srcuser />
    <descripción>Multiple login failures were triggered by the same user.</descripción>
    <group>access_control,authentication_failed</group>
  </rule>

We can check:

[root@localhost vagrant]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.0
Type one log per line

Jun 14 12:00:29 NoName login failure for user admin from 192.168.0.204 via winbox

**Phase 1: Completed pre-decoding.
    full event: 'Jun 14 12:00:29 NoName login failure for user admin from 192.168.0.204 via winbox'
    timestamp: 'Jun 14 12:00:29'
    hostname: 'NoName'

**Phase 2: Completed decoding.
    name: 'mikrotik_winbox_generic'
    srcip: '192.168.0.204'
    srcuser: 'admin'

**Phase 3: Completed filtering (rules).
    id: '200030'
    level: '12'
    description: 'User failed to login.'
    groups: '['syslog', 'mikrotik', 'access_control', 'authentication_failed']'
    firedtimes: '1'
    mail: 'True'
**Alert to be generated.

Jun 14 12:00:30 linux-agent sshd[29205]: Invalid user admin from 18.18.18.18.18 port 48928

**Phase 1: Completed pre-decoding.
    full event: 'Jun 14 12:00:30 linux-agent sshd[29205]: Invalid user admin from 18.18.18.18.18 port 48928'
    timestamp: 'Jun 14 12:00:30'
    hostname: 'linux-agent'
    program_name: 'sshd'

**Phase 2: Completed decoding.
    name: 'sshd'
    parent: 'sshd'
    srcip: '18.18.18.18.18'
    srcport: '48928'
    srcuser: 'admin'

**Phase 3: Completed filtering (rules).
    id: '200050'
    level: '10'
    description: 'Multiple login failures was triggered by same user.'
    groups: '['syslog', 'mikrotik', 'access_control', 'authentication_failed']'
    firedtimes: '1'
    frequency: '2'
    mail: 'True'
**Alert to be generated.

If it still does not work for you, please test the different events with wazuh-logtest and share with me the output obtained.

​

[Nauris Metlans]

Ok, thank you very much, this works.

Regards,
Nauris

[Calvin Nguyen]

I'm newbie from wazuh.

Please help me setup alert email when the sever login fail. Please check the config

Best regards.

[Julia Magán Rodríguez]

Hello,

The image has not been attached correctly and I cannot see the configuration you want to share with me.

If you want to receive an email alert every time there is a failed login, you can use <rule_id> by adding the IDs of all the rules you are interested in, or <group> by adding invalid_login. However, you should note that the default value of <email_alert_level> is 12, so in order to receive email alerts, these rules must have a level equal to or higher than 12. If not, you can lower the <email_alert_level>.

​