SMB BruteForce Custom Rule Creating

Gökçen özden

Aug 20, 2024, 4:22:21 AM
to Wazuh | Mailing List
Hello, I'm new to this subject and I realized that I couldn't learn it even by reading the documentation; I would be very happy if you could help.

I want to make a "Custom Rule" that triggers an alarm when a brute force attack is made on the Windows agent. However, the rule I made is not triggered because I did it wrong.

Can someone teach me how to establish such a rule?

Obinna Uchubilo

Aug 20, 2024, 10:28:45 AM
to Wazuh | Mailing List
Hi,

For your use case, we use the custom rule below.

<group name="smb_attack,">
  <!-- Rule 111004: fires on a single Windows event whose eventID matches the pattern -->
  <rule id="111004" level="7">
    <if_sid>60104</if_sid>                                <!-- child of Wazuh base rule 60104 for Windows events -->
    <field name="win.system.eventID">^551$|1009$</field>  <!-- eventID exactly 551, or ending in 1009 -->
    <description>SMB Authentication Failure.</description>
  </rule>

  <!-- Rule 111005: fires when 111004 matches "frequency" times within "timeframe" seconds -->
  <rule id="111005" level="11" frequency="10" timeframe="60">
    <if_sid>111004</if_sid>
    <same_source_ip />                                    <!-- only count matches coming from the same source IP -->
    <description>Multiple SMB Authentication Failure</description>
  </rule>
</group>

I created a rule group smb_attack and two rules. The first rule, rule 111004, is triggered when SMB authentication errors are detected, while the second rule is triggered when the first rule is triggered 10 times within 60 seconds.

To create this rule on your Wazuh server follow the steps below.

1. Add the following rule to the /var/ossec/etc/rules/local_rules.xml file
<group name="smb_attack,">
  <!-- Rule 111004: single SMB authentication failure event -->
  <rule id="111004" level="7">
    <if_sid>60104</if_sid>
    <field name="win.system.eventID">^551$|1009$</field>
    <description>SMB Authentication Failure.</description>
  </rule>

  <!-- Rule 111005: correlated alert, same source IP, within a 60-second window -->
  <rule id="111005" level="11" frequency="15" timeframe="60">
    <if_sid>111004</if_sid>
    <same_source_ip />
    <description>Multiple SMB Authentication Failure</description>
  </rule>
</group>

2. Restart the Wazuh manager to apply the changes with the command below
     systemctl restart wazuh-manager

Regards
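To see how the two rules above work together before deploying them, here is an added simulation (not from this thread, and not Wazuh's own engine) that replays constructed events through the same logic: rule 111004 matches the `^551$|1009$` pattern on the event ID, and rule 111005 counts those matches per source IP inside a sliding 60-second window. It assumes the decoder exposes the client address as `srcip`, treats the Nth match as the trigger, and clears the counter once the correlated rule fires; confirm the exact `frequency` counting against the Wazuh rule syntax reference and wazuh-logtest before relying on a precise threshold.

```python
import re
from collections import defaultdict, deque

# Parameters copied from the rules in the reply above
EVENT_ID_REGEX = re.compile(r"^551$|1009$")  # rule 111004 <field> pattern
FREQUENCY = 10                                # rule 111005 frequency
TIMEFRAME = 60                                # rule 111005 timeframe, in seconds


def matches_111004(event):
    """Rule 111004: true when win.system.eventID matches the field pattern."""
    return bool(EVENT_ID_REGEX.search(str(event.get("eventID", ""))))


def correlate(events, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Rule 111005: return (timestamp, srcip) pairs where the correlated alert fires.

    Events are replayed in time order. For each source IP a deque keeps the
    timestamps of recent 111004 matches; entries older than `timeframe` are
    dropped and the alert fires when `frequency` matches remain in the window.
    """
    window = defaultdict(deque)  # srcip -> timestamps of recent 111004 matches
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not matches_111004(ev):
            continue  # e.g. 4625 logon failures are not covered by this rule
        ts, ip = ev["ts"], ev["srcip"]
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > timeframe:
            q.popleft()
        if len(q) >= frequency:
            alerts.append((ts, ip))
            q.clear()  # simplification: one alert per burst, counter restarts
    return alerts


def build_sample_events():
    """Constructed sample input (not real logs): one burst, one slow trickle, some noise."""
    ev = lambda ts, ip, eid: {"ts": ts, "srcip": ip, "eventID": eid}
    burst = [ev(100 + i * 2, "10.0.0.5", "551") for i in range(12)]   # 12 failures in 22 s
    trickle = [ev(200 + i * 61, "10.0.0.7", "1009") for i in range(10)]  # 1 per 61 s, never 10 in window
    few = [ev(t, "10.0.0.9", "1009") for t in (105, 110, 115)]       # 3 failures only
    noise = [ev(112, "10.0.0.5", "4625")]                              # not matched by 111004
    return burst + trickle + few + noise


if __name__ == "__main__":
    print(correlate(build_sample_events()))  # [(118, '10.0.0.5')]
```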
