if_sid and if_matched_sid


German DiCasas

Oct 14, 2025, 4:38:38 PM (5 days ago) Oct 14
to Wazuh | Mailing List
Hi team,

I want to know if it is possible in a rule to put if_sid and if_matched_sid? I mean, I want to trigger an alert after some failed logins next to a correct login with the same user. Like a brute force that ends with the correct password.

rule to get an alert after 15 failed logins:

  <rule id="300001" level="15" frequency="10" timeframe="600">
    <if_matched_sid>300000</if_matched_sid>  <!-- rule to detect fail login-->
    <same_srcip/>
    <description>Fail Login $(srcuser).</description>
  </rule>

  <rule id="30002" level="10" frequency="2" timeframe="900">
    <if_matched_sid> 300001</if_matched_sid>
    <if_sid> 300000 </if_sid>
    <same_srcuser/>
    <description>Login of $(srcuser) after several  fail logins.</description>
  </rule>

The rule 30002 is not working for me. Let me know how to figure that out. Perhaps use another syntax?

Regards

German

Olamilekan Abdullateef Ajani

Oct 14, 2025, 5:01:56 PM (5 days ago) Oct 14
to Wazuh | Mailing List
Hello German,

For this correlation, you need to refer to the successful login too. In your rule 30002, your if_sid was referencing both failed logins, the parent and child. You need to match the failed authentication after the specified period along with the successful authentication. Please see the correction below. I have tried this and it works.

  <group name="custom-test,">
    <rule id="300001" level="15" frequency="10" timeframe="600">
      <if_matched_sid>300000</if_matched_sid>
      <same_user />
      <same_srcip />
      <description>user $(dstuser) has more than 10 failed login attempts</description>
    </rule>
  </group>

  <group name="custom-test2,">
    <rule id="300002" level="12">
      <if_sid>XXXXXX</if_sid>   <!-- rule to detect successful login-->
      <if_matched_sid>300001</if_matched_sid>
      <same_srcip />
      <description>Successful connection from IP $(srcip) after failed attempts</description>
    </rule>
  </group>

Please let me know what you find.
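A small Python model of the correlation chain the corrected rules describe, added here as an illustration and not code from the thread or from Wazuh: it replays constructed login events through rules 300000 -> 300001 -> 300002 and shows that 300002 only fires when the successful-login rule is its `if_sid` parent and a 300001 alert already exists for the same srcip. It assumes a hypothetical success rule id (SUCCESS_SID) in place of XXXXXX, a pairing window (CHAIN_WINDOW) for rule 300002, and a simplified frequency count (real Wazuh counts differently).

```python
from collections import defaultdict, deque

# Thresholds taken from rule 300001 in the thread.
TIMEFRAME = 600       # seconds
FREQUENCY = 10        # failed-login alerts needed from one srcip
# Hypothetical id standing in for the <if_sid>XXXXXX</if_sid> placeholder
# (the rule that detects a successful login).
SUCCESS_SID = 300010
# Assumption: rule 300002 only pairs a success with a 300001 alert this recent.
CHAIN_WINDOW = 600

def correlate(events):
    """Replay (ts, srcip, user, outcome) events; outcome is 'fail' or 'ok'.

    Returns a list of (ts, rule_id, srcip) alerts in the order they fire.
    Simplified model: 300001 fires when FREQUENCY failures from the same
    srcip fall inside TIMEFRAME seconds; real Wazuh counting differs."""
    alerts = []
    fails = defaultdict(deque)   # srcip -> timestamps of rule 300000 alerts
    flagged = {}                 # srcip -> ts when rule 300001 last fired
    for ts, srcip, user, outcome in sorted(events):
        if outcome == "fail":
            alerts.append((ts, 300000, srcip))       # base rule: failed login
            window = fails[srcip]
            window.append(ts)
            while ts - window[0] > TIMEFRAME:        # drop matches outside timeframe
                window.popleft()
            if len(window) >= FREQUENCY:             # <if_matched_sid>300000 + <same_srcip/>
                alerts.append((ts, 300001, srcip))
                flagged[srcip] = ts
                window.clear()
        else:
            alerts.append((ts, SUCCESS_SID, srcip))  # base rule: successful login
            # Rule 300002: <if_sid> success AND <if_matched_sid>300001 from the same srcip.
            if srcip in flagged and ts - flagged[srcip] <= CHAIN_WINDOW:
                alerts.append((ts, 300002, srcip))
    return alerts

def rule_hits(alerts, rule_id):
    """Source IPs for which rule_id fired, in firing order."""
    return [srcip for _, rid, srcip in alerts if rid == rule_id]

# Constructed sample: ten failures for bob from 10.0.0.5 over 90 s, then a
# success; alice from 10.0.0.9 fails once and then logs in (below threshold).
SAMPLE_EVENTS = [(t, "10.0.0.5", "bob", "fail") for t in range(0, 100, 10)] + [
    (30, "10.0.0.9", "alice", "fail"), (40, "10.0.0.9", "alice", "ok"),
    (120, "10.0.0.5", "bob", "ok"),
]
```

In the sample, 300001 fires at t=90 s for 10.0.0.5 and 300002 at t=120 s; alice's single failure from 10.0.0.9 never reaches the threshold, so her login raises only the base success alert.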

German DiCasas

Oct 15, 2025, 4:28:32 PM (4 days ago) Oct 15
to Wazuh | Mailing List
Hi Olamilekan,

Thanks, I will try that. So, over rule 300002 same_srcip will be related to the if_matched_sid and if_sid, correct? I mean, related to 300001 and the rule related to the detected successful login.

Regards,

German

Olamilekan Abdullateef Ajani

Oct 16, 2025, 8:33:28 AM (3 days ago) Oct 16
to Wazuh | Mailing List
Hello German,

Yes, that is correct. Rule 300002 will trigger upon successful login after failed ones.

Regards
