How to make complex Alerts
117 views
Skip to first unread message
Dhiraj Ambigapathi
Jul 10, 2023, 3:07:35 PM7/10/23
to Wazuh mailing list
I want to make a Alert which matches following Scenarios
Scenario 1
3 Failed login attempt followed by 1 successful login attempt over RDP
3 Failed login attempt followed by 1 successful login attempt over SSH
Scenario 1
3 Failed login attempt followed by 1 successful login attempt over RDP
3 Failed login attempt followed by 1 successful login attempt over SSH
I've made Alerts for single conditions like BruteForce, but couldn't figure out how to make a 2 or more condition based Alert.
I've tried making Alerts using buckets, but couldn't get this working.
Lucio Donda
Jul 10, 2023, 3:53:16 PM7/10/23
to Wazuh mailing list
Hi Dhiraj,
We have some documentation on what is mandatory to do or have in order to create custom rules -> alerts. Have you checked that?
When you say that you've tried using buckets, can you elaborate?
Have you detected the events (and logs) that you need in order to achieve this? Where you able to decode them, if so, have you test them using the log test?
Let me know and if possible share with us what you've got in order for us to help better!
We have some documentation on what is mandatory to do or have in order to create custom rules -> alerts. Have you checked that?
When you say that you've tried using buckets, can you elaborate?
Have you detected the events (and logs) that you need in order to achieve this? Where you able to decode them, if so, have you test them using the log test?
Let me know and if possible share with us what you've got in order for us to help better!
Dhiraj Ambigapathi
Jul 11, 2023, 4:10:12 AM7/11/23
to Wazuh mailing list
Hi Lucio,
I've created Per Bucket Monitor to detect rule.id 5760 and then alerts are triggered when they hit a certain threshold in 1 hour. I wanted to detect 5760 and then 5710, which are two conditions one after another for 1 IP (attackers IP). My Decoders are working, but don't know how to create an Alert for 2 or more conditions.
Lucio Donda
Jul 11, 2023, 11:54:29 AM7/11/23
to Wazuh mailing list
Hi Dhiraj,
sorry for the late response I was investigating with other teammates.
Based on what you're telling me you could create a custom rule based on 5710 that would be triggered after 5760.
In order to achieve this you could use if_matched_sid -> https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#if-matched-sid
and if_sid -> https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html?highlight=if_matched_sid#if-sid
And the result will be something like:
New rule 57XX sub-rule of 5710 (triggered by the same logs) but only if 5760 was triggered in the timeframe period defined.
<rule id="57XX" frequency="2" timeframe="3600" level="13" >
<if_sid>5710</if_sid>
<if_matched_sid>5760</if_matched_sid>
...
</rule>
Bare in mind that this wasn't tested, in order for us to help us, you could share some logs and will check from our side!
Let me know how that goes!
sorry for the late response I was investigating with other teammates.
Based on what you're telling me you could create a custom rule based on 5710 that would be triggered after 5760.
In order to achieve this you could use if_matched_sid -> https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#if-matched-sid
and if_sid -> https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html?highlight=if_matched_sid#if-sid
And the result will be something like:
New rule 57XX sub-rule of 5710 (triggered by the same logs) but only if 5760 was triggered in the timeframe period defined.
<rule id="57XX" frequency="2" timeframe="3600" level="13" >
<if_sid>5710</if_sid>
<if_matched_sid>5760</if_matched_sid>
...
</rule>
Bare in mind that this wasn't tested, in order for us to help us, you could share some logs and will check from our side!
Let me know how that goes!
Dhiraj Ambigapathi
Jul 13, 2023, 9:57:28 AM7/13/23
to Wazuh mailing list
Hi Lucio,
One More thing, can This rule rune for one IP at a time. Like if 5 IP's hit all in 1 min it should track for 5 instances.
Lucio Donda
Jul 13, 2023, 10:51:36 AM7/13/23
to Wazuh mailing list
Hi Dhiraj,
I don't Know if Im understanding this correctly, you mean that all the above conditions should match only if the source IP is the same?
In that case have you checked adding srcip to the rule? more info here -> https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html?highlight=if_matched_sid#srcip
Let me know!
I don't Know if Im understanding this correctly, you mean that all the above conditions should match only if the source IP is the same?
In that case have you checked adding srcip to the rule? more info here -> https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html?highlight=if_matched_sid#srcip
Let me know!
Dhiraj Ambigapathi
Jul 13, 2023, 11:14:54 AM7/13/23
to Wazuh mailing list
Hi Lucio,So I want to detect if someone has tried to bruteforce (i.e 5760 or 5710) and then got access onto system successfully (i.e 5501). So Once rule is created it must detect for individual attacks and detect one IP as one instance.
Lucio Donda
Jul 13, 2023, 11:34:53 AM7/13/23
to Wazuh mailing list
Dhiraj:
As state before, if you define that srcip then it will detect only if the source ip where the bruteforce and the logged process was the same. Several IPs triggering the same rule won't accumulate.
I've found a similar case scenario but with different intentions, the user is trying to avoid an alert being fired by an specific set of IPs.
Take a look over here -> https://github.com/wazuh/wazuh/issues/10928#issuecomment-976300555
Let me know if that helped you!
As state before, if you define that srcip then it will detect only if the source ip where the bruteforce and the logged process was the same. Several IPs triggering the same rule won't accumulate.
I've found a similar case scenario but with different intentions, the user is trying to avoid an alert being fired by an specific set of IPs.
Take a look over here -> https://github.com/wazuh/wazuh/issues/10928#issuecomment-976300555
Let me know if that helped you!
Dhiraj Ambigapathi
Jul 13, 2023, 11:47:44 AM7/13/23
to Wazuh mailing list
Hi Lucio,
I will test all these and update you
I will test all these and update you
Message has been deleted
Lucio Donda
Jul 17, 2023, 8:06:55 AM7/17/23
to Wazuh mailing list
Hi Dhiraj:
First of all do not forget to click on answer to all In order to others users of the community have access to this conversation:
Answering this:
Hi Lucio,
First of all do not forget to click on answer to all In order to others users of the community have access to this conversation:
Answering this:
Hi Lucio,
So I tried the following rule, where I'm detecting if 5710 (failed login is detected) when in a time period of 3600 a 5501 was detected for a certain IP (srcip). But it is not working. Can you help here? I want IP (srcip) to be dynamic so that it detects each if a IP has performed 5 failed attempts (5710) then a successful attempt (5501).
<rule id="10000" level="4" frequency="5" timeframe="3600">
<if_sid>5710</if_sid>
<srcip>$srcip</srcip>
<if_matched_sid>5501</if_matched_sid>
<desceription>sshd: Potential Bruteforce Success</description>
<group>authentication_failure</group>
</rule>
In the above question, I was assuming that you knew the IP and that was a mistake (because you just want to use any IP not an specific one). I'm guessing that in your case the best option is to use
same_srcip -> https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html?highlight=if_matched_sid#same-srcip
<if_sid>5710</if_sid>
<srcip>$srcip</srcip>
<if_matched_sid>5501</if_matched_sid>
<desceription>sshd: Potential Bruteforce Success</description>
<group>authentication_failure</group>
</rule>
In the above question, I was assuming that you knew the IP and that was a mistake (because you just want to use any IP not an specific one). I'm guessing that in your case the best option is to use
same_srcip -> https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html?highlight=if_matched_sid#same-srcip
In that case, it will check what you're asking. When you test it try to use the logtest feature. -> https://documentation.wazuh.com/current/user-manual/ruleset/testing.html
Let me know how it goes
Reply all
Reply to author
Forward
0 new messages