Rule for Successful brute force login

I am creating a rule for successful brute force login. It should trigger when there is a successful login after, say, 5 failed logins. Can I create it using a matching events condition?


  • Hello Naresh,

    There are many ways to create a successful brute-force login rule. The scenario you describe, using a matching events condition, is a very common way to do it.

    You could define a rule for failed brute-force login attempts, and create an add to active list action for the fields on which you plan to match (Attacker Address, Target Address, Target Host for example). Set the aggregation to 5 in the failed login rule. Then make another rule for the matching events condition. For the first event, have it look at the active list for an entry (if an entry exists, your 5 failed login events have already occurred). Have the second event look for a successful login event. Set the matching conditions for at least the same fields as in your active list (Attacker Address, Target Address, Target Hostname). Don't forget to aggregate your fields in the aggregations tab, and set your rule actions as you desire.

    It is important for rule efficiency to have event #1 look at the failed login list you define. Doing it this way (and not evaluating successful login events first) will significantly reduce the number of partial matches.

    Let me know if I can describe this further, or help you with the nuts and bolts of the rules.

    Good luck,

    Alan

  • Hello Alan,

    Thank you for your reply.

    Is it possible that we can make that rule without an active list?

  • Hello Naresh, (sorry for the delay in replying)

    The difficulty with avoiding the active list is the inability to have two different aggregation settings in the matching events rule (5 failed and then 1 success). There is another way to achieve it (as described below).

    ***There is an issue with the following approach, but I will still explain an alternative method***

    What you could do is set the failed login rule to fire and generate a correlated event, but you do not need to send it anywhere (you may care to populate some fields, based on your schema). If you then set the matching rule's event #1 condition to be just the presence of the correlated event (so name={rulename} and type = Correlation) and then the successful login as event #2, you would get what you are looking for. The problem here, and it's a pretty big problem, is that the correlated event does not expire like an entry in an active list. So theoretically you could have 5 failed logons fire on a given day and then a week later, the successful logon condition is met, and you will get a rule fire. This is not desired in your use-case.

    I highly recommend using an active list to achieve this content, if you can.

    Let me know if I can help further,

    Alan

  • Thank you for your reply. I got what you want to say. An active list is the only option for such a kind of rule.

  • Hi Naresh,

    You are correct, you create a rule based on matching (join) events. The first event simply detects failed brute force login attempts and populates a couple of active lists with the attacker address, attacker zone, target address and target username. The second event matches the first event's attacker address etc. with a successful login event.

    Event conditions:

    >< Matching Event
        & AND
            event1.Target Address = event2.Target Address
            event1.Attacker Address = event2.Attacker Address
            event1.Attacker Zone = event2.Attacker Zone
            event1.Target Zone = event2.Target Zone
            event1.Target User Name = event2.Target User Name

    You should have a default rule (Probable Successful Attack - Brute Force) that already performs this located here:

    /All Rules/Real-time Rules/Intrusion Monitoring/Attack Monitoring/Attackers/Successful Attacks/

    If not, let me know and I'll give you the details.

    Mark
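The two-rule design described in this thread (rule 1 counts failed logins and writes the join fields to an active list with an expiry; rule 2 fires when a successful login hits a live entry) can be modelled outside ArcSight to see why the expiry matters. The following Python is an added illustration, not ArcSight's own rule engine or any code from the posters; the event dictionaries, field names, the 10-minute aggregation window, the 30-minute active list TTL and all addresses/users are constructed assumptions. Passing `ttl=None` models the correlated-event variant Alan warns about, where the entry never expires and a success a week later still fires.

```python
"""Stateful correlator modelling the two-rule active-list design from the thread."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Join fields for event1/event2 (the same fields Alan and Mark list). Assumed names.
MATCH_FIELDS = ("attacker_address", "attacker_zone",
                "target_address", "target_zone", "target_user")


def match_key(event):
    """Tuple of the join fields; this is what the active list is keyed on."""
    return tuple(event[f] for f in MATCH_FIELDS)


class BruteForceCorrelator:
    """Rule 1: `threshold` failures within `window` add the key to an active list
    whose entries live for `ttl`. Rule 2: a successful login whose join fields
    hit a live entry fires an alert. ttl=None models a correlated event that
    never expires (the problem Alan describes)."""

    def __init__(self, threshold=5, window=timedelta(minutes=10),
                 ttl=timedelta(minutes=30)):
        self.threshold = threshold
        self.window = window
        self.ttl = ttl
        self.failures = defaultdict(deque)   # key -> timestamps of failed logins
        self.active_list = {}                # key -> expiry time (None = never)
        self.alerts = []

    def _expire(self, now):
        """Drop active list entries whose TTL has passed."""
        dead = [k for k, exp in self.active_list.items()
                if exp is not None and exp <= now]
        for k in dead:
            del self.active_list[k]

    def process(self, event):
        now = event["time"]
        key = match_key(event)
        self._expire(now)
        if event["outcome"] == "failure":
            q = self.failures[key]
            q.append(now)
            while q and now - q[0] > self.window:   # slide the aggregation window
                q.popleft()
            if len(q) >= self.threshold:            # rule 1 fires: add to active list
                self.active_list[key] = None if self.ttl is None else now + self.ttl
                q.clear()
            return None
        if event["outcome"] == "success" and key in self.active_list:
            alert = {"rule": "Probable Successful Attack - Brute Force",
                     "time": now, **dict(zip(MATCH_FIELDS, key))}
            del self.active_list[key]               # one alert per failure burst
            self.alerts.append(alert)
            return alert
        return None


def make_event(time, outcome, attacker="10.0.0.5", target="10.0.0.10", user="bob"):
    """Constructed sample login event (not real log data)."""
    return {"time": time, "outcome": outcome,
            "attacker_address": attacker, "attacker_zone": "Internal",
            "target_address": target, "target_zone": "Internal", "target_user": user}


def sample_events():
    """Constructed timeline: one real burst-then-success, one unrelated success,
    and one burst whose success arrives a week later."""
    t0 = datetime(2024, 1, 1, 9, 0)
    events = [make_event(t0 + timedelta(seconds=20 * i), "failure") for i in range(5)]
    events.append(make_event(t0 + timedelta(minutes=3), "success"))                 # fires
    events.append(make_event(t0 + timedelta(minutes=5), "success", user="alice"))   # no prior failures
    t1 = t0 + timedelta(days=1)
    events += [make_event(t1 + timedelta(seconds=20 * i), "failure", attacker="10.0.0.7")
               for i in range(5)]
    events.append(make_event(t1 + timedelta(days=7), "success", attacker="10.0.0.7"))  # a week later
    return events


def run(ttl=timedelta(minutes=30)):
    """Feed the sample timeline through the correlator and return its alerts."""
    c = BruteForceCorrelator(ttl=ttl)
    for e in sample_events():
        c.process(e)
    return c.alerts


if __name__ == "__main__":
    for a in run():
        print("ALERT", a)
    print("without expiry:", len(run(ttl=None)), "alerts")
```

With the TTL in place only the first burst produces an alert; the success a week after the second burst is ignored because its active list entry has expired. With `ttl=None` both successes fire, which is exactly the stale match the thread recommends avoiding.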