OSSEC Alert: Multiple authentication failures followed by a success

This rule is part of a beta feature. To learn more, contact Support.
ossec-security

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1110-brute-force

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when multiple authentication attempts have failed, followed by one successful authentication.

Strategy

This rule monitors logs, and is triggered when there are multiple authentication failures followed by a successful authentication from the user. This could be indicative of a brute force attack against your system.

Triage and Response

  1. Check the activity detected on the system {{@syslog.hostname}} by the user {{@usr.name}}.
  2. Note the activity performed from {{@network.client.ip}}.
  3. You can either block the user {{@usr.name}} from further accessing the system or contact your administrator to take further action.
PREVIEWING: brett.blue/embedded-collector-release