OSSEC Alert: Multiple authentication failures followed by a success
Goal
Detect when multiple authentication attempts have failed, followed by one successful authentication.
Strategy
This rule monitors authentication logs and triggers when multiple authentication failures for a user are followed by a successful authentication. This pattern can indicate a brute force attack against your system in which the attacker eventually guessed a valid credential.
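To make the detection concrete, the following is an added example (not Datadog's or OSSEC's own rule logic) that applies the same strategy to sshd-style syslog lines: it counts failures per host, user and source IP inside a time window and raises an alert when a successful login arrives after at least a threshold of failures. The log lines, the threshold of 5, the 10-minute window and the year used for timestamp parsing are all assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format); not taken from the page.
SAMPLE_LOGS = [
    "Jan 10 12:00:01 web01 sshd[2101]: Failed password for alice from 203.0.113.5 port 51234 ssh2",
    "Jan 10 12:00:03 web01 sshd[2102]: Failed password for alice from 203.0.113.5 port 51235 ssh2",
    "Jan 10 12:00:05 web01 sshd[2103]: Failed password for alice from 203.0.113.5 port 51236 ssh2",
    "Jan 10 12:00:07 web01 sshd[2104]: Failed password for alice from 203.0.113.5 port 51237 ssh2",
    "Jan 10 12:00:09 web01 sshd[2105]: Failed password for alice from 203.0.113.5 port 51238 ssh2",
    "Jan 10 12:00:11 web01 sshd[2106]: Failed password for alice from 203.0.113.5 port 51239 ssh2",
    "Jan 10 12:00:14 web01 sshd[2107]: Accepted password for alice from 203.0.113.5 port 51240 ssh2",
    "Jan 10 12:01:00 web01 sshd[2108]: Failed password for bob from 198.51.100.7 port 40001 ssh2",
    "Jan 10 12:01:04 web01 sshd[2109]: Accepted password for bob from 198.51.100.7 port 40002 ssh2",
    "Jan 10 12:02:00 web01 sshd[2110]: Accepted publickey for carol from 198.51.100.9 port 40100 ssh2",
    "Jan 10 12:03:00 web01 CRON[2200]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

# Matches the sshd "Failed/Accepted password|publickey for <user> from <ip>" events.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_line(line, year=2024):
    """Parse one sshd auth line into an event dict; return None for non-auth lines.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2024 here)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"], "ip": m["ip"],
            "success": m["outcome"] == "Accepted"}


def detect_failures_then_success(lines, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per successful login that was preceded, within `window`, by at
    least `threshold` failures for the same (host, user, source IP) tuple, which mirrors
    the @syslog.hostname, @usr.name and @network.client.ip attributes used in the rule."""
    recent_failures = defaultdict(deque)  # key -> failure timestamps still inside the window
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # not an authentication event
        key = (ev["host"], ev["user"], ev["ip"])
        fails = recent_failures[key]
        # Expire failures that are older than the window relative to this event.
        while fails and ev["ts"] - fails[0] > window:
            fails.popleft()
        if not ev["success"]:
            fails.append(ev["ts"])
            continue
        if len(fails) >= threshold:
            alerts.append({
                "host": ev["host"], "user": ev["user"], "ip": ev["ip"],
                "failures": len(fails), "first_failure": fails[0], "success_at": ev["ts"],
            })
        fails.clear()  # a success resets the failure streak for this key
    return alerts


if __name__ == "__main__":
    for alert in detect_failures_then_success(SAMPLE_LOGS):
        print(f"ALERT host={alert['host']} user={alert['user']} ip={alert['ip']} "
              f"failures={alert['failures']} success_at={alert['success_at']}")
```

On the constructed input only alice's login is flagged: six failures from 203.0.113.5 and then a success within the window. Bob's single failure and carol's clean public-key login stay below the threshold, and the cron line is skipped as a non-authentication event. The window and threshold play the same role as the `timeframe` and `frequency` attributes of a correlated OSSEC rule; tune them to your environment, since too low a threshold will fire on ordinary typos.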
Triage and Response
- Check the activity detected on the system {{@syslog.hostname}} by the user {{@usr.name}}.
- Note the activity performed from {{@network.client.ip}}.
- You can either block the user {{@usr.name}} from further accessing the system or contact your administrator to take further action.