artek
Level 11
Message 1 of 3

Brute force correlation - how to create working rule?

Hello,

I was asked by my customer about the possibility of creating a brute force login correlation rule that is resistant to false positives caused by a successful login between login failures.

The problem is as follows: the customer has many login failures caused by problems with scripts launched remotely via ssh. The server logs contain something like this (this is only a schema):

authentication failed

authentication success

authentication failed

authentication success

authentication failed

authentication success

authentication failed

authentication success

authentication failed

authentication success

authentication failed

authentication success

authentication failed

authentication success

authentication failed

authentication success

authentication failed

authentication success

authentication failed

authentication success

The standard "Brute force login..." rule always hits when the correlation engine sees 10 authentication failures in a 10-minute window. In this case, unfortunately, this rule hits as well.

Again, the rule "Success login after brute force login..." hits too, and, the same as with the previous rule, it is only a false positive...

Is it possible to create a "Brute force..." rule that won't hit when there is an authentication success event between the ten authentication failures?

Regards,

Artur Sadownik

2 Replies

Re: Brute force correlation - how to create working rule?

If our SIEM allowed us to define conditions that reset the time window when they are met, I think we could do a lot better for cases like this one.

I try to think of it another way: if our SIEM solution allowed us to use attribute value pairs, we could use that as well. Say we count +1 for each failure and -1 for each success in a 10-minute time window, for example.

For your case, if it's only machine-to-machine activity, can we ignore those activities using source IP and destination IP filters?

Just my two cents!

Regards,

Parinya
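A self-contained sketch of the three counting strategies discussed in this thread (the standard failure count, a count that resets on a success as asked in the question, and the +1/-1 score suggested in the reply), run over constructed log lines. This is an added example, not ESM rule logic; the log format, IP addresses, threshold and window are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed correlation window
THRESHOLD = 10                   # assumed failure threshold

def parse(line):
    # Constructed format: "<ISO timestamp> src=<ip> authentication failed|success"
    ts, src, outcome = line.split(" ", 2)
    return datetime.fromisoformat(ts), src.split("=", 1)[1], outcome.strip()

def detect(lines, mode="reset"):
    """Return [(timestamp, src)] alerts.
    mode="standard": N failures in the window, successes ignored (the stock rule).
    mode="reset":    a success clears the failure count for that source.
    mode="score":    +1 per failure, -1 per success; alert when the net score >= N.
    """
    state, alerts = {}, []          # src -> deque of (timestamp, delta)
    for line in lines:
        ts, src, outcome = parse(line)
        q = state.setdefault(src, deque())
        while q and ts - q[0][0] > WINDOW:   # expire events outside the window
            q.popleft()
        if outcome == "authentication success":
            if mode == "reset":
                q.clear()
            elif mode == "score":
                q.append((ts, -1))
            continue
        q.append((ts, +1))
        if sum(d for _, d in q) >= THRESHOLD:
            alerts.append((ts, src))
            q.clear()                       # one alert per burst, not one per extra failure
    return alerts

def build_sample():
    # Constructed data: a flaky script host alternating failure/success each minute,
    # plus a second source producing ten straight failures 20 seconds apart.
    base, lines = datetime(2024, 1, 1, 10, 0, 0), []
    for i in range(10):
        t = base + timedelta(seconds=60 * i)
        lines.append(f"{t.isoformat()} src=10.0.0.5 authentication failed")
        lines.append(f"{(t + timedelta(seconds=30)).isoformat()} src=10.0.0.5 authentication success")
    for i in range(10):
        t = base + timedelta(seconds=20 * i)
        lines.append(f"{t.isoformat()} src=198.51.100.7 authentication failed")
    return sorted(lines)   # ISO timestamps sort chronologically as strings

if __name__ == "__main__":
    for mode in ("standard", "reset", "score"):
        print(mode, [src for _, src in detect(build_sample(), mode)])
```

The standard count flags both sources, while the reset and score variants flag only the source with uninterrupted failures.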

artek
Level 11
Message 3 of 3

Re: Brute force correlation - how to create working rule?

Hi Parinya,

Unfortunately, in this case I can't use source\destination filtering because the customer wants to use this correlation for those servers. I tried a lot of combinations, but without positive results. For example:

[attached image: ESM07.PNG]

Regards,

Artur
