I am trying to detect brute-forced logins. Based off the correlation rules that are available within ESM, it is only looking for the same user attempting to log in 5 times within 10 minutes. How would I change it so that it is looking for three or more different users attempting to log in to the same device? Any help would be appreciated.
Based off the correlation rules currently in ESM, it looks like it is looking for the same user to fail then succeed. I guess the technical term for what I am trying to detect is a reverse brute-force. The attacker would try 1 password, let's say they use "Password". The attacker could take a list of users to see if "Password" works. I would like to detect that this kind of brute-force is occurring, and if there is a success. I would like to detect multiple failed logins on the same system from a number of different users. Then I would like to detect multiple failed logins on the same system from a number of different users with a success. This would mean an attacker found a user with a valid password that was guessed.
Message was edited on 5/6/14 9:01:08 AM CDT
The 47-4000012 Login - Brute Force Login Attempts from a Single Source rule seems to do pretty much what you are talking about. If you also want to check for a specific Source User, just take the existing rule as a template and add a check for a UserIDSrc in a watchlist.
Message was edited by: mlev462251 on 5/6/14 9:03:45 AM CDT
The sig ID you are suggesting doesn't seem to come up either. I am currently trying this brute-force out, and I am not seeing anything from the IP address I am coming from. Sig ID 47-4000013 "Login - Successful Login after Brute Force Attempts from a Single Source" should work too, but I am not seeing this even pop up either.
I think rule 47-4000137 "Suspicious - User Logon from Multiple IP Addresses" is probably a closer match for what you want in terms of approach. If you can switch the roles of "Source IP" and "Source User" I think that should do it.
A few caveats:
This is definitely helpful. The issue I am having now with this is detecting a successful login after this original event has been triggered. I have attempted to add a sequence to detect a successful login event, and it still doesn't seem to be working.
There are a few things I have done. I have tried creating my own rule and nothing was flagged. I have taken the rule that comes out of the box and added an alert, and nothing flags. I have edited the rule so that it also looks for a specific sig ID 43-263046110, and that generates a large number of false positives. I am using this sig ID because this is what is generated when there is a successful login to a domain server. When looking at correlation rule 47-4000012, I am not sure if it is looking for unique user IDs. Any help would be much appreciated.
I recently set up my own, and it works well. I have an alarm set up that will blacklist the offending IP at the McAfee IPS.
Group By: Source IP
NumEvents = 10
Normalization Rule In [Login]
Event Subtype (in) [failure]
UserIDSrc (in) [My Watchlist of accounts to look for]
Additional Filters: I have mine also filtering out internal sources and looking at specific servers in an internet-facing DMZ.
Note: Your watchlist needs to contain the proper case. I have mine set up with mixed case, upper and lower. I have attached a copy of the ones I use, which are generic accounts I have often seen people try to use.
administrator
Message was edited by: gene33 on 5/15/14 1:23:50 PM CDT
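An added example, not from this thread or from McAfee ESM, showing the two rule ideas discussed here as plain Python over a handful of events: the reverse brute-force (three or more different users failing against one device from one source within the window, then a success from that source) and gene33's watchlist rule grouped by source IP. The event layout, the field order, the constructed sample log lines and the threshold values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): time, source IP, target host, user, outcome.
EVENTS = [
    ("2014-05-06 09:00:01", "10.9.9.9", "dc01", "administrator", "failure"),
    ("2014-05-06 09:00:02", "10.9.9.9", "dc01", "admin", "failure"),
    ("2014-05-06 09:00:03", "10.9.9.9", "dc01", "guest", "failure"),
    ("2014-05-06 09:00:04", "10.9.9.9", "dc01", "jsmith", "failure"),
    ("2014-05-06 09:00:09", "10.9.9.9", "dc01", "jsmith", "success"),
    ("2014-05-06 09:05:00", "10.1.1.5", "dc01", "bob", "failure"),   # one user, normal typo
    ("2014-05-06 09:05:30", "10.1.1.5", "dc01", "bob", "success"),
]
# Case-sensitive, as the thread notes: "Administrator" would not match "administrator".
WATCHLIST = {"administrator", "admin", "guest", "root"}

def parse(ev):
    ts, src, dst, user, outcome = ev
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, user, outcome

def detect(events, min_users=3, window=timedelta(minutes=10), watchlist_min=2, watchlist=WATCHLIST):
    """Return alerts as tuples (kind, source IP, target host, detail), in firing order.
    reverse_bf              : >= min_users distinct users failed from one source to one host in window
    success_after_reverse_bf: a success from that same source/host within window of the reverse_bf
    watchlist               : >= watchlist_min failures against watchlisted accounts from one source"""
    alerts = []
    failures = defaultdict(list)   # (src, dst) -> [(time, user), ...] inside the window
    fired = {}                     # (src, dst) -> time the reverse_bf alert fired
    wl_hits = defaultdict(int)     # (src, dst) -> count of watchlisted-account failures
    for ts, src, dst, user, outcome in sorted(map(parse, events)):
        key = (src, dst)
        if outcome == "failure":
            # Keep only failures still inside the sliding window, then add this one.
            failures[key] = [(t, u) for t, u in failures[key] if ts - t <= window] + [(ts, user)]
            users = {u for _, u in failures[key]}
            if len(users) >= min_users and key not in fired:
                fired[key] = ts
                alerts.append(("reverse_bf", src, dst, sorted(users)))
            if user in watchlist:
                wl_hits[key] += 1
                if wl_hits[key] == watchlist_min:   # fire once, at the threshold
                    alerts.append(("watchlist", src, dst, user))
        elif outcome == "success" and key in fired and ts - fired[key] <= window:
            alerts.append(("success_after_reverse_bf", src, dst, user))
    return alerts
```

Run against the sample, the single-user failure followed by success from 10.1.1.5 produces nothing, while 10.9.9.9 trips the watchlist rule, the reverse brute-force rule and then the success-after alert for jsmith.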