docdriza
Level 10
Message 1 of 13

Detecting bruteforce logins

I am trying to detect bruteforced logins. Based off the correlation rules that are available within ESM, it is only looking for the same user attempting to log in 5 times within 10 minutes. How would I change it so that it is looking for three or more different users attempting to log in to the same device? Any help would be appreciated.

Thanks.

12 Replies

Re: Detecting bruteforce logins

I'd say using a watchlist for source user.

docdriza
Level 10
Message 3 of 13

Re: Detecting bruteforce logins

Based off the correlation rules currently in ESM, it looks like it is looking for the same user to fail then succeed. I guess the technical term for what I am trying to detect is a reverse brute-force. The attacker would try 1 password, let's say they use "Password". The attacker could take a list of users to see if "Password" works. I would like to detect that this kind of brute-force is occurring, and if there is a success. I would like to detect multiple failed logins on the same system from a number of different users. Then I would like to detect multiple failed logins on the same system from a number of different users with a success. This would mean an attacker found a user with a valid password that was guessed.

on 5/6/14 9:01:08 AM CDT

Re: Detecting bruteforce logins

The 47-4000012 Login - Brute Force Login Attempts from a Single Source rule seems to do pretty much what you are talking about. If you also want to check for a specific Source User, just take the existing rule as a template and add a check for a UserIDSrc in a watchlist.

Message was edited by: mlev462251 on 5/6/14 9:03:45 AM CDT
docdriza
Level 10
Message 5 of 13

Re: Detecting bruteforce logins

The sig ID you are suggesting doesn't seem to come up either. I am currently trying this bruteforce out, and I am not seeing anything from the IP address I am coming from. Sig ID 47-4000013 "Login - Successful Login after Brute Force Attempts from a Single Source" should work too, but I am not seeing this even pop up either.

acommons
Level 10
Message 6 of 13

Re: Detecting bruteforce logins

I think rule 47-4000137 "Suspicious - User Logon from Multiple IP Addresses" is probably a closer match for what you want in terms of approach. If you can switch the roles of "Source IP" and "Source User" I think that should do it.

A few caveats:

  1. You will have to either change the default aggregation settings or turn off aggregation for the events you want to track since the default aggregation will hide all but the last username in the aggregation group.
  2. Case sensitivity and user aliases need to be taken into account and these are not handled well in the correlation engine.
docdriza
Level 10
Message 7 of 13

Re: Detecting bruteforce logins

This is definitely helpful. The issue I am having now with this is detecting a successful login after this original event has been triggered. I have attempted to add a sequence to detect a successful login event, and it still doesn't seem to be working.

Ideas?

Re: Detecting bruteforce logins

Can you provide what you have done so far?

docdriza
Level 10
Message 9 of 13

Re: Detecting bruteforce logins

There are a few things I have done. I have tried creating my own rule and nothing was flagged. I have taken the rule that comes out of the box, and added an alert, and nothing flags. I have edited the rule so that it also looks for a specific sig ID 43-263046110, and that generates a large number of false positives. I am using this sig ID because this is what is generated when there is a successful login to a domain server. When looking at correlation rule 47-4000012, I am not sure if it is looking for unique user IDs. Any help would be much appreciated.

gene33
Level 9
Message 10 of 13

Re: Detecting bruteforce logins

I recently set up my own, and it works well. I have an alarm set up that will blacklist the offending IP at the McAfee IPS.

Group By: Source IP

NumEvents = 10

Important Filters:

Normalization Rule In [Login]

Event Subtype (in) [failure]

UserIDSrc (in) [My Watchlist of accounts to look for]

Additional Filters:  I have mine also filtering out internal sources and looking at specific servers in an internet facing DMZ.

[Attached screenshots: AND Statement.jpg, rule.jpg]

Note: Your watchlist needs to contain the proper case. I have mine set up with mixed case, upper and lower. I have attached a copy of the ones I use, which are generic accounts I have often seen people try to use.

Example:

Administrator

ADMINISTRATOR

administrator

Message was edited by: gene33 on 5/15/14 1:23:50 PM CDT
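As an added illustration of the logic discussed in acommons' reply (group by the target, count distinct source users, then sequence a success) and in gene33's rule (login failures grouped by source, with the case-sensitivity caveat), here is a small Python correlation sketch. It is not ESM code or anything posted in the thread; the event tuples, hostnames, IPs and usernames are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample events (not from the thread):
# (time_sec, src_ip, dst_host, user, outcome)
EVENTS = [
    (0,   "10.0.0.5", "dc01", "Administrator", "failure"),
    (30,  "10.0.0.5", "dc01", "ADMINISTRATOR", "failure"),  # same account, other case
    (60,  "10.0.0.5", "dc01", "jsmith",        "failure"),
    (90,  "10.0.0.5", "dc01", "mjones",        "failure"),
    (120, "10.0.0.5", "dc01", "akhan",         "failure"),
    (150, "10.0.0.5", "dc01", "akhan",         "success"),
    (200, "10.0.0.9", "dc01", "bob",           "failure"),
]

def correlate(events, distinct_users=3, window=600):
    """Return (spray_alerts, success_alerts).

    spray_alerts: (time, src_ip, dst_host, users) once at least
      `distinct_users` different accounts (case-folded) have failed against
      one host from one source inside `window` seconds.
    success_alerts: (time, src_ip, dst_host, user) for a success from a
      source/host pair that already raised a spray alert within `window`.
    Events are assumed to arrive in time order."""
    failures = defaultdict(deque)   # (src_ip, dst_host) -> deque of (time, user)
    sprayed = {}                    # (src_ip, dst_host) -> time of spray alert
    spray_alerts, success_alerts = [], []
    for t, src, dst, user, outcome in events:
        key = (src, dst)
        # Caveat 2 in the thread: fold case so "Administrator" and
        # "ADMINISTRATOR" count as one account, not two.
        user = user.lower()
        if outcome == "failure":
            q = failures[key]
            q.append((t, user))
            while q and t - q[0][0] > window:   # drop failures outside the window
                q.popleft()
            users = {u for _, u in q}
            if len(users) >= distinct_users and key not in sprayed:
                sprayed[key] = t                # one spray alert per source/host pair
                spray_alerts.append((t, src, dst, sorted(users)))
        elif outcome == "success" and key in sprayed and t - sprayed[key] <= window:
            success_alerts.append((t, src, dst, user))
    return spray_alerts, success_alerts
```

Grouping by `(src_ip, dst_host)` mirrors swapping the roles of "Source IP" and "Source User" suggested above; swap the key for `dst_host` alone to catch the same password tried against one host from many sources.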