12 Replies. Latest reply on May 16, 2014 1:19 PM by gene33

    Detecting bruteforce logins

    docdriza

      I am trying to detect brute-forced logins. Based on the correlation rules that are available within ESM, it is only looking for the same user attempting to log in 5 times within 10 minutes. How would I change it so that it is looking for three or more different users attempting to log in to the same device? Any help would be appreciated.


      Thanks.

        • 1. Re: Detecting bruteforce logins
          mlev462251

          I'd say use a watchlist for source user.

          • 2. Re: Detecting bruteforce logins
            docdriza

            Based on the correlation rules currently in ESM, it looks like it is looking for the same user to fail then succeed. I guess the technical term for what I am trying to detect is a reverse brute-force. The attacker would try 1 password, let's say they use "Password". The attacker could take a list of users to see if "Password" works. I would like to detect that this kind of brute-force is occurring, and if there is a success. I would like to detect multiple failed logins on the same system from a number of different users. Then I would like to detect multiple failed logins on the same system from a number of different users with a success. This would mean an attacker found a user with a valid password that was guessed.


            on 5/6/14 9:01:08 AM CDT
            • 3. Re: Detecting bruteforce logins
              mlev462251

              The 47-4000012 "Login - Brute Force Login Attempts from a Single Source" rule seems to do pretty much what you are talking about. If you also want to check for a specific Source User, just take the existing rule as a template and add a check for a UserIDSrc in a watchlist.


              Message was edited by: mlev462251 on 5/6/14 9:03:45 AM CDT
              1 of 1 people found this helpful
              • 4. Re: Detecting bruteforce logins
                docdriza

                The sig ID you are suggesting doesn't seem to come up either. I am currently trying this brute-force out, and I am not seeing anything from the IP address I am coming from. Sig ID 47-4000013 "Login - Successful Login after Brute Force Attempts from a Single Source" should work too, but I am not seeing this pop up either.

                • 5. Re: Detecting bruteforce logins
                  acommons

                  I think rule 47-4000137 "Suspicious - User Logon from Multiple IP Addresses" is probably a closer match for what you want in terms of approach. If you can switch the roles of "Source IP" and "Source User" I think that should do it.


                  A few caveats:

                  1. You will have to either change the default aggregation settings or turn off aggregation for the events you want to track since the default aggregation will hide all but the last username in the aggregation group.
                  2. Case sensitivity and user aliases need to be taken into account and these are not handled well in the correlation engine.
                  1 of 1 people found this helpful
                  • 6. Re: Detecting bruteforce logins
                    docdriza

                    This is definitely helpful. The issue I am having now with this is detecting a successful login after this original event has been triggered. I have attempted to add a sequence to detect a successful login event, and it still doesn't seem to be working.


                    Ideas?

                    • 7. Re: Detecting bruteforce logins
                      davids15

                      Can you provide what you have done so far?

                      • 8. Re: Detecting bruteforce logins
                        docdriza

                        There are a few things I have done. I have tried creating my own rule and nothing was flagged. I have taken the rule that comes out of the box and added an alert, and nothing flags. I have edited the rule so that it also looks for a specific sig ID, 43-263046110, and that generates a large number of false positives. I am using this sig ID because this is what is generated when there is a successful login to a domain server. When looking at correlation rule 47-4000012, I am not sure if it is looking for unique user IDs. Any help would be much appreciated.

                        • 9. Re: Detecting bruteforce logins
                          gene33

                          I recently set up my own, and it works well. I have an alarm set up that will blacklist the offending IP at the McAfee IPS.


                          Group By: Source IP

                          NumEvents = 10


                          Important Filters:

                          Normalization Rule In [Login]

                          Event Subtype (in) [failure]

                          UserIDSrc (in) [My Watchlist of accounts to look for]


                          Additional Filters: I have mine also filtering out internal sources and looking at specific servers in an internet-facing DMZ.

                          Attachments: AND Statement.jpg, rule.jpg

                          Note: Your watchlist needs to contain the proper case. I have mine set up with mixed case, upper and lower. I have attached a copy of the ones I use, which are generic accounts I have often seen people try to use.


                          Example:

                          Administrator

                          ADMINISTRATOR

                          administrator


                          Message was edited by: gene33 on 5/15/14 1:23:50 PM CDT
                          1 of 1 people found this helpful
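The detection gene33 describes (group failed logins by source IP, fire at a count threshold, then watch for the follow-on success docdriza asked about) written out as an added Python example; this is not code from the thread or from McAfee ESM. The login records are constructed, and usernames are lower-cased before counting so that the case-sensitivity caveat acommons and gene33 raise does not split one account into several "users".

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, normalized login events: (timestamp, src_ip, dst_host, user, outcome).
# 203.0.113.5 sprays one password across several accounts and then gets in;
# 198.51.100.9 is one user retyping the same account in different case.
EVENTS = [
    ("2014-05-06T09:00:01", "203.0.113.5", "dc01", "Administrator", "failure"),
    ("2014-05-06T09:00:03", "203.0.113.5", "dc01", "backup", "failure"),
    ("2014-05-06T09:00:05", "203.0.113.5", "dc01", "svc_sql", "failure"),
    ("2014-05-06T09:00:07", "203.0.113.5", "dc01", "jsmith", "failure"),
    ("2014-05-06T09:00:09", "203.0.113.5", "dc01", "jsmith", "success"),
    ("2014-05-06T09:00:02", "198.51.100.9", "dc01", "mlev", "failure"),
    ("2014-05-06T09:00:04", "198.51.100.9", "dc01", "MLEV", "failure"),
    ("2014-05-06T09:00:06", "198.51.100.9", "dc01", "Mlev", "failure"),
]


def detect_reverse_bruteforce(events, min_users=3, window=timedelta(minutes=10)):
    """Return alerts keyed by (src_ip, dst_host).

    An alert fires when one source IP fails logins for at least `min_users`
    distinct usernames (compared case-insensitively) against one device within
    `window`. A later success from that source on that device upgrades the
    alert to 'compromise' and records which account was guessed.
    """
    ordered = sorted(events, key=lambda e: e[0])  # evaluate the sequence in time order
    failures = defaultdict(list)  # (src_ip, host) -> [(ts, user_lower), ...]
    alerts = {}
    for ts_s, src, host, user, outcome in ordered:
        ts = datetime.fromisoformat(ts_s)
        key = (src, host)
        if outcome == "failure":
            failures[key].append((ts, user.lower()))
            # drop failures that have aged out of the sliding window
            failures[key] = [(t, u) for t, u in failures[key] if ts - t <= window]
            distinct = {u for _, u in failures[key]}
            if len(distinct) >= min_users and key not in alerts:
                alerts[key] = {"stage": "spray", "users": sorted(distinct)}
        elif outcome == "success" and key in alerts:
            alerts[key]["stage"] = "compromise"
            alerts[key]["compromised_user"] = user
    return alerts


if __name__ == "__main__":
    for (src, host), alert in detect_reverse_bruteforce(EVENTS).items():
        print(f"{src} -> {host}: {alert}")
```

Run against the constructed events, only 203.0.113.5 alerts (stage "compromise", guessed account "jsmith"); the mixed-case retries from 198.51.100.9 collapse to one user and stay quiet.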