[prelude-user] Prelude correlator "Brute Force attack/Multiple failed login against a single account"

Jaime Ventura jaimeventura at ipp.pt
Tue Mar 16 14:49:17 CET 2010


I've been doing some debugging and noticed the following:

On prelude correlator 1.0.0~rc4:
/usr/share/python-support/prelude-correlator/PreludeCorrelator/plugins/bruteforce.py
-----------------
...
    def run(self, idmef):
        if not idmef.match("alert.classification.text",
                           re.compile("[Ll]ogin|[Aa]uthentication")):
            return
...
------------
Which means it matches any "login" or "authentication" alert regardless of
"alert.assessment.impact.completion".

On the opposite, on prelude correlator (0.9.0~beta3 and using lua):
------------
...
local is_failed_auth = INPUT:match("alert.classification.text",
                                   "[Ll]ogin|[Aa]uthentication",
                                   "alert.assessment.impact.completion",
                                   "failed")
...
--------------
Which means "alert.assessment.impact.completion" is tested.

I'm testing the following changes:

--- bruteforce.py-orig  2010-03-16 12:26:52.000000000 +0000
+++ bruteforce.py       2010-03-16 12:30:05.000000000 +0000
@@ -52,7 +52,7 @@
 
 
     def run(self, idmef):
-        if not idmef.match("alert.classification.text",
re.compile("[Ll]ogin|[Aa]uthentication")):
+        if not idmef.match("alert.classification.text",
re.compile("[Ll]ogin|[Aa]uthentication"),
"alert.assessment.impact.completion", re.compile("[Ff]ailed")):
             return
 
         self._BruteForce(idmef)
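Review bot: the new criterion on "alert.assessment.impact.completion" in the `+` lines also drops alerts that carry no completion value at all, not only those marked as succeeded, so a sensor that never fills in that field will silently stop feeding the brute-force counter; if that is intended, say so in a comment above the `if`, otherwise handle the missing-field case separately from the `[Ff]ailed` test. Also note that, as pasted, the `re.compile(...)` and `"alert.assessment.impact.completion", ...` continuation lines have been wrapped by the mail client and lack their leading `-`/`+` markers, so `patch` will not apply this hunk as shown; attach the diff as a file instead.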


Please give me some feedback.
Thanks
    Jaime
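To make the difference between the two tests concrete, here is an added Python simulation; it is not Prelude's code. The `match()` helper is a hypothetical stand-in for `idmef.match()`, the alerts are constructed flat dicts, and the threshold is made up for the demo.

```python
import re

# Constructed, flattened IDMEF alerts keyed by dotted path (not real Prelude objects).
def alert(text, completion, user):
    return {"alert.classification.text": text,
            "alert.assessment.impact.completion": completion,
            "alert.target.user.user_id.name": user}

ALERTS = ([alert("User login", "succeeded", "alice")] * 4
          + [alert("Authentication failure", "failed", "bob")] * 3
          + [alert("User login", "succeeded", "bob"),
             alert("Login", "failed", "carol"),
             alert("Port scan", "succeeded", "carol")])

def match(a, *criteria):
    """Hypothetical stand-in for idmef.match(): every (path, pattern) pair must hold.
    A compiled regex is searched, a plain string must be equal, a missing path never matches."""
    for path, pattern in zip(criteria[::2], criteria[1::2]):
        value = a.get(path)
        if value is None:
            return False
        if hasattr(pattern, "search"):
            if not pattern.search(value):
                return False
        elif value != pattern:
            return False
    return True

LOGIN = re.compile("[Ll]ogin|[Aa]uthentication")
FAILED = re.compile("[Ff]ailed")
THRESHOLD = 3  # made-up threshold for this demo, not the plugin's setting

def login_counts(alerts, require_failed):
    """Per-account number of alerts the rule passes to the brute-force counter.
    require_failed=False is the 1.0.0~rc4 test; True is the patched test."""
    counts = {}
    for a in alerts:
        criteria = ["alert.classification.text", LOGIN]
        if require_failed:
            criteria += ["alert.assessment.impact.completion", FAILED]
        if match(a, *criteria):
            user = a["alert.target.user.user_id.name"]
            counts[user] = counts.get(user, 0) + 1
    return counts

def suspects(alerts, require_failed):
    """Accounts whose counted alerts reach THRESHOLD; alice only appears without the fix."""
    return sorted(u for u, n in login_counts(alerts, require_failed).items() if n >= THRESHOLD)
```

With the rc4 test alice's four successful logins are enough to flag her; with the patched test only bob's three failures count.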

Jaime Ventura wrote:
> Hello.
> I'm using prelude for over a year, and I've decided to update to 1.0.0
> RC releases of the several prelude components.
> Everything seems to work fine, except for Prelude correlator.
> I notice that Prelude correlator(1.0.0~rc4) is detecting "Brute Force
> attack/Multiple failed login against a single account" while all events
> are "login successfully".
>
> Can anyone help me on this?
> Thanks.
> Jaime
>
> _______________________________________________
> Prelude-user site list
> Prelude-user at prelude-technologies.com
> http://lists.prelude-technologies.com/mailman/listinfo/prelude-user

