[prelude-user] Prelude correlator "Brute Force attack/Multiple failed login against a single account"
G Ramon Gomez
ggomez at ragingwire.com
Tue Mar 16 16:17:59 CET 2010
Jaime,
When I wrote the original version of this rule for the correlator, the intention was to avoid triggering the rule when scripts (or other automated systems) ran. Some of them can be very chatty when taken from a syslog stream.
Removing the completion check might have been an oversight, or it might have been done for the benefit of non-syslog (specifically NIDS) systems where that completion data might not be available (I think this would be an oversight, too, since the rule would work in smaller environments, and stop being useful in enterprise environments).
Anyways, I DO think the rule should reflect the change you suggest back to the original.
- Ramon
----- Original Message -----
From: prelude-user-bounces at prelude-technologies.com <prelude-user-bounces at prelude-technologies.com>
To: prelude-user at prelude-technologies.com <prelude-user at prelude-technologies.com>
Sent: Tue Mar 16 06:49:17 2010
Subject: Re: [prelude-user] Prelude correlator "Brute Force attack/Multiple failed login against a single account"
I've been doing some debugging and notice the following:
On prelude correlator 1.0.0~rc4:
/usr/share/python-support/prelude-correlator/PreludeCorrelator/plugins/bruteforce.py
-----------------
...
def run(self, idmef):
    if not idmef.match("alert.classification.text",
                       re.compile("[Ll]ogin|[Aa]uthentication")):
        return
...
------------
Which means matching any "login" or "authentication" regardless of "alert.assessment.impact.completion".
On the opposite, on prelude correlator (0.9.0~beta3 and using lua):
------------
...
local is_failed_auth = INPUT:match("alert.classification.text",
                                   "[Ll]ogin|[Aa]uthentication",
                                   "alert.assessment.impact.completion",
                                   "failed")
...
--------------
Which means "alert.assessment.impact.completion" is tested.
I'm testing the following changes:
--- bruteforce.py-orig 2010-03-16 12:26:52.000000000 +0000
+++ bruteforce.py 2010-03-16 12:30:05.000000000 +0000
@@ -52,7 +52,7 @@
def run(self, idmef):
- if not idmef.match("alert.classification.text",
re.compile("[Ll]ogin|[Aa]uthentication")):
+ if not idmef.match("alert.classification.text",
re.compile("[Ll]ogin|[Aa]uthentication"),
"alert.assessment.impact.completion", re.compile("[Ff]ailed")):
return
self._BruteForce(idmef)
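Review bot: the added completion test (the `+` line ending in `re.compile("[Ff]ailed")):`) makes run() return for any alert that has no alert.assessment.impact.completion at all, not only for alerts whose completion is "succeeded", so sensors that never fill that field (Ramon mentions NIDS) will stop feeding _BruteForce entirely; if that is not intended, read the completion separately and skip only alerts where it is present and does not match "failed", and record the behaviour change in the plugin's docstring. Also, as pasted the hunk will not apply: the removed line is wrapped onto two lines with a `-` on only the first, and the header `@@ -52,7 +52,7 @@` counts one changed line per side while two `+` lines appear, so re-send the diff as an attachment or with line wrapping disabled.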
Please give me some feedback.
Thanks
Jaime
Jaime Ventura wrote:
> Hello.
> I'm using prelude for over 1 year, and I've decided to update to the 1.0.0
> RC releases of the several prelude components.
> Everything seems to work fine, except for Prelude correlator.
> I notice that Prelude correlator (1.0.0~rc4) is detecting "Brute Force
> attack/Multiple failed login against a single account" while all events
> are "login successfully".
>
> Can anyone help me on this?
> Thanks.
> Jaime
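To make the difference between the two tests Jaime compares concrete, here is a small stand-alone simulation of the plugin's first check and the per-account count behind it. It is added here and is not code from prelude-correlator or from either poster: the alerts are constructed dicts keyed by IDMEF paths, the threshold of 5 is assumed, and grouping on alert.target(0).user.user_id(0).name is my assumption about what the plugin counts on.

```python
import re
from collections import defaultdict

AUTH_RE = re.compile("[Ll]ogin|[Aa]uthentication")
FAILED_RE = re.compile("[Ff]ailed")
THRESHOLD = 5          # assumed; the real plugin's count and window are not on the page
USER_PATH = "alert.target(0).user.user_id(0).name"   # assumed grouping key

# Constructed IDMEF-like alerts (plain dicts keyed by IDMEF path), not real
# prelude objects: five successful logins and one failure for "alice", plus
# one login alert from a sensor that does not fill in completion at all.
ALERTS = (
    [{"alert.classification.text": "Login successful",
      "alert.assessment.impact.completion": "succeeded",
      USER_PATH: "alice"}] * 5
    + [{"alert.classification.text": "Authentication failure",
        "alert.assessment.impact.completion": "failed",
        USER_PATH: "alice"}]
    + [{"alert.classification.text": "Login attempt",
        USER_PATH: "alice"}]
)


def is_counted(alert, require_failed):
    """First test of the plugin's run() in its two variants.

    require_failed=False mirrors 1.0.0~rc4: any login/authentication alert
    is counted.  require_failed=True mirrors the 0.9 Lua rule and Jaime's
    patch: completion must also match "failed".  An alert with no
    completion field is then dropped as well (Ramon's NIDS concern).
    """
    if not AUTH_RE.search(alert.get("alert.classification.text", "")):
        return False
    if require_failed:
        return bool(FAILED_RE.search(
            alert.get("alert.assessment.impact.completion", "")))
    return True


def brute_force_accounts(alerts, require_failed, threshold=THRESHOLD):
    """Accounts whose counted alerts reach the threshold within the batch."""
    per_account = defaultdict(int)
    for alert in alerts:
        if is_counted(alert, require_failed):
            per_account[alert.get(USER_PATH, "<unknown>")] += 1
    return {user for user, n in per_account.items() if n >= threshold}
```

brute_force_accounts(ALERTS, require_failed=False) returns {'alice'}, the false positive Jaime reported on successful logins; with require_failed=True only the single failure is counted and the result is an empty set.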
_______________________________________________
Prelude-user site list
Prelude-user at prelude-technologies.com
http://lists.prelude-technologies.com/mailman/listinfo/prelude-user