So I have a log file that logs user login attempts made to a domain controller like so (bro/zeek):

2019-03-15T10:50:30-0600 CAnW7i1DW5gZp7c6Vd cx.x.x.x 62469 sx.x.x.x 88 AS user/domain krbtgt/domain F KDC_ERR_PREAUTH_FAILED - 2037-09-12T20:48:05-0600 - T T -

In looking at the man page at: http://simple-evcorr.github.io/man.html I'm looking at:

type=SingleWithThreshold
ptype=RegExp
pattern=sshd\[\d+\]: Failed .+ for (\S+) from [\d.]+ port \d+ ssh2
desc=Three SSH login failures within 1m for user $1
action=pipe '%s' /bin/mail -s 'SSH login alert' root@localhost
window=60
thresh=3

My plan is to match on the cx.x.x.x IP address and username. From the above I know I can do this, but I do NOT want to match on the same user... the idea is to catch a single IP address (workstation) that fails to log in to a Windows Domain Controller using more than one username (domain user brute force). I don't want to match on just one username (in this case at least) as, say, if a user's password expires over the weekend, then multiple failed attempts would happen for the same user. Any advice on how to, in layman's terms, "match on a single IP with 3 failed attempts from three different usernames in 60 seconds"?

Thank you.

James
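As an added illustration (not from the post, and not SEC rule syntax), the correlation James is asking for, written in Python over constructed Zeek kerberos.log lines that use the same column layout as the line quoted above: per source IP, count distinct usernames among failed AS requests inside a sliding 60-second window and flag the IP once that count reaches 3. It assumes the positional fields seen in the sample (ts, uid, id.orig_h, ..., request_type, client, service, success, error_msg) and that lines arrive in time order.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample kerberos.log lines (same column order as the line in the post).
# Host 10.0.0.5 fails pre-auth for three different users inside 30 seconds;
# host 10.0.0.9 fails once for one user and then succeeds.
SAMPLE_LOG = """\
2019-03-15T10:50:30-0600 CAnW7i1DW5gZp7c6Vd 10.0.0.5 62469 10.0.0.1 88 AS alice/EXAMPLE krbtgt/EXAMPLE F KDC_ERR_PREAUTH_FAILED - 2037-09-12T20:48:05-0600 - T T -
2019-03-15T10:50:40-0600 CAnW7i1DW5gZp7c6Ve 10.0.0.5 62470 10.0.0.1 88 AS alice/EXAMPLE krbtgt/EXAMPLE F KDC_ERR_PREAUTH_FAILED - 2037-09-12T20:48:05-0600 - T T -
2019-03-15T10:50:50-0600 CAnW7i1DW5gZp7c6Vf 10.0.0.5 62471 10.0.0.1 88 AS bob/EXAMPLE krbtgt/EXAMPLE F KDC_ERR_PREAUTH_FAILED - 2037-09-12T20:48:05-0600 - T T -
2019-03-15T10:51:00-0600 CAnW7i1DW5gZp7c6Vg 10.0.0.5 62472 10.0.0.1 88 AS carol/EXAMPLE krbtgt/EXAMPLE F KDC_ERR_PREAUTH_FAILED - 2037-09-12T20:48:05-0600 - T T -
2019-03-15T10:55:00-0600 CAnW7i1DW5gZp7c6Vh 10.0.0.9 62473 10.0.0.1 88 AS dave/EXAMPLE krbtgt/EXAMPLE F KDC_ERR_PREAUTH_FAILED - 2037-09-12T20:48:05-0600 - T T -
2019-03-15T10:55:10-0600 CAnW7i1DW5gZp7c6Vi 10.0.0.9 62474 10.0.0.1 88 AS dave/EXAMPLE krbtgt/EXAMPLE T - - 2037-09-12T20:48:05-0600 aes256-cts-hmac-sha1-96 T T -
"""


def parse_failed_as_request(line):
    """Return (timestamp, source_ip, user) for a failed AS request, else None.
    Field positions are assumed from the sample line: ts=0, id.orig_h=2,
    request_type=6, client=7, success=9."""
    f = line.split()
    if len(f) < 11 or f[6] != "AS" or f[9] != "F":
        return None
    ts = datetime.strptime(f[0], "%Y-%m-%dT%H:%M:%S%z")  # %z accepts -0600
    return ts, f[2], f[7]


def find_spraying_sources(lines, window=60, thresh=3):
    """Map each source IP that had failed AS requests for at least `thresh`
    distinct users within any `window` seconds to the sorted user set seen
    when the threshold was first crossed (one alert per IP)."""
    recent = defaultdict(deque)  # ip -> (ts, user) of failures, oldest first
    alerts = {}
    for line in lines:
        parsed = parse_failed_as_request(line)
        if parsed is None:
            continue
        ts, ip, user = parsed
        q = recent[ip]
        q.append((ts, user))
        # Drop failures that fell out of the sliding window (input is time-ordered).
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= thresh and ip not in alerts:
            alerts[ip] = sorted(users)
    return alerts


if __name__ == "__main__":
    for ip, users in find_spraying_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: failed pre-auth for {len(users)} distinct users: {', '.join(users)}")
```

Repeated failures for the same account (the expired-password case) never raise the distinct-user count, so they do not trigger on their own.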


_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
