OSSEC Alert: Multiple authentication failures

This rule is part of a beta feature. To learn more, contact Support.
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when multiple failed authentication attempts are detected by OSSEC.

Strategy

This rule lets you monitor if there are multiple authentication failures in a limited time interval.

Triage and Response

  1. Check the activity detected on the System: {{@syslog.hostname}}.

  2. Analyze the rule that triggered along with the brief description and log message attached with the log:

    • Rule ID: {{@rule_id}}
    • Description: {{@description}}
    • Log Message: {{@log}}
  3. Inform your administrator to take further action for the detected failed activity.