OSSEC Alert: Multiple authentication failures followed by a success
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect when multiple authentication attempts have failed, followed by one successful authentication.
Strategy
This rule monitors logs, and is triggered when there are multiple authentication failures followed by a successful authentication from the user. This could be indicative of a brute force attack against your system.
Triage and Response
- Check the activity detected on the system
{{@syslog.hostname}}
by the user {{@usr.name}}
. - Note the activity performed from
{{@network.client.ip}}
. - You can either block the user
{{@usr.name}}
from further accessing the system or contact your administrator to take further action.