OSSEC Alert: Multiple authentication failures followed by a success

This rule is part of a beta feature. To learn more, contact Support.
This page is not available in Japanese. We are working on translating it. If you have any questions or comments about the translation, please contact us.

Goal

Detect when multiple authentication attempts have failed, followed by one successful authentication.

Strategy

This rule monitors logs and is triggered when multiple authentication failures are followed by a successful authentication from the same user. This pattern could indicate a brute-force attack against your system.
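As an added illustration of this strategy (example code, not part of the Datadog rule or of OSSEC itself), the following Python sketch applies the same failures-then-success logic to constructed sshd-style syslog lines, keyed by the user and client IP that the triage steps reference; the threshold, time window, field names and sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in sshd/syslog style (not real log data).
SAMPLE_LOGS = """\
2024-03-01T10:00:01 host01 sshd[1201]: Failed password for alice from 203.0.113.5 port 51000 ssh2
2024-03-01T10:00:03 host01 sshd[1201]: Failed password for alice from 203.0.113.5 port 51002 ssh2
2024-03-01T10:00:05 host01 sshd[1201]: Failed password for alice from 203.0.113.5 port 51004 ssh2
2024-03-01T10:00:07 host01 sshd[1201]: Failed password for alice from 203.0.113.5 port 51006 ssh2
2024-03-01T10:00:09 host01 sshd[1201]: Accepted password for alice from 203.0.113.5 port 51008 ssh2
2024-03-01T10:05:00 host01 sshd[1300]: Failed password for bob from 198.51.100.7 port 40000 ssh2
2024-03-01T10:05:02 host01 sshd[1300]: Accepted password for bob from 198.51.100.7 port 40002 ssh2
"""

# Assumed log layout: "<timestamp> <host> sshd[pid]: Failed|Accepted password for <user> from <ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)

def detect_failures_then_success(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return one alert per success preceded by >= threshold failures
    for the same (user, client IP) inside the time window (assumed defaults)."""
    failures = defaultdict(deque)  # (user, ip) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication event this detector understands
        ts = datetime.fromisoformat(m["ts"])
        recent = failures[(m["user"], m["ip"])]
        # forget failures that fell out of the sliding window
        while recent and ts - recent[0] > window:
            recent.popleft()
        if m["result"] == "Failed":
            recent.append(ts)
            continue
        if len(recent) >= threshold:  # a success right after a burst of failures
            alerts.append({
                "syslog.hostname": m["host"],
                "usr.name": m["user"],
                "network.client.ip": m["ip"],
                "failures_before_success": len(recent),
            })
        recent.clear()  # any success, alerting or not, resets the counter
    return alerts
```

Calling `detect_failures_then_success(SAMPLE_LOGS)` returns a single alert for alice (four failures, then a success), while bob's single failure stays under the threshold.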

Triage and Response

  1. Check the activity detected on the system {{@syslog.hostname}} by the user {{@usr.name}}.
  2. Note the activity performed from {{@network.client.ip}}.
  3. You can either block the user {{@usr.name}} from further accessing the system or contact your administrator to take further action.