-- Copyright (C) 2006 G Ramon Gomez <gene at gomezbrothers dot com>
-- Copyright (C) 2008 PreludeIDS Technologies <info@prelude-ids.com>
-- All Rights Reserved.
--
-- This file is part of the Prelude-Correlator program.
--
-- This program is free software; you can redistribute it and/or modify
-- it under the terms of the GNU General Public License as published by
-- the Free Software Foundation; either version 2, or (at your option)
-- any later version.
--
-- This program is distributed in the hope that it will be useful,
-- but WITHOUT ANY WARRANTY; without even the implied warranty of
-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- GNU General Public License for more details.
--
-- You should have received a copy of the GNU General Public License
-- along with this program; see the file COPYING. If not, write to
-- the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
function brute_force(INPUT)
local is_failed_auth = INPUT:match("alert.classification.text", "[Ll]ogin|[Aa]uthentication",
"alert.assessment.impact.completion", "failed")
local result = INPUT:match("alert.source(*).node.address(*).address", "(.+)",
"alert.target(*).node.address(*).address", "(.+)");
if is_failed_auth and result then
for i, source in ipairs(result[1]) do
for i, target in ipairs(result[2]) do
local ctx = Context.update("BRUTE_ST_" .. source .. target, { expire = 2, threshold = 5 })
ctx:set("alert.source(>>)", INPUT:getraw("alert.source"))
ctx:set("alert.target(>>)", INPUT:getraw("alert.target"))
ctx:set("alert.correlation_alert.alertident(>>).alertident", INPUT:getraw("alert.messageid"))
ctx:set("alert.correlation_alert.alertident(-1).analyzerid", INPUT:getAnalyzerid())
if ctx:CheckAndDecThreshold() then
ctx:set("alert.classification.text", "Brute force attack")
ctx:set("alert.correlation_alert.name", "Multiple failed login")
ctx:set("alert.assessment.impact.severity", "high")
ctx:set("alert.assessment.impact.description",
"Multiple failed attempts have been made to login to a user account")
ctx:alert()
ctx:del()
end
end
end
end
-- Detect brute force attempt by user
-- This rule looks for all classifications that match login or authentication
-- attempts, and detects when they exceed a certain threshold.
local userid = INPUT:get("alert.target(*).user.user_id(*).name");
if is_failed_auth and userid then
for i, user in ipairs(userid) do
local ctx = Context.update("BRUTE_U_" .. user, { expire = 120, threshold = 2 })
ctx:set("alert.source(>>)", INPUT:getraw("alert.source"))
ctx:set("alert.target(>>)", INPUT:getraw("alert.target"))
ctx:set("alert.correlation_alert.alertident(>>).alertident", INPUT:getraw("alert.messageid"))
ctx:set("alert.correlation_alert.alertident(-1).analyzerid", INPUT:getAnalyzerid())
if ctx:CheckAndDecThreshold() then
ctx:set("alert.classification.text", "Brute force attack")
ctx:set("alert.correlation_alert.name", "Multiple failed login")
ctx:set("alert.impact.severity", "high")
ctx:set("alert.impact.description", "Multiple failed attempts have been made to login to a user account")
ctx:alert()
ctx:del()
end
end
end
end -- function brute_force(INPUT)
distrib
>
Mandriva
>
2010.0
>
i586
>
media
>
contrib-release
>
by-pkgid
>
215344686ab97988339109b9812b21f3
>
files
>
3
