I'm actually looking for both instances -- instances where there are X number of failed logons to Y+ number of legitimate accounts (purpose of rule #100440) and X number of failed attempts to logon to non-existent accounts (rule #100445). The sub status in those rules are indicative of either a bad password or a non-existent account.
Unfortunately keeping a white-list of accounts is not feasible with thousands of user accounts which are in a constant state of flux. A little more background -- this initially stemmed from a recent penetration test we had where we found we were unable to detect their password spray attack against legitimate accounts. I'm now trying to create an alert within OSSEC for this type of thing. Alternatively I may have to look at what I can do within Splunk (the backend of my OSSEC). On Fri, Jan 11, 2019 at 11:56 AM Brent Morris <brent.mor...@gmail.com> wrote: > Bruce - Do the password spraying attacks have correct user names? Or do > they have mostly incorrect user names and occasionally get lucky? > > One approach would be to create a list of correct user names and block > attackers when they type in an incorrect user name. I've done something > like this on URLs, so external connections to a blacklist of URLs will > cause an active response. > > On Wednesday, January 9, 2019 at 12:27:27 PM UTC-8, Bruce Westbrook wrote: >> >> I'm looking for a way to detect password spraying of accounts, but >> without triggering a bunch of false positives from normal user >> fat-fingering activity. Before I begin rebuilding the wheel, has anyone >> already built solid password spraying detection rules that they can share? >> At this point it's just for Active Directory but the same logic may be >> ported to other areas like web logs. >> >> Otherwise, I'm stuck with trying to get OSSEC to understand how to detect >> bad passwords against multiple/different accounts. There isn't a way that >> I know to do a "NOT same_user" for multiple matches, so my testing still >> ends up triggering for bad passwords on just one account. Here's my >> working example so far: >> >> <rule id="100440" level="10" frequency="9" timeframe="3600"> >> <if_matched_sid>18130</if_matched_sid> >> <same_source_ip /> >> <regex>Status:\t*\s*0xc000006d\t*\s*Sub Status:\t*\s*0xc000006a >> </regex> >> <description>ALERT: Probable password spraying</description> >> </rule> >> >> >> <rule id="100445" level="10" frequency="4" timeframe="3600"> >> <if_matched_sid>18130</if_matched_sid> >> <same_source_ip /> >> <regex>Status:\t*\s*0xc000006d\t*\s*Sub Status:\t*\s*0xc0000064 >> </regex> >> <description>ALERT: Probable account enumeration attempt >> </description> >> </rule> >> >> >> While these do trigger for bad passwords against multiple accounts, they >> also trigger for just a single account with multiple bad passwords being >> keyed by a legitimate user. How can I tell OSSEC to match only when it >> sees a bad password against multiple different accounts? Basically, <! >> same_user />? >> >> Thoughts / suggestions? >> >> -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
