Hi, all. I was looking into writing some basic correlation rules to
detect excessive login attempts, and I noticed that it'd be really handy
to have a rule option that could match multiple events by the same user.
For example, I could do something like:
  <rule id="99999" level="10" frequency="10" timeframe="300" ignore="240">
    <!-- level added here: OSSEC requires one on every rule; 10 is an arbitrary choice -->
    <!-- frequency rules count earlier events via if_matched_group, not if_group -->
    <if_matched_group>authentication_success</if_matched_group>
    <same_user />  <!-- the proposed option: only count events from the same user -->
    <description>A single user generated too many logins</description>
  </rule>
NOTE: that's untested, and I just wrote it for this email, but I think
you get the idea. This would catch attacks where an intruder has
captured a single user's login credentials and wants to try them
everywhere on site, just to see what he has access to. Yeah, dumb
idea, but we've seen it happen.
David
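The correlation the message proposes, worked through as an added example (not code from the post, and not OSSEC's own correlation engine): a small frequency rule keyed by user, run over constructed sshd success lines. The semantics assumed here are that the rule fires when `frequency` matching events from one user fall within `timeframe` seconds, and that further matches for that user are then dropped for `ignore` seconds so one campaign produces one alert rather than one per login. The log format, the `SameUserFrequencyRule`/`run_rule` names and the sample lines are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque

# Constructed syslog-style sshd "Accepted" line (not a real capture). Times are
# reduced to seconds since midnight, so the sample must stay within one day.
LOG_RE = re.compile(
    r"^\w{3} +\d+ (\d\d):(\d\d):(\d\d) (\S+) sshd\[\d+\]: "
    r"Accepted \S+ for (\S+) from (\S+) port \d+"
)


def parse_event(line):
    """Return (seconds_since_midnight, host, user, src_ip) for an sshd success
    line, or None for anything else (a 'Failed password' line is not a match:
    only successes belong to the authentication_success group)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hh, mm, ss, host, user, ip = m.groups()
    return int(hh) * 3600 + int(mm) * 60 + int(ss), host, user, ip


class SameUserFrequencyRule:
    """Frequency rule with a per-user sliding window (assumed semantics).

    Fires when `frequency` matches from one user occur within `timeframe`
    seconds; afterwards that user's matches are ignored for `ignore` seconds."""

    def __init__(self, rule_id, frequency, timeframe, ignore, description):
        self.rule_id = rule_id
        self.frequency = frequency
        self.timeframe = timeframe
        self.ignore = ignore
        self.description = description
        self.recent = defaultdict(deque)  # user -> (ts, host) of recent matches
        self.ignore_until = {}            # user -> time until which matches are dropped

    def feed(self, ts, host, user, ip):
        """Feed one event; return an alert dict when the threshold is reached."""
        if ts < self.ignore_until.get(user, -1):
            return None  # still inside the ignore window for this user
        q = self.recent[user]
        q.append((ts, host))
        while q and ts - q[0][0] > self.timeframe:
            q.popleft()  # drop matches that fell out of the sliding timeframe
        if len(q) < self.frequency:
            return None
        alert = {
            "rule_id": self.rule_id,
            "user": user,
            "hosts": sorted({h for _, h in q}),  # where the credential was used
            "first_seen": q[0][0],
            "last_seen": ts,
            "description": self.description,
        }
        q.clear()
        self.ignore_until[user] = ts + self.ignore
        return alert


def run_rule(lines, rule):
    """Run the rule over raw log lines and collect the alerts it raises."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            alert = rule.feed(*ev)
            if alert:
                alerts.append(alert)
    return alerts


def _accepted(ts, host, user, ip="10.0.0.5"):
    """Build one constructed sshd success line for `ts` seconds after midnight."""
    hh, rem = divmod(ts, 3600)
    mm, ss = divmod(rem, 60)
    return (f"Jan 10 {hh:02d}:{mm:02d}:{ss:02d} {host} sshd[4242]: "
            f"Accepted publickey for {user} from {ip} port 51234 ssh2")


# Constructed sample: alice's captured credential tried on ten hosts in three
# minutes (one alert), one more login inside the ignore window (no alert),
# bob's normal activity (below threshold), a failure line (never counted), and
# a second alice campaign after the ignore window expired (a second alert).
SAMPLE_LOG = (
    [_accepted(36000 + 20 * i, f"web{i:02d}", "alice") for i in range(10)]
    + [_accepted(36240, "db01", "alice")]
    + [_accepted(36100 + 60 * i, "web01", "bob", "10.0.0.9") for i in range(3)]
    + ["Jan 10 10:05:00 web01 sshd[4243]: Failed password for alice "
       "from 10.0.0.5 port 51235 ssh2"]
    + [_accepted(36600 + 20 * i, f"app{i:02d}", "alice") for i in range(10)]
)


def run_sample():
    rule = SameUserFrequencyRule("99999", frequency=10, timeframe=300,
                                 ignore=240, description="A single user generated too many logins")
    return run_rule(SAMPLE_LOG, rule)


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

Keying the window on the user rather than the source address is what makes this catch the credential-replay case: the logins succeed, come from one or many addresses, and only look wrong in aggregate. The `hosts` list in the alert is the piece an analyst wants first, since it shows where the stolen credential has already been used.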