For the first use case, I think you should be able to use "same_source_ip" and "not_same_user" options (I would probably define a frequency threshold too).
For other cases I guess it all depends on the logs you want to analyze. Do you have samples?

On Wed, Mar 23, 2016 at 5:51 AM, <namobuddhaon...@gmail.com> wrote:
> Hello Group,
>
> Is there a way to create a rule that will filter for login attempts to
> multiple accounts from the same IP? The goal is to find an attacker who has
> gained a foothold attempting password spraying, which would fly under the
> password policy radar if they do it slowly enough.
>
> I'm also looking for rules for the following if anyone has an idea of how
> to write them.
>
> - An attacker using PowerShell Empire (commonly used to own Active
>   Directory networks)
> - Scanning Activity
> - Long Duration Connections (a possible sign of an advanced persistent
>   connection)
> - Concurrent Logins
>
> Thanks,
>
> --
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
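As an added illustration of the reply's suggestion (this is example code, not a rule from the thread or from the OSSEC project), a composite OSSEC rule that fires when failed logins for different accounts arrive from one source IP within a window. It assumes the stock sshd failed-authentication rule 5716 as the trigger and a free local rule id (100100); both are placeholders to adjust, and the rule only works where the decoder for your log source extracts both srcip and user, since same_source_ip and not_same_user compare those decoded fields.

```xml
<!-- Example for local_rules.xml: correlate failed logins across accounts
     from one source. Assumptions: rule 5716 (sshd auth failure) is the
     child event; id 100100 is unused in your local rule range. Swap in the
     failed-login sid for Windows or other log sources as needed. -->
<group name="local,authentication_failures,">
  <!-- frequency/timeframe are the tuning knobs: a slow spray needs a longer
       timeframe and a lower frequency than a noisy brute-force rule. -->
  <rule id="100100" level="10" frequency="6" timeframe="600">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <not_same_user />
    <description>Possible password spraying: failed logins for multiple accounts from the same source IP</description>
    <group>authentication_failures,</group>
  </rule>
</group>
```

Because a source trying the same account repeatedly will not satisfy not_same_user, this rule complements rather than replaces the stock same-user brute-force rules; keep both and compare which one fires on your sample logs.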