SSH_Login_Brute_Force
ID: 100469
Description:
An aggregation rule that tracks failed-login events in SSHD logs.
The rule triggers when the number of such events within one (1) hour exceeds 3600. This indicates that the SSH server (hostname) may be experiencing brute-force attempts, which usually also means the SSH server is reachable on the network from the outside.
Notes: The corresponding rule SSH Login Accepted tracks successful logins.
Repository:
Group: SSHD
Type: event
Default Status:
Enabled
Tags: SSH, SSHD
Selector:
Query:
Filters:

Field | MUST hit |
---|---|
@event_type | @sshd |
@sshd.result | failed |

Field | MUST NOT hit |
---|---|

Behavior Rule:

Key | Type | Behavior Category |
---|---|---|
@source | asset | account login |

Risks:

Risks | Base Score | Dimension |
---|---|---|

Attributes:

Alias | Key |
---|---|
IP | @sshd.sip |
Country | @sshd._ip.country |
City | @sshd._ip.city |
Organization | @sshd._ip.org |
ISP | @sshd._ip.isp |
Username | @sshd.user |
Method | @sshd.method |
Server | @source |
Stream | @stream |

Correlation Rules:

Aggregation:

Name | Window | Field | AggType | Match |
---|---|---|---|---|
BruteForce | 1 hour | count | gt 3600 | |

Risks: BANDWIDTH_ANOMALY
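The filter and aggregation above, reproduced as an added example in Python (not Fluency's own implementation): events that match both MUST-hit fields are counted per @source (the SSH server) in a one-hour window, and the rule fires when a window's count is greater than 3600. The sample events are constructed; the page does not say whether the window slides, so a fixed clock-hour bucket is assumed here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Filters from the rule: every MUST-hit field must match; the MUST-NOT table is empty.
MUST_HIT = {"@event_type": "@sshd", "@sshd.result": "failed"}
THRESHOLD = 3600  # AggType "gt 3600": strictly greater than


def matches_filters(event):
    """True when every MUST-hit field carries the required value."""
    return all(event.get(k) == v for k, v in MUST_HIT.items())


def brute_force_alerts(events):
    """BruteForce aggregation: count matching events per (@source, 1-hour bucket).
    Assumption: fixed clock-hour buckets, not a sliding window.
    Returns {(source, bucket_start): count} for buckets over THRESHOLD."""
    counts = defaultdict(int)
    for ev in events:
        if not matches_filters(ev):
            continue
        bucket = ev["@timestamp"].replace(minute=0, second=0, microsecond=0)
        counts[(ev["@source"], bucket)] += 1
    return {key: n for key, n in counts.items() if n > THRESHOLD}


def constructed_events():
    """Constructed sample: 3601 failures against 'bastion-01' inside one hour,
    200 against 'db-02', plus accepted logins the filter must ignore."""
    base = datetime(2021, 10, 7, 12, 0, 0)
    ev = lambda src, result, secs: {  # noqa: E731 (compact constructor)
        "@event_type": "@sshd", "@sshd.result": result, "@source": src,
        "@sshd.user": "root", "@sshd.sip": "198.51.100.23",  # RFC 5737 test address
        "@timestamp": base + timedelta(seconds=secs)}
    events = [ev("bastion-01", "failed", i // 2) for i in range(3601)]  # all within 12:00-12:30
    events += [ev("db-02", "failed", i) for i in range(200)]            # below threshold
    events += [ev("bastion-01", "accepted", i) for i in range(5)]       # filtered out
    return events


if __name__ == "__main__":
    for (source, start), n in brute_force_alerts(constructed_events()).items():
        print(f"SSH_Login_Brute_Force: {source} had {n} failed logins in the hour from {start}")
```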

History:

User | Date |
---|---|
ho*d@fluencysecurity.com | 2021 Oct 7 12:16:42 EDT |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)