Gamerboy
Gamerboy2mo ago

FOR A PROJECT

Hey I got a task to create a Suricata rule to detect the failed login credentials while logging to Wazuh, can anyone help me to fix it please. Thank you
7 Replies
Gamerboy
Gamerboy2mo ago
Really need help hello?
E-Man
E-Man2mo ago
Devil is in the details, can you show me the rule?
Gamerboy
Gamerboy2mo ago
@E-Man hai hey So ya , I need a rule in suricata to show an alert of succesfull login that login should be show as an security alerts in wazuh dashboard all the rules i added is not triggering idk why
_null
_null2mo ago
Please remember that we don't have access to your configuration. It would be helpful to provide screenshots or more precise details.
E-Man
E-Man2mo ago
Are you sure Suricata is forwarding logs to Wazuh? It’s been a little while since I’ve used the tools but generally with detections there are 3 possible issues. Telemetry- Are you receiving the logs in the correct location? Taxonomy- Are the logs correctly tagged and processed. Logic- is the rule logic correct
_null
_null2mo ago
You mentioned a successful login... To what service? If I understand your question, you haven't written the rule? Here's an example rule for SSH:
alert tcp any any -> any 22 (msg:"Failed SSH Login Attempt"; flow:to_server,established; content:"SSH-"; depth:4; content:"Failed password"; nocase; classtype:attempted-recon; sid:1000001; rev:1;)
alert tcp any any -> any 22 (msg:"Failed SSH Login Attempt"; flow:to_server,established; content:"SSH-"; depth:4; content:"Failed password"; nocase; classtype:attempted-recon; sid:1000001; rev:1;)
Without more details it's hard to assertain where your problem lies. Like E-Man suggested, it could be an issue at any point of the process. To fix it, you need to verify every link of the "chain."
Gamerboy
Gamerboy2mo ago
ok so my job is to create rules for scada bra which is integrated with wazuh suricata as installed on cada br (ip of scada br is 192.168.0.110) so when i login to by local web server having an ip of scada br i need a rule that triggers an alert of login also a rule when we log out multiple failed attempt