Gamerboy
Gamerboy4mo ago

FOR A PROJECT

Hey I got a task to create a Suricata rule to detect the failed login credentials while logging to Wazuh, can anyone help me to fix it please. Thank you
7 Replies
Gamerboy
Gamerboy4mo ago
Really need help hello?
E-Man
E-Man4mo ago
Devil is in the details, can you show me the rule?
Gamerboy
Gamerboy4mo ago
@E-Man hai hey So ya , I need a rule in suricata to show an alert of succesfull login that login should be show as an security alerts in wazuh dashboard all the rules i added is not triggering idk why
_null
_null4mo ago
Please remember that we don't have access to your configuration. It would be helpful to provide screenshots or more precise details.
E-Man
E-Man4mo ago
Are you sure Suricata is forwarding logs to Wazuh? It’s been a little while since I’ve used the tools but generally with detections there are 3 possible issues. Telemetry- Are you receiving the logs in the correct location? Taxonomy- Are the logs correctly tagged and processed. Logic- is the rule logic correct
_null
_null4mo ago
You mentioned a successful login... To what service? If I understand your question, you haven't written the rule? Here's an example rule for SSH: 
alert tcp any any -> any 22 (msg:"Failed SSH Login Attempt"; flow:to_server,established; content:"SSH-"; depth:4; content:"Failed password"; nocase; classtype:attempted-recon; sid:1000001; rev:1;)
alert tcp any any -> any 22 (msg:"Failed SSH Login Attempt"; flow:to_server,established; content:"SSH-"; depth:4; content:"Failed password"; nocase; classtype:attempted-recon; sid:1000001; rev:1;)
Without more details it's hard to assertain where your problem lies. Like E-Man suggested, it could be an issue at any point of the process. To fix it, you need to verify every link of the "chain."
Gamerboy
Gamerboy4mo ago
ok so my job is to create rules for scada bra which is integrated with wazuh suricata as installed on cada br (ip of scada br is 192.168.0.110) so when i login to by local web server having an ip of scada br i need a rule that triggers an alert of login also a rule when we log out multiple failed attempt
More Posts
How to access my VM when setting up my virtual router?I am trying to understand how I'm supposed to access my VM and also setup my pfsense router. My issuBeef over WANso i have a practical where i have to setup Beef over WAN so i use ssh -R 80:localhost:3000 nokey@losolution for cgnati need a solution to port forward from home server running win11 over network while connected to a cManaged Devices from Microsoft to Google WorkspaceDoes anybody have any experience migrating a company from Microsoft to Google Workspace? The companyTestBedMy group has been given a task to make a responsive testbed. My test bed consists of qubo smart bellHelp With My Dissertation Project.Hey guys just need some help with my project. Basically what i need is a lot of malware files or virVirtual Box kali linux issuehelp me with it plsNetwork Helpso i have a rgh xbox 360 and i host a stealth server( for xbox 360) and this dude sends thousands ofI need help! on OT/ICSHello, I need some help. If anyone knows about Operational Technology (OT) and Industrial Control Syissue with flutter code