FOR A PROJECT
Hey, I got a task to create a Suricata rule to detect failed login credentials while logging in to Wazuh. Can anyone help me fix it, please?
Thank you
Really need help
hello?
The devil is in the details; can you show me the rule?
@E-Man hi
Hey, so yeah, I need a rule in Suricata to show an alert of a successful login.
That login should show up as a security alert in the Wazuh dashboard.
All the rules I added are not triggering, I don't know why.
Please remember that we don't have access to your configuration. It would be helpful to provide screenshots or more precise details.
Are you sure Suricata is forwarding logs to Wazuh? It's been a little while since I've used the tools, but generally with detections there are 3 possible issues.
Telemetry - Are you receiving the logs in the correct location?
Taxonomy - Are the logs correctly tagged and processed?
Logic - Is the rule logic correct?
You mentioned a successful login... To what service? If I understand your question, you haven't written the rule?
Here's an example rule for SSH:
Without more details it's hard to ascertain where your problem lies. Like E-Man suggested, it could be an issue at any point of the process. To fix it, you need to verify every link of the "chain."
OK, so my job is to create rules for ScadaBR, which is integrated with Wazuh.
Suricata is installed on ScadaBR (the IP of ScadaBR is 192.168.0.110).
So when I log in to the local web server with the IP of ScadaBR, I need a rule that triggers an alert on login,
also a rule for when we log out,
and for multiple failed attempts.
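A starting point for the ScadaBR web login rules asked about above, added here as an example (not a rule anyone in the thread posted). It assumes ScadaBR's login and logout are plain HTTP requests to /login.htm and /logout.htm on 192.168.0.110; those paths and the port are assumptions, so confirm them from the browser's developer tools or Suricata's http events before relying on them.

```suricata
# Added example rules, not from the thread. Assumptions: ScadaBR listens on
# 192.168.0.110 over plain HTTP, logs in via POST /login.htm and logs out via
# GET /logout.htm. Adjust $SCADA_IP, the paths and the port to match reality.
# Define the variable in suricata.yaml under vars.address-groups, e.g.
#   SCADA_IP: "[192.168.0.110]"

# Any login attempt: a POST to the login page. Suricata sees the request,
# not whether the credentials were accepted, so this fires on every try.
alert http any any -> $SCADA_IP any (msg:"SCADABR web login attempt"; \
  flow:to_server,established; http.method; content:"POST"; \
  http.uri; content:"/login.htm"; startswith; \
  classtype:attempted-user; sid:1000001; rev:1;)

# Repeated login attempts from one source: 5 or more POSTs to the login
# page within 60 seconds from the same client. This is the practical
# Suricata-side proxy for "multiple failed attempts", since a user who
# succeeds normally posts the form once.
alert http any any -> $SCADA_IP any (msg:"SCADABR repeated web login attempts (possible brute force)"; \
  flow:to_server,established; http.method; content:"POST"; \
  http.uri; content:"/login.htm"; startswith; \
  threshold:type both, track by_src, count 5, seconds 60; \
  classtype:attempted-user; sid:1000002; rev:1;)

# Logout: a GET to the logout page.
alert http any any -> $SCADA_IP any (msg:"SCADABR web logout"; \
  flow:to_server,established; http.method; content:"GET"; \
  http.uri; content:"/logout.htm"; startswith; \
  classtype:not-suspicious; sid:1000003; rev:1;)
```

Load the file via the rule-files list in suricata.yaml, run `suricata -T` to check the syntax, and confirm the alerts appear in eve.json before looking at Wazuh; Wazuh only shows them if its agent is collecting eve.json as a JSON localfile. If ScadaBR reveals a failed login in its response (for example a redirect back to the login page or an error string), a second, response-side rule matching that is what turns "attempt" into "failed attempt".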