FOR A PROJECT
Hey I got a task to create a Suricata rule to detect the failed login credentials while logging to Wazuh, can anyone help me to fix it please.
Thank you
Thank you
GReally need help
Ghello?
EDevil is in the details, can you show me the rule?
G@E-Man hai
Ghey So ya , I need a rule in suricata to show an alert of succesfull login
Gthat login should be show as an security alerts in wazuh dashboard
Gall the rules i added is not triggering idk why
_Please remember that we don't have access to your configuration. It would be helpful to provide screenshots or more precise details.
EAre you sure Suricata is forwarding logs to Wazuh? It’s been a little while since I’ve used the tools but generally with detections there are 3 possible issues.
Telemetry- Are you receiving the logs in the correct location?
Taxonomy- Are the logs correctly tagged and processed.
Logic- is the rule logic correct
Telemetry- Are you receiving the logs in the correct location?
Taxonomy- Are the logs correctly tagged and processed.
Logic- is the rule logic correct
_You mentioned a successful login... To what service? If I understand your question, you haven't written the rule?
Here's an example rule for SSH:
Without more details it's hard to assertain where your problem lies. Like E-Man suggested, it could be an issue at any point of the process. To fix it, you need to verify every link of the "chain."
Here's an example rule for SSH:
Without more details it's hard to assertain where your problem lies. Like E-Man suggested, it could be an issue at any point of the process. To fix it, you need to verify every link of the "chain."
Gok so my job is to create rules for scada bra which is integrated with wazuh
suricata as installed on cada br (ip of scada br is 192.168.0.110)
suricata as installed on cada br (ip of scada br is 192.168.0.110)
Gso when i login to by local web server having an ip of scada br i need a rule that triggers an alert of login
Galso a rule when we log out
Gmultiple failed attempt