Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Rule Tuning] Potential SSH Brute Force Detected on Privileged Account #3562

Open
willem-dhaese opened this issue Apr 2, 2024 · 3 comments
Open

[Rule Tuning] Potential SSH Brute Force Detected on Privileged Account #3562

willem-dhaese opened this issue Apr 2, 2024 · 3 comments
Assignees
@Aegrah
Labels
community Rule: Tuning tweaking or tuning an existing rule

Comments

@willem-dhaese
Copy link

willem-dhaese commented Apr 2, 2024
edited

Link to rule

For some reason I cannot find it in https://www.elastic.co/guide/en/security/current/prebuilt-rules.html

I do find this => https://www.elastic.co/guide/en/security/current/prebuilt-rule-8-3-3-potential-ssh-brute-force-detected-on-privileged-account.html

Description

Most of our admin accounts have adm in them, but not admin. This makes this rule not applicable. Please consider update of admin to adm.

sequence by host.id, source.ip with maxspan=10s
  [authentication where host.os.type == "linux" and event.action  in ("ssh_login", "user_login") and
   event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and
   source.ip != "::" and  user.name : ("*root*" , "*admin*")] with runs=3

Update to:

sequence by host.id, source.ip with maxspan=10s
  [authentication where host.os.type == "linux" and event.action  in ("ssh_login", "user_login") and
   event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and
   source.ip != "::" and  user.name : ("*root*" , "*adm*")] with runs=3
@willem-dhaese willem-dhaese added the Rule: Tuning tweaking or tuning an existing rule label Apr 2, 2024
@Aegrah
Copy link
Contributor

Aegrah commented Apr 3, 2024

@willem-dhaese I would like your take on this - do you feel like this rule does bring additional benefits to your organization in combination with the other brute force attack rules that we have for Linux? Because deprecating this one has been on my mind for a while.

I am fine with your suggestion; but not sure whether this rule specifically adds many benefits over the rest of our ruleset. WDYT?

@willem-dhaese
Copy link
Author

@Aegrah Thanks for your answer. I did notice there seem quite a bit of SSH login related rules.

image

I guess there is room for consolidation and optimalization here.

As always, the question is how far will and can we go and how much noise are we willing to endure..

The thing is that the rule "Potential SSH Brute Force Detected on Privileged Account" works on auditbeat-* and the others only on logs-system.auth-*

"Potential Internal Linux SSH Brute Force Detected" would not have triggered, as we are not on Elastic Agent yet.

@willem-dhaese
Copy link
Author

@Aegrah This rule has the same issue => https://www.elastic.co/guide/en/security/current/privileged-account-brute-force.html

We could also greatly benefit from changing user.name *admin* to *adm*.

Please let me know if this is something that Elastic is willing to change. If not, also good, then we will duplicate the rules and edit them ourselves.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Aegrah Aegrah

Labels
community Rule: Tuning tweaking or tuning an existing rule
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Aegrah @willem-dhaese