|
|
@@ -275,13 +275,13 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] LDAP authenti |
|
|
# Configure alerts for >50 4625 events within 1 minute.
|
|
|
# 0xC000006A user name is correct but the password is wrong
|
|
|
|
|
|
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Possible Password Spray Detected [50/1]"; content: "0xC000006A"; nocase; content: " 4625|3a| "; pcre: "/^((?!Account Name: (.*)\$ ).)*$/"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 50, seconds 60; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing; reference: url,wiki.quadrantsec.com/bin/view/Main/5003798; sid:5003798; rev:2;)
|
|
|
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Possible Password Spray Detected [50/1]"; content: "0xC000006A"; nocase; content: " 4625|3a| "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 50, seconds 60; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing; reference: url,wiki.quadrantsec.com/bin/view/Main/5003798; sid:5003798; rev:3;)
|
|
|
|
|
|
# Configure alerts for >50 4771 events with failure code=0x18 within 1 minute.
|
|
|
|
|
|
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Possible Password Spray Detected [50/1]"; content: "0x18"; nocase; content: " 4771|3a| "; pcre: "/^((?!Account Name: (.*)\$ ).)*$/"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 50, seconds 60; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing; reference: url,wiki.quadrantsec.com/bin/view/Main/5003799; sid:5003799; rev:2;)
|
|
|
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Possible Password Spray Detected [50/1]"; content: "0x18"; nocase; content: " 4771|3a| "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 50, seconds 60; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing; reference: url,wiki.quadrantsec.com/bin/view/Main/5003799; sid:5003799; rev:3;)
|
|
|
|
|
|
# Configure alerts for >100 4648 events on workstations within 1 minute.
|
|
|
|
|
|
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Possible Password Spray Detected [100/1]"; content: " 4648|3a| "; pcre: "/^((?!Account Name: (.*)\$ ).)*$/"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 100, seconds 60; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing; reference: url,wiki.quadrantsec.com/bin/view/Main/5003800; sid:5003800; rev:2;)
|
|
|
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Possible Password Spray Detected [100/1]"; content: " 4648|3a| "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 100, seconds 60; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing; reference: url,wiki.quadrantsec.com/bin/view/Main/5003800; sid:5003800; rev:3;)
|
|
|
|
0 comments on commit
7d5b72e