
Temp disabled password spray rules...

Champ Clark III
Champ Clark III committed Sep 18, 2018
1 parent 15bb59c commit eecd22b5d072f87edcc324169d56fadf302d7357
Showing with 3 additions and 3 deletions.
  1. +3 −3 windows-auth.rules
@@ -275,13 +275,13 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] LDAP authenti
# Configure alerts for >50 4625 events within 1 minute.
# 0xC000006A user name is correct but the password is wrong
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Possible Password Spray Detected [50/1]"; content: "0xC000006A"; nocase; content: " 4625|3a| "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 50, seconds 60; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing; reference: url,wiki.quadrantsec.com/bin/view/Main/5003798; sid:5003798; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Possible Password Spray Detected [50/1]"; content: "0xC000006A"; nocase; content: " 4625|3a| "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 50, seconds 60; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing; reference: url,wiki.quadrantsec.com/bin/view/Main/5003798; sid:5003798; rev:3;)
# Configure alerts for >50 4771 events with failure code=0x18 within 1 minute.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Possible Password Spray Detected [50/1]"; content: "0x18"; nocase; content: " 4771|3a| "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 50, seconds 60; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing; reference: url,wiki.quadrantsec.com/bin/view/Main/5003799; sid:5003799; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Possible Password Spray Detected [50/1]"; content: "0x18"; nocase; content: " 4771|3a| "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 50, seconds 60; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing; reference: url,wiki.quadrantsec.com/bin/view/Main/5003799; sid:5003799; rev:3;)
# Configure alerts for >100 4648 events on workstations within 1 minute.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Possible Password Spray Detected [100/1]"; content: " 4648|3a| "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 100, seconds 60; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing; reference: url,wiki.quadrantsec.com/bin/view/Main/5003800; sid:5003800; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Possible Password Spray Detected [100/1]"; content: " 4648|3a| "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 100, seconds 60; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing; reference: url,wiki.quadrantsec.com/bin/view/Main/5003800; sid:5003800; rev:3;)
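Review bot: The three rules (sids 5003798–5003800) are disabled by commenting out the whole line, which leaves nothing in the ruleset saying why they are off or when they should return; since the title calls this temporary, a dated comment above each disabled rule would keep the detection gap visible, e.g. `# TEMP DISABLED <date>: <reason> — re-enable once <condition>` (placeholders to be filled in). I am inferring from the commit title that the `#alert` lines are the added side, as the rendered page drops the +/- markers. Each rule also does `xbits: set,brute_force,21600`, so any rule in this file or elsewhere that checks `xbits: isset,brute_force` will no longer be fed by these three sources while they are disabled, which is worth confirming before that chain is relied on. If the reason is noise, raising `count` in the `after:` option or tightening `program:` would retain partial coverage rather than none. The hunk header counts 13 lines per side but only 10 are rendered here, so part of the hunk is not visible.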
