New Detection type: bruteforce alerts #4

Open
ManofWax opened this issue Feb 24, 2023 · 0 comments
Labels
detection rule feature Something new to be added

Comments

@ManofWax (Contributor)
Implement a new detection logic to detect bruteforce attempts.

The new detection should be a new celery task scheduled independently in the celery_beat config. This task should implement two different types of alerts:

This task should be run every 30 minutes

Bruteforce detected on user: {username}

Query logins by aggregating on username: if there are at least MAX_LOGIN_BRUTEFORCE (MAX_TRIES should be configurable in the code) failed logins in the last hour (the task is run every 30 minutes, so there is an overlap to detect bruteforces that are longer than the running time of the task), a new alert is generated.

Bruteforce detected from IP

Query logins by aggregating on source IP: if there are at least MAX_IP_BRUTEFORCE failed logins in the last hour, a new alert is generated. These logins could span across multiple usernames; they should be reported in the alert to allow better understanding of the activity.

ManofWax added the labels feature (Something new to be added) and detection rule on Feb 24, 2023
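The following is an added, stand-alone sketch of the two aggregations the issue asks for; it is not code from the project or from the issue author. It assumes a flat list of login records (timestamp, username, source IP, success flag) already fetched by the periodic task, uses a one-hour sliding window evaluated at task run time, and keeps the two thresholds as module-level constants so they can be adjusted in code as the issue requests. The Celery beat scheduling itself is left out; the sample logins below are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Thresholds, kept configurable in code as the issue asks (values are assumptions).
MAX_LOGIN_BRUTEFORCE = 5   # failed logins per username within the window
MAX_IP_BRUTEFORCE = 10     # failed logins per source IP within the window
WINDOW = timedelta(hours=1)  # the task runs every 30 min, so windows overlap


@dataclass(frozen=True)
class Login:
    """One authentication event as the task would read it (assumed shape)."""
    timestamp: datetime
    username: str
    source_ip: str
    success: bool


def _failed_in_window(logins, now, window):
    """Yield only failed logins whose timestamp falls inside [now - window, now]."""
    start = now - window
    for login in logins:
        if not login.success and start <= login.timestamp <= now:
            yield login


def detect_user_bruteforce(logins, now, max_tries=MAX_LOGIN_BRUTEFORCE, window=WINDOW):
    """Alert 'Bruteforce detected on user: {username}' per username over threshold."""
    failures = defaultdict(int)
    for login in _failed_in_window(logins, now, window):
        failures[login.username] += 1
    return [
        {
            "name": f"Bruteforce detected on user: {user}",
            "username": user,
            "failed_logins": count,
        }
        for user, count in sorted(failures.items())
        if count >= max_tries
    ]


def detect_ip_bruteforce(logins, now, max_tries=MAX_IP_BRUTEFORCE, window=WINDOW):
    """Alert 'Bruteforce detected from IP' per source IP; lists the usernames targeted."""
    failures = defaultdict(list)
    for login in _failed_in_window(logins, now, window):
        failures[login.source_ip].append(login.username)
    return [
        {
            "name": "Bruteforce detected from IP",
            "source_ip": ip,
            "failed_logins": len(users),
            "usernames": sorted(set(users)),  # reported so the analyst sees the spread
        }
        for ip, users in sorted(failures.items())
        if len(users) >= max_tries
    ]


def run_bruteforce_task(logins, now=None):
    """Body of the periodic task: both aggregations over the same login set."""
    now = now or datetime.now(timezone.utc)
    return detect_user_bruteforce(logins, now) + detect_ip_bruteforce(logins, now)


# --- Constructed sample data for the example (not real logins) ---
NOW = datetime(2023, 2, 24, 12, 0, tzinfo=timezone.utc)


def _t(minutes_ago):
    return NOW - timedelta(minutes=minutes_ago)


SAMPLE_LOGINS = [
    # alice: 6 failures from three IPs in the last 40 min, then one success
    *[Login(_t(40 - 5 * i), "alice", f"198.51.100.{1 + i % 3}", False) for i in range(6)],
    Login(_t(5), "alice", "198.51.100.1", True),
    # one source IP trying 10 different usernames once each over the last 50 min
    *[Login(_t(50 - 5 * i), f"bob{i}", "203.0.113.7", False) for i in range(10)],
    # carol: 4 failures older than the window plus 2 recent ones
    *[Login(_t(90 + i), "carol", "192.0.2.9", False) for i in range(4)],
    Login(_t(20), "carol", "192.0.2.9", False),
    Login(_t(10), "carol", "192.0.2.9", False),
]

if __name__ == "__main__":
    for alert in run_bruteforce_task(SAMPLE_LOGINS, NOW):
        print(alert)
```

With the sample data, alice triggers only the per-user alert (her six failures are spread over three IPs, two each), the single IP 203.0.113.7 triggers only the per-IP alert (ten usernames, one failure each), and carol triggers nothing because four of her six failures fall outside the one-hour window. Because consecutive runs overlap by 30 minutes, the same activity can be reported twice; the task would want to de-duplicate against alerts already raised for the same username or IP in the previous run.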