So, I've forwarded the auth logs of my web application to Graylog, and now I want to implement some alerts for brute force. Each record sent from the webapp to Graylog contains some information, among which username and hashed password. I would like to find a query for the alerts that counts the unique combinations of the fields login and hashed_password.
I know how to set up the alerts, but can't find a working query.
For example, I have these logs:
... login=foo hashed_password=XXXX ...
... login=foo hashed_password=XXXX ...
... login=foo hashed_password=XXXX ...
... login=foo hashed_password=YYYY ...
... login=foo hashed_password=ZZZZ ...
... login=foo hashed_password=AAAA ...
... login=foo hashed_password=AAAA ...
... login=foo hashed_password=BBBB ...
I would like to find a query that prints each combination of these two fields only once. I've tried many things but without success. From the log above, it should print only:
... login=foo hashed_password=XXXX ...
... login=foo hashed_password=YYYY ...
... login=foo hashed_password=ZZZZ ...
... login=foo hashed_password=AAAA ...
... login=foo hashed_password=BBBB ...
Some of the queries I've tried are the following:
auth:"error" AND distinct(login+hashed_password)
auth:"error" AND count(distinct(login+hashed_password))
auth:"error" AND count(login(hashed_password))
I'm running Graylog 4.0 and Elastic OSS 7.10; all the servers are CentOS 7.
I found a solution to my problem: I just grouped the results of the query by IP source and login, then I added this condition to create events:
card(hashed_password) > 15
Same thing with similar kinds of alarms, where I put these conditions:
[count(login) > 100 AND [card(IP_Source) == 1 AND card(login) == 1 AND card(hashed_password) == 1]]
where I grouped by the same fields.
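The two event conditions from the answer, replayed outside Graylog so the logic can be checked on constructed records (this is an added example, not code from the original post or from Graylog). It groups by (IP_Source, login) like the aggregation, then applies card(hashed_password) > 15 and the count(login) > 100 rule; the field name IP_Source, the auth=error marker and the sample lines are assumptions in the style of the question.

```python
import re
from collections import defaultdict

KV = re.compile(r"(\w+)=(\S+)")  # key=value tokens as in the question's log lines

def make_sample_logs():
    """Constructed records; not real traffic. Documentation IP ranges only."""
    lines = []
    # Scenario for rule 1: one source tries 16 different password hashes for "foo".
    for i in range(16):
        lines.append(f"auth=error IP_Source=198.51.100.7 login=foo hashed_password=H{i:04d}")
    # Scenario for rule 2: one source replays the same login/hash pair 101 times.
    lines += ["auth=error IP_Source=203.0.113.9 login=bar hashed_password=SAME"] * 101
    # Benign noise: a user mistyping the password twice.
    lines += ["auth=error IP_Source=192.0.2.5 login=baz hashed_password=Q1",
              "auth=error IP_Source=192.0.2.5 login=baz hashed_password=Q2"]
    return lines

def aggregate(lines):
    """Group auth=error records by (IP_Source, login), collecting what
    Graylog's count() and card() would compute per group."""
    groups = defaultdict(lambda: {"count": 0, "hashes": set(), "ips": set(), "logins": set()})
    for rec in (dict(KV.findall(line)) for line in lines):
        if rec.get("auth") != "error":
            continue
        g = groups[(rec["IP_Source"], rec["login"])]
        g["count"] += 1
        g["hashes"].add(rec["hashed_password"])
        g["ips"].add(rec["IP_Source"])
        g["logins"].add(rec["login"])
    return groups

def evaluate(lines, spray_card=15, replay_count=100):
    """Return {(ip, login): [rule names]} for groups that would create an event."""
    events = {}
    for key, g in aggregate(lines).items():
        fired = []
        # card(hashed_password) > 15: many different passwords tried for one login
        if len(g["hashes"]) > spray_card:
            fired.append("many_distinct_passwords")
        # count(login) > 100 AND card(IP_Source) == 1 AND card(login) == 1
        # AND card(hashed_password) == 1: the same credential hammered from one source
        if (g["count"] > replay_count and len(g["ips"]) == 1
                and len(g["logins"]) == 1 and len(g["hashes"]) == 1):
            fired.append("repeated_same_credential")
        if fired:
            events[key] = fired
    return events
```

Because the grouping already fixes IP_Source and login, card(IP_Source) == 1 and card(login) == 1 always hold inside a group; the discriminating part of the second rule is the count together with card(hashed_password) == 1.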