Brute Force Access Behavior Detected: detecting brute-force access behavior
Attackers typically use automated scripts to assemble common usernames and passwords into a dictionary, then replay that dictionary against the login endpoint with a tool such as the Intruder module of Burp Suite.
Three common forms:
- Brute-forcing the password of one fixed account.
- Trying one fixed password against many accounts, when account names follow a predictable pattern or a large list of accounts has already been obtained by other means (password spraying).
- Credential stuffing: replaying username/password pairs from leaked credential dumps circulating online.
Splunk search:
| from datamodel:"Authentication"."Authentication" | stats values(tag) as tag,values(app) as app,count(eval('action'=="failure")) as failure,count(eval('action'=="success")) as success by src | search success>0 | xswhere failure from failures_by_src_count_1h in authentication is above medium
Time range: earliest=rt-65m@m latest=rt+5m@m
The search counts authentication failures and successes per source address over the real-time window, keeps only sources that also logged at least one success (`search success>0`), and then asks the Extreme Search context failures_by_src_count_1h whether the failure count is above medium. Two consequences worth knowing before relying on it: a source that fails continuously but never succeeds does not trigger this particular search, and `xswhere` produces no results until the failures_by_src_count_1h context has been generated from your own data, so an empty result set may mean a missing context rather than a clean environment.
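The detection logic of the search above, re-implemented in plain Python over a few constructed authentication events so it can be run offline. This is an added example, not code from the original page or from Splunk: the Extreme Search context is replaced by a fixed threshold (FAILURE_THRESHOLD, an assumption), the log format is invented for the example, and the distinct-user count per source is an addition that hints at which of the three forms above a flagged source resembles.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events (not real logs): "<minute> <src> <user> <action>",
# where <minute> is the event time in minutes before "now" (0 = now).
SAMPLE_EVENTS = """\
200 10.0.0.5 alice failure
30 10.0.0.5 alice failure
29 10.0.0.5 alice failure
28 10.0.0.5 alice failure
27 10.0.0.5 alice failure
26 10.0.0.5 alice failure
25 10.0.0.5 alice failure
24 10.0.0.5 alice success
12 10.0.0.9 alice failure
11 10.0.0.9 bob failure
10 10.0.0.9 carol failure
9 10.0.0.9 dave failure
8 10.0.0.9 erin failure
7 10.0.0.9 frank failure
6 10.0.0.9 grace success
40 10.0.0.7 bob failure
39 10.0.0.7 bob failure
38 10.0.0.7 bob failure
37 10.0.0.7 bob failure
36 10.0.0.7 bob failure
35 10.0.0.7 bob failure
34 10.0.0.7 bob failure
3 10.0.0.2 heidi failure
2 10.0.0.2 heidi success
"""

WINDOW_MINUTES = 65     # mirrors earliest=rt-65m@m in the search
FAILURE_THRESHOLD = 5   # assumption: stands in for "above medium" from the XS context


@dataclass
class SrcStats:
    failure: int = 0
    success: int = 0
    users: set = field(default_factory=set)


def parse_events(text):
    """Parse the constructed log format into (minutes_ago, src, user, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        minutes_ago, src, user, action = line.split()
        events.append((int(minutes_ago), src, user, action))
    return events


def stats_by_src(events, window_minutes=WINDOW_MINUTES):
    """Equivalent of `stats count(eval(action=="failure")) as failure,
    count(eval(action=="success")) as success by src` over the time window."""
    stats = defaultdict(SrcStats)
    for minutes_ago, src, user, action in events:
        if minutes_ago > window_minutes:
            continue  # outside the rolling window, so not counted
        s = stats[src]
        s.users.add(user)
        if action == "failure":
            s.failure += 1
        elif action == "success":
            s.success += 1
    return dict(stats)


def detect(events, threshold=FAILURE_THRESHOLD, window_minutes=WINDOW_MINUTES):
    """Flag sources with at least one success (`search success>0`) and a failure
    count above the threshold (`xswhere failure ... is above medium`).
    Returns {src: (SrcStats, label)}."""
    findings = {}
    for src, s in stats_by_src(events, window_minutes).items():
        if s.success > 0 and s.failure > threshold:
            # The Splunk search stops here; the label is an extra hint:
            # one user hammered = fixed-account brute force, many users = spraying/stuffing.
            label = "single_account" if len(s.users) == 1 else "multi_account"
            findings[src] = (s, label)
    return findings


if __name__ == "__main__":
    for src, (s, label) in detect(parse_events(SAMPLE_EVENTS)).items():
        print(f"{src}: failure={s.failure} success={s.success} "
              f"users={len(s.users)} pattern={label}")
```

With the sample data, 10.0.0.5 (six failures then a success against one account) and 10.0.0.9 (one failure each against six accounts, then a success) are flagged; 10.0.0.7 is not, despite seven failures, because it never succeeded, which is exactly the blind spot of the `success>0` filter noted above. Spraying and credential stuffing look the same from the authentication log alone (many distinct users, few attempts each), so the label only separates single-account from multi-account patterns.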