Alert if brute force detected


(alias) #1

Hi,

I parse the sshd log. I have the app_status field with “Failed password”, for example.
I want to create an aggregation-based “brute force” alert:

If an sshd log with “Failed password” in the app_status field has 5 hits in 3 minutes, an alert is triggered.

Is it possible?

In the aggregation alert, there is a ‘count’-based aggregation without checks on the field’s value.

Thanks
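
The rule asked for in post #1 (five “Failed password” hits within three minutes), as an added example that is not part of the original thread and not Graylog’s own aggregation code: a sliding-window count aggregation in Python run over constructed sshd syslog lines. The app_status field is derived here from the leading words of the sshd message; that derivation, the sample lines and the IP addresses are assumptions. It also goes one step beyond the post with an optional group_by="source_ip", which counts per attacking host instead of globally.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines in syslog format (RFC 5737 documentation
# addresses). Invented for this example, not real captures.
SAMPLE_LOG = """\
Mar 10 10:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Mar 10 10:00:03 bastion sshd[2103]: Failed password for root from 203.0.113.5 port 50124 ssh2
Mar 10 10:00:09 bastion sshd[2105]: Accepted publickey for deploy from 198.51.100.7 port 41002 ssh2
Mar 10 10:00:40 bastion sshd[2107]: Failed password for root from 203.0.113.5 port 50130 ssh2
Mar 10 10:01:15 bastion sshd[2109]: Failed password for invalid user test from 203.0.113.5 port 50131 ssh2
Mar 10 10:01:20 bastion sshd[2111]: Failed password for root from 198.51.100.7 port 41010 ssh2
Mar 10 10:02:30 bastion sshd[2113]: Failed password for root from 203.0.113.5 port 50140 ssh2
Mar 10 10:20:00 bastion sshd[2115]: Failed password for root from 203.0.113.5 port 50150 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
SOURCE_RE = re.compile(r" from (?P<ip>[0-9a-fA-F.:]+) port \d+")


def parse_line(line, year=2024):
    """Parse one sshd syslog line into a dict; returns None for non-sshd lines.

    Syslog timestamps carry no year, so one is supplied (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    msg = m["msg"]
    # app_status: the leading status phrase, e.g. "Failed password"
    # or "Accepted publickey" (assumed mapping, mirroring the poster's field)
    app_status = " ".join(msg.split()[:2])
    src = SOURCE_RE.search(msg)
    return {
        "timestamp": ts,
        "app_status": app_status,
        "source_ip": src["ip"] if src else None,
        "message": msg,
    }


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=3),
                       match_status="Failed password", group_by=None):
    """Sliding-window count aggregation filtered on a field value.

    Fires one alert each time `threshold` events whose app_status equals
    `match_status` fall within `window`. group_by=None counts globally
    (the rule from the post); group_by="source_ip" counts per host.
    """
    buckets = defaultdict(deque)   # key -> timestamps of matching events
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["app_status"] != match_status:
            continue               # the value check the built-in count lacked
        key = ev[group_by] if group_by else "*"
        q = buckets[key]
        q.append(ev["timestamp"])
        # Evict events older than the window relative to the newest event.
        while q and ev["timestamp"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"key": key, "count": len(q),
                           "first": q[0], "last": ev["timestamp"]})
            q.clear()  # one alert per threshold reached, not one per extra line
    return alerts


if __name__ == "__main__":
    for a in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(f"brute force: {a['count']} failures from {a['key']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
    for a in detect_brute_force(SAMPLE_LOG.splitlines(), group_by="source_ip"):
        print(f"per-source: {a['count']} failures from {a['key']} "
              f"ending {a['last']:%H:%M:%S}")
```

Run globally, the sample fires once at 10:01:20 (the fifth failure, counting both hosts); grouped by source_ip it fires once for 203.0.113.5 at 10:02:30, and the lone failure at 10:20:00 never trips it because the older events have left the window.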


(alias) #2

Solved with a stream & alert. But only a simple aggregation alert.


(Megan) #3

You can look at additional third-party alert plugins such as https://github.com/airbus-cyber/graylog-plugin-aggregation-count


(alias) #4

Thanks @megan201296, I’ll check this.