"filter": {"$and": [{"Category" : "Attempt.Login"}, {"Description": {"$eq": "BlockList.de: IP reported as having run attacks on Joomlas, Wordpress and other Web-Logins with Brute-Force Logins"}}, {"Description": {"$eq": "Web form authentication attack"}}]} !!! 'Attempt.Login:Test_+++_External:Relay_+++_*__+++_BlockList_x_IP_reported_as_having_run_attacks_on_Joomlas,_Wordpress_and_other_Web-Logins_with_Brute-Force_Logins': 6395, !!! 'Attempt.Login:Test_+++_Relay_+++_*__+++_Web_form_authentication_attack': 29, LABEL_CZ: Pokus o útok proti webovému serveru LABEL_EN: Web form authentication attack SEVERITY: 2 (Za středně nebezpečné považujeme (útoky na SSH a RDP)) URL: https://csirt.cesnet.cz/cs/services ### Nic hmatatelneho, nejlepe "Target.Proto": "http" 'Category': ['Attempt.Login', 'Test'], 'Confidence': 1, 'Description': 'BlockList.de: IP reported as having run attacks on ' 'Joomlas, Wordpress and other Web-Logins with Brute-Force ' 'Logins', 'DetectTime': b'\xdb4-\xc1\x00\x00\x00\x00', 'Format': 'IDEA0', 'ID': '69412746-46da-4446-97ea-f64bf93eff39', 'Node': [ {'Name': 'cz.cesnet.mentat.warden_filer', 'Type': ['Relay']}, { 'AggrWin': '00:05:00', 'Name': 'cz.cesnet.supplier.intelmq', 'SW': ['IntelMQ'], 'Type': ['Relay', 'External']}], 'Source': [ { 'IP4': [ { 'ip': b'[\xc8\x0cN', 'max': b'[\xc8\x0cN', 'min': b'[\xc8\x0cN'}]}], '_CESNET': {'StorageTime': 1468641099}, '_id': '69412746-46da-4446-97ea-f64bf93eff39', ### Podobne... nejlepe doplnit: "Target.Proto": "http" "Category": [ "Attempt.Login", "Test" ], "Description": "Web form authentication attack", "DetectTime": "2016-06-12 13:45:00Z", "EventTime": "2016-06-12 13:44:14Z", "Format": "IDEA0", "ID": "b8d4cfe7-c240-4636-8ed3-7950e2dbf527", "Node": [ { "Name": "cz.cesnet.mentat.warden_filer", "Type": [ "Relay" ] }, { "Name": "org.liberouter.collector_invea.flowmonads", "Type": [ "Relay" ] } ], "Target": [ { "IP4": [ "95.67.12.67" ], "Port": [ 80 ], "Proto": [ "TCP" ] } ], # ----------------------- TEST: "filter": {"$and": [{"Category" : "Attempt.Login"}, {"Target.Port" : 3389}, {"Description": {"$ne": "Multiple unsuccessful login attempts on MS-WBT-SERVER"}}, {"Description": {"$ne": "RDP attack"}}]} FILTER: "filter": {"$and": [{"Category" : "Attempt.Login"}, {"Target.Port" : 3389}]} OK !!! 'Attempt.Login:Test_+++_Flow:Statistical_+++_*__+++_Multiple_unsuccessful_login_attempts_on_MS-WBT-SERVER': 186332, OK !!! 'Attempt.Login:Test_+++_Relay_+++_*__+++_RDP_attack': 31, LABEL_CZ: Pokus o neoprávněné připojení k RDP serveru LABEL_EN: Unauthorized attempts to connect to the RDP server SEVERITY: 2 (Za středně nebezpečné považujeme (útoky na SSH a RDP)) URL: https://csirt.cesnet.cz/cs/services TEST: "filter": {"$and": [{"Category" : "Attempt.Login"}, {"Target.Proto" : "telnet"}, {"Description": {"$ne": "Multiple unsuccessful login attempts on TELNET"}}]} FILTER: "filter": {"$and": [{"Category" : "Attempt.Login"}, {"Target.Proto" : "telnet"}]} !!! 'Attempt.Login:Test_+++_Flow:Statistical_+++_*__+++_Multiple_unsuccessful_login_attempts_on_TELNET': 509505, LABEL_CZ: Pokus o neoprávněné připojení k TELNET serveru LABEL_EN: Unauthorized attempts to connect to the TELNET server SEVERITY: 2 (Za středně nebezpečné považujeme (útoky na SSH a RDP)) URL: https://csirt.cesnet.cz/cs/services TEST: "filter": {"$and": [{"Category" : "Attempt.Login"}, {"Target.Proto" : {"$ne": "ssh"}}, {"Source.Proto" : "ssh"}, {"Description": {"$ne": "Bruteforce"}}]} FILTER: "filter": {"$and": [{"Category" : "Attempt.Login"}, {"Target.Proto" : {"$ne": "ssh"}}, {"Source.Proto" : "ssh"}]} OK !!! 'Attempt.Login_+++_External_+++_*__+++_Bruteforce': 161, LABEL_CZ: Pokus o neoprávněné připojení k SSH serveru LABEL_EN: Unauthorized attempts to connect to the SSH server SEVERITY: 2 (Za středně nebezpečné považujeme (útoky na SSH a RDP)) URL: https://csirt.cesnet.cz/cs/services TEST: "filter": {"$and": [{"Category" : "Attempt.Login"}, {"Target.Proto" : "ssh"}, {"Description": {"$ne": "Multiple unsuccessful login attempts on SSH"}}, {"Description": {"$ne": "SSH dictionary/bruteforce attack"}}, {"Note": {"$ne": "SSH login attempt"}}, {"Description": {"$ne": "SSH attack"}}]} FILTER: "filter": {"$and": [{"Category" : "Attempt.Login"}, {"Target.Proto" : "ssh"}]} OK !!! 'Attempt.Login_+++_*__+++_*__+++_*': 29, Ukazka spada (overeno!) pod SSH bruteforce... "Note: SSH login attempt" OK !!! 'Attempt.Login_+++_Flow:Statistical_+++_*__+++_SSH_dictionary_bruteforce_attack': 189255, OK !!! 'Attempt.Login:Test_+++_Relay_+++_*__+++_SSH_attack': 44, OK !!! 'Attempt.Login:Test_+++_Flow:Statistical_+++_*__+++_SSH_dictionary_bruteforce_attack': 35849, OK !!! 'Attempt.Login:Test_+++_Flow:Statistical_+++_*__+++_Multiple_unsuccessful_login_attempts_on_SSH': 474101, LABEL_CZ: Pokus o neoprávněné připojení k SSH serveru LABEL_EN: Unauthorized attempts to connect to the SSH server SEVERITY: 2 (Za středně nebezpečné považujeme (útoky na SSH a RDP)) URL: https://csirt.cesnet.cz/cs/services