isaackays007/splunk-ssh-bruteforce-lab

GitHub: isaackays007/splunk-ssh-bruteforce-lab

基于 Splunk 的 SSH 暴力破解检测工程实验,涵盖日志采集、SPL 查询、MITRE ATT&CK 映射与风险评分的完整 SIEM 管线。

Stars: 0 | Forks: 0

# Splunk SSH 暴力破解检测实验 ## 1. SSH 暴力破解模拟(Linux Forwarder) ### 概述 为了给 SIEM 检测工程生成真实的身份验证失败日志,我在我的 Linux Universal Forwarder 虚拟机上模拟了一次暴力破解攻击。这些事件被转发到 Splunk Enterprise 进行检测。 ### 执行的命令 ``` for i in {1..10}; do ssh fakeuser@localhost; done ## 步骤 2 — 针对 SSH Brute-Force 尝试的 SPL 检测逻辑 ### SPL 查询 — 基础 SSH Brute-Force 检测 ```spl index=linux_logs sourcetype=linux:auth "Failed password" | stats count BY src_ip user | where count >= 5 | sort -count ### SPL 查询 – 时间窗口 SSH Brute-Force 检测 ```spl index=linux_logs sourcetype=linux:auth "Failed password" | bin _time span=1m | stats count BY src_ip user _time | where count >= 5 | sort -_time -count ### 此检测的功能 - Identifies repeated SSH authentication failures from the same source IP. - Flags brute-force behavior when failures reach a threshold of 5 attempts. - Uses a 1‑minute time window to reduce false positives and highlight real attack patterns. - Produces clean, sortable output for dashboards, correlation searches, and alerting. ### 使用的字段 | Field | Description | |---------|--------------------------------------------------| | src_ip | Source IP attempting SSH login | | user | Username targeted | | _time | Timestamp of failed attempt | | count | Number of failures per IP/user | ### 检测阈值 This detection triggers when a source IP generates **5 or more failed SSH login attempts** within a 1‑minute window. The threshold can be tuned based on environment noise or authentication patterns. ## 步骤 3 — Correlation Search 和风险评分 ### Correlation Search — SSH Brute-Force 检测 (MITRE ATT&CK T1110) ```spl index=linux_logs sourcetype=linux:auth "Failed password" | bin _time span=1m | stats count BY src_ip user _time | where count >= 5 | eval severity="high", tactic="Credential Access", technique="T1110" | table _time src_ip user count severity tactic technique ### 风险评分增强 ```spl | eval risk_object=src_ip | eval risk_score=20 | eval risk_message="SSH brute-force activity detected" | table _time src_ip user count severity tactic technique risk_object risk_score risk_message ### MITRE ATT&CK 映射 (T1110 — Brute Force) This detection aligns with **MITRE ATT&CK Technique T1110 – Brute Force**, under the *Credential Access* tactic. Attackers often attempt repeated SSH login failures to guess valid credentials. By tagging the detection with tactic and technique values, the event becomes compatible with: - MITRE dashboards - Threat intelligence overlays - Risk-Based Alerting (RBA) - Correlation search frameworks ### 此 Correlation Search 的工作原理 This correlation search combines: - SSH authentication failure logs - A 1‑minute brute‑force detection window - MITRE ATT&CK mapping - Risk scoring enrichment The result is a fully enriched security event that can feed: - Enterprise Security correlation searches - Risk-Based Alerting (RBA) - Threat dashboards - SOC triage workflows This is the same structure used in real Splunk ES environments. ```
标签:Splunk SPL, 子域枚举, 安全运营, 扫描框架