isaackays007/splunk-ssh-bruteforce-lab
GitHub: isaackays007/splunk-ssh-bruteforce-lab
基于 Splunk 的 SSH 暴力破解检测工程实验,涵盖日志采集、SPL 查询、MITRE ATT&CK 映射与风险评分的完整 SIEM 管线。
Stars: 0 | Forks: 0
# Splunk SSH 暴力破解检测实验
## 1. SSH 暴力破解模拟(Linux Forwarder)
### 概述
为了给 SIEM 检测工程生成真实的身份验证失败日志,我在我的 Linux Universal Forwarder 虚拟机上模拟了一次暴力破解攻击。这些事件被转发到 Splunk Enterprise 进行检测。
### 执行的命令
```
for i in {1..10}; do ssh fakeuser@localhost; done
## 步骤 2 — 针对 SSH Brute-Force 尝试的 SPL 检测逻辑
### SPL 查询 — 基础 SSH Brute-Force 检测
```spl
index=linux_logs sourcetype=linux:auth "Failed password"
| stats count BY src_ip user
| where count >= 5
| sort -count
### SPL 查询 – 时间窗口 SSH Brute-Force 检测
```spl
index=linux_logs sourcetype=linux:auth "Failed password"
| bin _time span=1m
| stats count BY src_ip user _time
| where count >= 5
| sort -_time -count
### 此检测的功能
- Identifies repeated SSH authentication failures from the same source IP.
- Flags brute-force behavior when failures reach a threshold of 5 attempts.
- Uses a 1‑minute time window to reduce false positives and highlight real attack patterns.
- Produces clean, sortable output for dashboards, correlation searches, and alerting.
### 使用的字段
| Field | Description |
|---------|--------------------------------------------------|
| src_ip | Source IP attempting SSH login |
| user | Username targeted |
| _time | Timestamp of failed attempt |
| count | Number of failures per IP/user |
### 检测阈值
This detection triggers when a source IP generates **5 or more failed SSH login attempts** within a 1‑minute window.
The threshold can be tuned based on environment noise or authentication patterns.
## 步骤 3 — Correlation Search 和风险评分
### Correlation Search — SSH Brute-Force 检测 (MITRE ATT&CK T1110)
```spl
index=linux_logs sourcetype=linux:auth "Failed password"
| bin _time span=1m
| stats count BY src_ip user _time
| where count >= 5
| eval severity="high", tactic="Credential Access", technique="T1110"
| table _time src_ip user count severity tactic technique
### 风险评分增强
```spl
| eval risk_object=src_ip
| eval risk_score=20
| eval risk_message="SSH brute-force activity detected"
| table _time src_ip user count severity tactic technique risk_object risk_score risk_message
### MITRE ATT&CK 映射 (T1110 — Brute Force)
This detection aligns with **MITRE ATT&CK Technique T1110 – Brute Force**, under the *Credential Access* tactic.
Attackers often attempt repeated SSH login failures to guess valid credentials.
By tagging the detection with tactic and technique values, the event becomes compatible with:
- MITRE dashboards
- Threat intelligence overlays
- Risk-Based Alerting (RBA)
- Correlation search frameworks
### 此 Correlation Search 的工作原理
This correlation search combines:
- SSH authentication failure logs
- A 1‑minute brute‑force detection window
- MITRE ATT&CK mapping
- Risk scoring enrichment
The result is a fully enriched security event that can feed:
- Enterprise Security correlation searches
- Risk-Based Alerting (RBA)
- Threat dashboards
- SOC triage workflows
This is the same structure used in real Splunk ES environments.
```
标签:Splunk SPL, 子域枚举, 安全运营, 扫描框架