Detecting Windows Attacks with Splunk - Detecting RDP Brute Force Attacks

Question of this section is:
Construct a Splunk query targeting the “ssh_bruteforce” index and the “bro:ssh:json” sourcetype. The resulting output should display the time bucket, source IP, destination IP, client, and server, together with the cumulative count of authentication attempts where the total number of attempts surpasses 30 within a 5-minute time window. Enter the IP of the client that performed the SSH brute attack as your answer.

By using the below query we can see there are 17 events in total:
index="ssh_bruteforce" sourcetype="bro:ssh:json" latest=now

So, obviously if we search for 30+ attempts within a 5-minute time window we get 0 results.

There is only one source IP address in the events but I think the question is wrong.

Am I wrong?

I had the same problem.

Even with auth_attempts > 1

I had 2 results. 1 with 5 and 1 with 12

There has to be an issue with the question.

If you check out the fields available you’ll find an auth_attempts field. I believe the question is asking us to add up the auth_attempts within that 5 min time window and then check if the total is more than 30.

Dk if you solved it but this query works:
index="ssh_bruteforce" sourcetype="bro:ssh:json" | stats count as auth_attempts by src_ip, dest_ip
| table src_ip, dest_ip, auth_attempts
The answer is the src_ip

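The approach the thread settles on (5-minute buckets, sum of auth_attempts per connection pair, threshold of 30) implemented in Python over constructed Zeek ssh.log JSON lines, as an added example that is not part of the original thread; the IPs, client/server banners and timestamps are made up, and the equivalent SPL is given in the docstring (src_ip/dest_ip are assumed to be the aliases the thread's queries rely on for Zeek's id.orig_h/id.resp_h):

```python
import json
from collections import defaultdict

# Constructed Zeek ssh.log records in JSON form (the shape the bro:ssh:json
# sourcetype ingests); documentation-range IPs, made-up values.
SAMPLE_LOG = """
{"ts":1591000000.0,"id.orig_h":"192.0.2.10","id.resp_h":"198.51.100.5","client":"SSH-2.0-paramiko_2.7.1","server":"SSH-2.0-OpenSSH_7.4","auth_attempts":12}
{"ts":1591000060.0,"id.orig_h":"192.0.2.10","id.resp_h":"198.51.100.5","client":"SSH-2.0-paramiko_2.7.1","server":"SSH-2.0-OpenSSH_7.4","auth_attempts":12}
{"ts":1591000120.0,"id.orig_h":"192.0.2.10","id.resp_h":"198.51.100.5","client":"SSH-2.0-paramiko_2.7.1","server":"SSH-2.0-OpenSSH_7.4","auth_attempts":9}
{"ts":1591000400.0,"id.orig_h":"192.0.2.10","id.resp_h":"198.51.100.5","client":"SSH-2.0-paramiko_2.7.1","server":"SSH-2.0-OpenSSH_7.4","auth_attempts":5}
{"ts":1591000090.0,"id.orig_h":"192.0.2.20","id.resp_h":"198.51.100.5","client":"SSH-2.0-OpenSSH_8.2","server":"SSH-2.0-OpenSSH_7.4","auth_attempts":1}
{"ts":1591000095.0,"id.orig_h":"192.0.2.21","id.resp_h":"198.51.100.5","client":"SSH-2.0-OpenSSH_8.2","server":"SSH-2.0-OpenSSH_7.4"}
"""

def parse_zeek_json(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def time_bucket(ts, span=300):
    """Floor an epoch timestamp to the start of its span-second bucket,
    the same grouping Splunk's `bin _time span=5m` produces."""
    return int(ts) - int(ts) % span

def bruteforce_candidates(events, threshold=30, span=300):
    """Sum auth_attempts per (bucket, src, dst, client, server) and keep the
    groups whose total exceeds threshold.  Equivalent SPL (assumed aliases):
      index="ssh_bruteforce" sourcetype="bro:ssh:json"
      | bin _time span=5m
      | stats sum(auth_attempts) as total by _time src_ip dest_ip client server
      | where total > 30
    Counting events instead of summing auth_attempts (the `stats count`
    variant) under-reports, since one Zeek record covers many attempts."""
    totals = defaultdict(int)
    for e in events:
        key = (time_bucket(e["ts"], span), e["id.orig_h"], e["id.resp_h"],
               e.get("client", "-"), e.get("server", "-"))
        # auth_attempts is optional in Zeek's ssh.log; a missing value counts as 0
        totals[key] += int(e.get("auth_attempts", 0))
    return [
        {"_time": k[0], "src_ip": k[1], "dest_ip": k[2], "client": k[3],
         "server": k[4], "total": t}
        for k, t in sorted(totals.items()) if t > threshold
    ]

if __name__ == "__main__":
    for row in bruteforce_candidates(parse_zeek_json(SAMPLE_LOG)):
        print(row)
```

On the sample data only 192.0.2.10 crosses the threshold (33 attempts in its first 5-minute bucket); its later record at +400 s falls into the next bucket and is not combined with the first three.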