I would like to know if it is possible to obtain the basic info (device, source IP, etc.) of a "Password spraying" attacker that attempts to access a Linux machine through SSH or a Windows one through RDP.
Thanks for your help!
Can your high-level attack description be translated to the Suricata rule language? If that is the case then yes, Suricata will log the attacker's source IP among other things.
As most password authentications over the network are encrypted you would need a heuristics-based approach. A rule with the threshold keyword looking for many established connections between the same IP addresses in a short time frame might do the trick.
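As an added illustration of the threshold-based approach described in the answer (these rules are constructed for this page and are not from the thread or from the Suricata project), the two signatures below count new SSH and RDP connections per source and alert when a source opens many of them in a short window. The thresholds, sids, and the use of the standard `$HOME_NET`/`$EXTERNAL_NET` variables are assumptions; tune `count` and `seconds` to your environment. The point of the extra `content` matches is to hit exactly one packet per connection (the cleartext SSH client banner, and the RDP X.224 Connection Request), so the threshold counts connections rather than every packet of an established flow.

```suricata
# Constructed example rules, not part of the original thread.
# Assumptions: Suricata 6.x, $HOME_NET/$EXTERNAL_NET defined in suricata.yaml,
# count/seconds and sid values chosen for illustration only.

# SSH: the client banner "SSH-2.0-..." is sent in clear exactly once per
# connection, so matching it counts connections, not packets.
# type both -> one alert per 60 s window once 20 new connections are seen
# from the same source IP (track by_src). The alert's src_ip is the attacker.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Possible SSH password spraying/brute force - many new connections from one source"; flow:established,to_server; content:"SSH-"; depth:4; threshold:type both, track by_src, count 20, seconds 60; classtype:attempted-recon; sid:9000001; rev:1;)

# RDP: the first client PDU is an X.224 Connection Request inside a TPKT
# header: bytes 0-1 are 03 00 and byte 5 is the X.224 CR type 0xE0.
# It is sent once per connection, before TLS/NLA starts.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"Possible RDP password spraying/brute force - many new connections from one source"; flow:established,to_server; content:"|03 00|"; startswith; content:"|e0|"; distance:3; within:1; threshold:type both, track by_src, count 20, seconds 60; classtype:attempted-recon; sid:9000002; rev:1;)
```

Two caveats when reading the resulting alerts. First, a connection count is only a proxy for authentication attempts: an SSH server allows several password tries per connection (OpenSSH's `MaxAuthTries` defaults to 6), so a patient tool that reuses connections will undercount, while legitimate automation (configuration management, monitoring) that opens many short SSH sessions can trip the rule and should be excluded with `pass` rules or a higher threshold. Second, the rules identify the source IP, not the "device"; beyond the IP, the SSH banner matched above (the client software string, visible in the packet payload logged with the alert) is the most that an encrypted session exposes, and RDP's Connection Request carries a cleartext routing cookie (`mstshash=<username>`) that Suricata 5+ exposes through the `rdp.cookie` keyword, which shows which account names are being sprayed.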