MySQL dictionary attack rule

Hi, does anyone know of a Suricata rule that detects a number of failed authentications within a given time window in MySQL? It is to detect dictionary attacks.

Hi, here is my rule to detect MySQL brute force. You can try it; if you run into any issue, please give me feedback.

# sid 1000001: mark flows whose server greeting advertises mysql_native_password (MySQL 8 defaults to caching_sha2_password, so change the content match if that is what your server sends; nothing here can match on TLS-encrypted sessions)
alert tcp any any -> any any (msg: "mysql traffic"; flow: to_client, established; content: "mysql_native_password"; flowbits: set, mysql.1000001; flowbits: noalert; classtype: bad-unknown; sid: 1000001; rev: 1;)
# sid 1000002: an "Access denied" error on a marked flow; noalert, it only sets the second flowbit
alert tcp any any -> any any (msg: "mysql login failed"; flow: to_client, established; pcre:"/Access\sdenied\sfor\suser\s'\S+'@'\S+'\s\(using\s\S+:\s\S+\)/"; flowbits: isset, mysql.1000001; flowbits: set, mysql.1000002; flowbits: noalert; classtype: misc-activity; sid: 1000002; rev: 1;)
# sid 1000003: 200 denials in 30 s per client. The traffic is to_client, so the client is the packet destination: track by_dst (track by_src would count per MySQL server, not per attacking client)
alert tcp any any -> any any (msg: "mysql bruteforce"; flow: to_client, established; pcre:"/Access\sdenied\sfor\suser\s'\S+'@'\S+'\s\(using\s\S+:\s\S+\)/"; flowbits: isset, mysql.1000002; threshold: type threshold, track by_dst, count 200, seconds 30; classtype: misc-activity; sid: 1000003; priority: 3; rev: 1; metadata: description failed login 200 in 30 seconds;)
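Added example, not part of the thread or the poster's rules: a Python re-implementation of the three-rule chain (greeting flowbit, denial flowbit, per-IP threshold) that can be run offline over constructed MySQL server-to-client packets. It lets you check the regex against real ERR packet framing and see how the threshold tracks IPs. The MySQL ERR packet layout is real; the server greeting is a stripped-down stand-in that only carries the plugin name, the threshold counter is an approximation of Suricata's, and all hosts, flow ids and the MysqlBruteForceDetector/simulate names are hypothetical.

```python
"""Offline model of the Suricata MySQL brute-force rule chain (example code)."""
import re
import struct
from collections import defaultdict

# Same regex as sid 1000002/1000003, applied to the raw server->client payload.
ACCESS_DENIED = re.compile(rb"Access\sdenied\sfor\suser\s'\S+'@'\S+'\s\(using\s\S+:\s\S+\)")
# Same content match as sid 1000001: the auth plugin name in the server greeting.
HANDSHAKE_PLUGIN = b"mysql_native_password"


def mysql_err_packet(message: str, code: int = 1045, sqlstate: str = "28000", seq: int = 2) -> bytes:
    """MySQL ERR packet: 3-byte LE length, 1-byte sequence id, 0xFF header,
    2-byte LE error code, '#' + 5-char SQLSTATE, then the human-readable message."""
    body = b"\xff" + struct.pack("<H", code) + b"#" + sqlstate.encode() + message.encode()
    return struct.pack("<I", len(body))[:3] + bytes([seq]) + body


def access_denied(user: str, host: str, with_password: bool = True) -> bytes:
    """ER_ACCESS_DENIED_ERROR (1045) as the server sends it after a bad login."""
    pw = "YES" if with_password else "NO"
    return mysql_err_packet(f"Access denied for user '{user}'@'{host}' (using password: {pw})")


def server_greeting(plugin: bytes = HANDSHAKE_PLUGIN) -> bytes:
    """Constructed stand-in for the initial handshake: only the plugin name matters here."""
    return b"\x0a8.0.36\x00" + b"\x00" * 24 + plugin + b"\x00"


class MysqlBruteForceDetector:
    """Mirrors sid 1000001-1000003: flowbit on the greeting, flowbit on a denial,
    then 'threshold' semantics (alert every `count` hits within `seconds`) per tracked IP."""

    def __init__(self, count: int = 200, seconds: int = 30, track: str = "by_dst") -> None:
        self.count, self.seconds, self.track = count, seconds, track
        self.greeted = set()                                # flows with mysql.1000001 set
        self.counters = defaultdict(lambda: [None, 0])      # key -> [window_start, hits]

    def observe(self, ts: float, flow: str, server_ip: str, client_ip: str, payload: bytes) -> bool:
        """Feed one server->client packet; True when the brute-force rule would alert."""
        if HANDSHAKE_PLUGIN in payload:
            self.greeted.add(flow)
        if flow not in self.greeted or not ACCESS_DENIED.search(payload):
            return False
        # to_client traffic: src is the MySQL server, dst is the client. by_src therefore
        # pools every client's failures under the server; by_dst counts per attacker.
        key = server_ip if self.track == "by_src" else client_ip
        state = self.counters[key]
        if state[0] is None or ts - state[0] > self.seconds:
            state[0], state[1] = ts, 0                      # start a new window
        state[1] += 1
        if state[1] >= self.count:
            state[1] = 0                                    # alert, then count again
            return True
        return False


def build_traffic() -> list:
    """Constructed events (ts, flow, server, client, payload); one TCP flow per attempt."""
    server, events = "10.0.0.10", []

    def attempt(ts, flow, client, user, plugin=HANDSHAKE_PLUGIN):
        events.append((ts, flow, server, client, server_greeting(plugin)))
        events.append((ts + 0.001, flow, server, client, access_denied(user, client)))

    for i in range(199):                                    # attacker: 199 failures in ~10 s
        attempt(i * 0.05, f"atk-{i}", "10.0.0.5", "root")
    attempt(10.0, "alice-1", "10.0.0.9", "alice")            # one legitimate typo
    for i in range(200):                                    # attacker keeps going
        attempt(11.0 + i * 0.05, f"atk2-{i}", "10.0.0.5", "root")
    for i in range(300):                                    # MySQL 8 default plugin: sid 1000001 never sets its flowbit
        attempt(i * 0.05, f"sha2-{i}", "10.0.0.7", "root", b"caching_sha2_password")
    return sorted(events)


def simulate(track: str = "by_dst") -> dict:
    """Run the constructed traffic through the detector; alerts keyed by client IP."""
    det = MysqlBruteForceDetector(track=track)
    alerts = defaultdict(int)
    for ts, flow, server, client, payload in build_traffic():
        if det.observe(ts, flow, server, client, payload):
            alerts[client] += 1
    return dict(alerts)


if __name__ == "__main__":
    print("by_dst:", simulate("by_dst"))   # one alert, attributed to the attacker
    print("by_src:", simulate("by_src"))   # alice's single typo becomes the 200th hit
```

Run it with the two tracking modes to see the difference: tracked by destination, the attacker's 200th failure raises the one alert and the caching_sha2_password client never counts at all; tracked by source, all clients share the server's counter, so the legitimate user's single failure is what crosses the threshold and is the IP reported.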

Thank you very much for everything, it works.