quadrantsec/sagan-rules

Duplicity SID for GCP Login Failure


Hello,

I've found a duplicate signature ID in these two signatures:

#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[GCP] Login Failure"; content: "cloudaudit.googleapis.com"; content: "google.login.LoginService.loginFailure"; threshold: type limit, track by_src&by_username, count 1, seconds 3600; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5005995; parse_src_ip: 1; sid: 5005995; rev:2;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[GCP] Login Failure - Brute Force [5/1]"; content: "cloudaudit.googleapis.com"; content: "google.login.LoginService.loginFailure"; parse_src_ip: 1; xbits: set,brute_force,track ip_src, expire 21600; after: track by_src, count 5, seconds 60; threshold: type suppress, track by_src&by_username, count 1, seconds 21600; classtype: brute-force; reference: url,wiki.quadrantsec.com/bin/view/Main/5005995; sid: 5005995; rev:2;)

If I want to, I'm not able to use them together. Is it possible to change it?

Hi jurkapavel, thank you for bringing this to our attention. We have modified the SID for [GCP] Login Failure so it can be used. If you wish to use both of the GCP Login Failure rules together, you will want to uncomment (remove the #) the non-brute force rule.
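As an added example (not part of this issue or of the sagan-rules project), here is a small Python checker that scans a rule file for `sid:` values and reports any that occur more than once. Commented-out rules can be included so that a collision like the one above is caught before someone uncomments the rule. The sample rule text is constructed from shortened versions of the two rules in the issue plus one unrelated rule.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the issue: the first rule is commented out,
# the second is active, and both carry sid 5005995. A third rule is unrelated.
SAMPLE_RULES = """\
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[GCP] Login Failure"; content: "cloudaudit.googleapis.com"; sid: 5005995; rev:2;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[GCP] Login Failure - Brute Force [5/1]"; content: "cloudaudit.googleapis.com"; sid: 5005995; rev:2;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[GCP] Some other event"; sid: 5005996; rev:1;)
"""

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')


def parse_rules(text):
    """Return (line_no, active, sid, msg) for every rule line in text.
    active is False when the rule is commented out with a leading '#'."""
    rules = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        active = not line.startswith('#')
        body = line.lstrip('#').strip()
        sid_m = SID_RE.search(body)
        if not sid_m:
            continue  # not a rule line, or a rule without a sid: skip it
        msg_m = MSG_RE.search(body)
        rules.append((line_no, active, int(sid_m.group(1)),
                      msg_m.group(1) if msg_m else ''))
    return rules


def find_duplicate_sids(text, include_commented=False):
    """Map each sid used more than once to the (line_no, msg) pairs using it.
    With include_commented=True, commented-out rules count as well, which
    flags collisions that would appear as soon as such a rule is uncommented."""
    by_sid = defaultdict(list)
    for line_no, active, sid, msg in parse_rules(text):
        if active or include_commented:
            by_sid[sid].append((line_no, msg))
    return {sid: uses for sid, uses in by_sid.items() if len(uses) > 1}


if __name__ == '__main__':
    for sid, uses in find_duplicate_sids(SAMPLE_RULES, include_commented=True).items():
        print(f'sid {sid} is used {len(uses)} times:')
        for line_no, msg in uses:
            print(f'  line {line_no}: {msg}')
```

Running the checker with `include_commented=False` reports nothing for this sample, because only one of the two colliding rules is active; with `include_commented=True` it reports sid 5005995 on lines 1 and 2.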