policy/protocols/ssh/detect-bruteforcing.bro
-
SSH
Detect hosts which are doing password guessing attacks and/or password
bruteforcing over SSH.
Detailed Interface
Options
-
SSH::guessing_timeout
-
The amount of time to remember presumed non-successful logins to
build a model of a password guesser.
-
SSH::ignore_guessers
-
This value can be used to exclude hosts or entire networks from being
tracked as potential “guessers”. The index represents
client subnets and the yield value represents server subnets.
-
SSH::password_guesses_limit
-
The number of failed SSH connections before a host is designated as
guessing passwords.