policy/protocols/ssh/detect-bruteforcing.bro

SSH

Detect hosts which are doing password guessing attacks and/or password bruteforcing over SSH.

Namespace: SSH
Imports: base/frameworks/intel, base/frameworks/notice, base/frameworks/sumstats, base/protocols/ssh
Source File: /scripts/policy/protocols/ssh/detect-bruteforcing.bro

Summary

Redefinable Options

SSH::guessing_timeout: interval &redef The amount of time to remember presumed non-successful logins to build a model of a password guesser.
SSH::ignore_guessers: table &redef This value can be used to exclude hosts or entire networks from being tracked as potential “guessers”.
SSH::password_guesses_limit: double &redef The number of failed SSH connections before a host is designated as guessing passwords.

Redefinitions

Intel::Where: enum  
Notice::Type: enum  

Detailed Interface

Redefinable Options

SSH::guessing_timeout
Type: interval
Attributes: &redef
Default: 30.0 mins

The amount of time to remember presumed non-successful logins to build a model of a password guesser.

SSH::ignore_guessers
Type: table [subnet] of subnet
Attributes: &redef
Default: {}

This value can be used to exclude hosts or entire networks from being tracked as potential “guessers”. The index represents client subnets and the yield value represents server subnets.

SSH::password_guesses_limit
Type: double
Attributes: &redef
Default: 30.0

The number of failed SSH connections before a host is designated as guessing passwords.
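A site-tuning sketch that sets the three options above together, for example in local.bro. This is an added example, not part of the shipped script; the threshold, the interval and the subnets (RFC 5737 documentation ranges) are constructed values to replace with your own.

```bro
# Load the policy script; it is not part of the base scripts.
@load protocols/ssh/detect-bruteforcing

# Designate a host as a password guesser after 10 failed SSH
# connections instead of the default 30.0. The option is a
# double, so the value is written with a decimal point.
redef SSH::password_guesses_limit = 10.0;

# Remember presumed non-successful logins for one hour instead of
# the default 30.0 mins, so slower guessing still accumulates
# toward the limit.
redef SSH::guessing_timeout = 1 hr;

# Exclude known-noisy clients from being tracked as guessers.
# Index = client subnet, yield = server subnet: a client is only
# ignored while it connects to servers inside the paired subnet.
redef SSH::ignore_guessers += {
	# Constructed example: a configuration-management host that
	# is only expected to reach the server range below.
	[192.0.2.10/32] = 198.51.100.0/24,

	# Constructed example: an internal scanner network, ignored
	# only for connections into the lab server range.
	[192.0.2.128/25] = 203.0.113.0/24,
};
```

Keeping the server side of each ignore_guessers entry as narrow as possible means an excluded client is still tracked when it fails logins against servers outside the paired subnet.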

Copyright 2016, The Bro Project. Last updated on January 10, 2019. Created using Sphinx 1.7.5.