policy/protocols/ssh/detect-bruteforcing.bro

SSH

Detect hosts which are doing password guessing attacks and/or password bruteforcing over SSH.

Namespace: SSH
Imports: base/frameworks/intel, base/frameworks/notice, base/frameworks/sumstats, base/protocols/ssh
Source File: /scripts/policy/protocols/ssh/detect-bruteforcing.bro

Summary

Options

SSH::guessing_timeout: interval &redef
    The amount of time to remember presumed non-successful logins to build a model of a password guesser.
SSH::ignore_guessers: table &redef
    This value can be used to exclude hosts or entire networks from being tracked as potential “guessers”.
SSH::password_guesses_limit: double &redef
    The number of failed SSH connections before a host is designated as guessing passwords.

Redefinitions

Intel::Where: enum  
Notice::Type: enum  

Detailed Interface

Options

SSH::guessing_timeout
Type: interval
Attributes: &redef
Default: 30.0 mins

The amount of time to remember presumed non-successful logins to build a model of a password guesser.

SSH::ignore_guessers
Type: table [subnet] of subnet
Attributes: &redef
Default: {}

This value can be used to exclude hosts or entire networks from being tracked as potential “guessers”. There are cases where the success heuristic fails, and in those cases this table acts as the whitelist. The index represents client subnets and the yield value represents server subnets, so an entry excludes a client subnet only for connections to the paired server subnet.

SSH::password_guesses_limit
Type: double
Attributes: &redef
Default: 30.0

The number of failed SSH connections before a host is designated as guessing passwords.
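
Added example (not part of the Bro distribution or this script's code): a simplified Python model of how the three options above interact, run over constructed failure records. The function names, the sample addresses, and the assumption that a host is flagged once its remembered failures reach the limit are illustrative only.

```python
import ipaddress
from collections import defaultdict

GUESSING_TIMEOUT = 30 * 60      # SSH::guessing_timeout default (30.0 mins), in seconds
PASSWORD_GUESSES_LIMIT = 30.0   # SSH::password_guesses_limit default
# SSH::ignore_guessers: index = client subnet, yield = server subnet (constructed values)
IGNORE_GUESSERS = {
    ipaddress.ip_network("192.0.2.0/28"): ipaddress.ip_network("198.51.100.0/24"),
}

def is_ignored(client, server, ignore=IGNORE_GUESSERS):
    """True only when the client is in an index subnet AND the server is in its yield."""
    c, s = ipaddress.ip_address(client), ipaddress.ip_address(server)
    return any(c in cnet and s in snet for cnet, snet in ignore.items())

def find_guessers(failures, limit=PASSWORD_GUESSES_LIMIT,
                  timeout=GUESSING_TIMEOUT, ignore=IGNORE_GUESSERS):
    """failures: iterable of (epoch_seconds, client_ip, server_ip) failed logins.
    Returns {client_ip: time its remembered failures reached `limit`}."""
    recent = defaultdict(list)  # client -> timestamps of remembered failures
    flagged = {}
    for ts, client, server in sorted(failures):
        if client in flagged or is_ignored(client, server, ignore):
            continue
        # Forget failures older than the timeout, then remember this one.
        window = [t for t in recent[client] if ts - t < timeout] + [ts]
        recent[client] = window
        if len(window) >= limit:  # assumption: flag when the count reaches the limit
            flagged[client] = ts
    return flagged

def sample_failures():
    """Constructed sample data: three clients, failures as (ts, client, server)."""
    events = []
    # Fast guesser: 30 failures, one every 10 s, against one server.
    events += [(i * 10, "203.0.113.7", "198.51.100.5") for i in range(30)]
    # Slow client: 30 failures, one every 2 minutes (at most 15 remembered at once).
    events += [(i * 120, "203.0.113.8", "198.51.100.5") for i in range(30)]
    # Excluded client: 40 failures against the server subnet it is paired with.
    events += [(i * 5, "192.0.2.3", "198.51.100.9") for i in range(40)]
    return events

if __name__ == "__main__":
    for host, when in find_guessers(sample_failures()).items():
        print(f"{host} designated as password guesser at t={when}s")
```

The slow client shows the trade-off between the two tunables: guessing spread out so that fewer than the limit fall inside the timeout is never flagged, so lowering the limit or lengthening the timeout widens coverage at the cost of more false positives.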


Copyright 2013, The Bro Project. Last updated on June 15, 2015. Created using Sphinx 1.2.2.