policy/protocols/ssh/detect-bruteforcing.bro
-
SSH
Detect hosts which are doing password guessing attacks and/or password
bruteforcing over SSH.
Detailed Interface
Options
-
SSH::guessing_timeout
-
The amount of time to remember presumed non-successful logins to
build a model of a password guesser.
-
SSH::ignore_guessers
-
This value can be used to exclude hosts or entire networks from being
tracked as potential “guessers”. There are cases where the success
heuristic fails and this acts as the whitelist. The index represents
client subnets and the yield value represents server subnets.
-
SSH::password_guesses_limit
-
The number of failed SSH connections before a host is designated as
guessing passwords.