policy/protocols/ftp/detect-bruteforcing.zeek

FTP

FTP brute-forcing detector, triggering when too many rejected usernames or failed passwords have occurred from a single address.

Namespace: FTP

Imports: base/frameworks/sumstats, base/protocols/ftp, base/utils/time.zeek

Summary

Redefinable Options

FTP::bruteforce_measurement_interval: interval &redef

The time period within which the threshold must be crossed; the count is reset when the interval expires.

FTP::bruteforce_threshold: double &redef

The number of rejected usernames or passwords required before a host is considered to be bruteforcing.

Redefinitions

Notice::Type: enum

  • FTP::Bruteforcing: Indicates a host bruteforcing FTP logins by watching for too many rejected usernames or failed passwords.

Detailed Interface

Redefinable Options

FTP::bruteforce_measurement_interval

Type: interval

Attributes: &redef

Default: 15.0 mins

The time period within which the threshold must be crossed; the count is reset when the interval expires.

FTP::bruteforce_threshold

Type: double

Attributes: &redef

Default: 20.0

The number of rejected usernames or passwords required before a host is considered to be bruteforcing.
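
The following is an added example, not part of the Zeek documentation or the script itself: a site-local configuration (for instance in local.zeek) that tunes both options and routes the resulting FTP::Bruteforcing notice. The values 10.0, 5 mins and 1 hr are illustrative assumptions, and the local/external split assumes Site::local_nets is configured for the deployment.

```zeek
# Added example; the tuning values are assumptions, not project defaults.
@load policy/protocols/ftp/detect-bruteforcing

# Flag a source after 10 rejected usernames or failed passwords
# (the documented default is 20.0).
redef FTP::bruteforce_threshold = 10.0;

# The 10 failures must occur within a 5-minute window
# (the documented default is 15.0 mins).
redef FTP::bruteforce_measurement_interval = 5 mins;

hook Notice::policy(n: Notice::Info)
	{
	if ( n$note != FTP::Bruteforcing )
		return;

	# Assumption: the notice carries the offending address in $src.
	if ( n?$src && Site::is_local_addr(n$src) )
		{
		# An internal host guessing FTP credentials is more likely a
		# compromised machine than scan noise, so escalate by e-mail.
		# Requires Notice::mail_dest to be set.
		add n$actions[Notice::ACTION_EMAIL];
		}
	else
		{
		# External sources are still written to notice.log by default;
		# suppress repeat notices for the same source for an hour.
		n$suppress_for = 1 hr;
		}
	}
```

Lowering the threshold or shortening the interval raises sensitivity at the cost of more notices from users who mistype credentials, so changes are best validated against a sample of normal FTP traffic first.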