policy/protocols/ftp/detect-bruteforcing.zeek

FTP

FTP brute-forcing detector, triggering when too many rejected usernames or failed passwords have occurred from a single address.

Namespace:FTP Imports:base/frameworks/sumstats, base/protocols/ftp, base/utils/time.zeek

Summary

Redefinable Options

FTP::bruteforce_measurement_interval: interval &redef	The time period in which the threshold needs to be crossed before being reset.
FTP::bruteforce_threshold: double &redef	How many rejected usernames or passwords are required before being considered to be bruteforcing.

Redefinitions

Notice::Type: enum

Detailed Interface

Redefinable Options

FTP::bruteforce_measurement_interval

Type:interval Attributes:&redef Default:15.0 mins

The time period in which the threshold needs to be crossed before being reset.

FTP::bruteforce_threshold

Type:double Attributes:&redef Default:20.0

How many rejected usernames or passwords are required before being considered to be bruteforcing.