policy/protocols/ftp/detect-bruteforcing.zeek

FTP

FTP brute-forcing detector, triggering when too many rejected usernames or failed passwords have occurred from a single address.

Namespace

FTP

Imports

base/frameworks/sumstats, base/protocols/ftp, base/utils/time.zeek

Summary

Redefinable Options

FTP::bruteforce_measurement_interval: interval &redef	The time period in which the threshold needs to be crossed before being reset.
FTP::bruteforce_threshold: double &redef	How many rejected usernames or passwords are required before being considered to be bruteforcing.

Redefinitions

Notice::Type: enum

FTP::Bruteforcing: Indicates a host bruteforcing FTP logins by watching for too many rejected usernames or failed passwords.

Detailed Interface

Redefinable Options

FTP::bruteforce_measurement_interval

Type

interval

Attributes

&redef

Default

15.0 mins

The time period in which the threshold needs to be crossed before being reset.

FTP::bruteforce_threshold

Type

double

Attributes

&redef

Default

20.0

How many rejected usernames or passwords are required before being considered to be bruteforcing.