policy/protocols/ssh/detect-bruteforcing.zeek

SSH

Detect hosts which are doing password guessing attacks and/or password bruteforcing over SSH.

Namespace: SSH

Imports: base/frameworks/intel, base/frameworks/notice, base/frameworks/sumstats, base/protocols/ssh

Summary

Redefinable Options

SSH::guessing_timeout: interval &redef

The amount of time to remember presumed non-successful logins to build a model of a password guesser.

SSH::ignore_guessers: table &redef

This value can be used to exclude hosts or entire networks from being tracked as potential “guessers”.

SSH::password_guesses_limit: double &redef

The number of failed SSH connections before a host is designated as guessing passwords.

Redefinitions

Intel::Where: enum

Notice::Type: enum

Detailed Interface

Redefinable Options

SSH::guessing_timeout

Type: interval

Attributes: &redef

Default: 30.0 mins

The amount of time to remember presumed non-successful logins to build a model of a password guesser.

SSH::ignore_guessers

Type: table [subnet] of subnet

Attributes: &redef

Default: {}

This value can be used to exclude hosts or entire networks from being tracked as potential “guessers”. The index represents client subnets and the yield value represents server subnets.

SSH::password_guesses_limit

Type: double

Attributes: &redef

Default: 30.0

The number of failed SSH connections before a host is designated as guessing passwords.
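
The three options above, tuned together in a site configuration such as local.zeek. This is an added example, not part of the shipped script: the subnets are constructed documentation-range values, the chosen limit and timeout are illustrative, and the notice hook assumes the script's Notice::Type redefinition is named SSH::Password_Guessing.

```zeek
# Added example: site-local tuning. Not part of detect-bruteforcing.zeek itself.
@load policy/protocols/ssh/detect-bruteforcing

# Designate a client as a guesser after 10 failed SSH connections
# instead of the default 30. The option is a double, hence "10.0".
redef SSH::password_guesses_limit = 10.0;

# Remember presumed non-successful logins for 1 hour rather than the
# default 30 minutes, so slower guessing still accumulates to the limit.
redef SSH::guessing_timeout = 1 hr;

# Exclude a known scanner from tracking, but only toward one server range.
# Index = client subnet, yield = server subnet (constructed sample values).
# Failures from this client to servers outside the yield subnet are
# still counted.
redef SSH::ignore_guessers += {
	[192.0.2.10/32] = 198.51.100.0/24
};

# Assumption: SSH::Password_Guessing is the notice type this script adds.
# Raise it to the alarm log in addition to notice.log.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == SSH::Password_Guessing )
		add n$actions[Notice::ACTION_ALARM];
	}
```

Keep each ignore_guessers entry as narrow as possible on both sides: a broad client subnet paired with a broad server subnet removes those clients from detection entirely.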