policy/protocols/ssh/detect-bruteforcing.zeek

SSH

Detect hosts which are doing password guessing attacks and/or password bruteforcing over SSH.

Namespace: SSH

Imports: base/frameworks/intel, base/frameworks/notice, base/frameworks/sumstats, base/protocols/ssh

Summary

Redefinable Options

SSH::guessing_timeout: interval &redef

The amount of time to remember presumed non-successful logins to build a model of a password guesser.

SSH::ignore_guessers: table &redef

This value can be used to exclude hosts or entire networks from being tracked as potential “guessers”.

SSH::password_guesses_limit: double &redef

The number of failed SSH connections before a host is designated as guessing passwords.

Redefinitions

Intel::Where: enum

Notice::Type: enum

Detailed Interface

Redefinable Options

SSH::guessing_timeout

Type: interval

Attributes: &redef

Default: 30.0 mins

The amount of time to remember presumed non-successful logins to build a model of a password guesser.

SSH::ignore_guessers

Type: table [subnet] of subnet

Attributes: &redef

Default: {}

This value can be used to exclude hosts or entire networks from being tracked as potential “guessers”. The index represents client subnets and the yield value represents server subnets.

SSH::password_guesses_limit

Type: double

Attributes: &redef

Default: 30.0

The number of failed SSH connections before a host is designated as guessing passwords.
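
A site configuration that tunes the three options above, as an added example (not code from the Zeek distribution). All addresses are constructed documentation ranges, and SSH::Password_Guessing is one of the values this script adds to Notice::Type, which this page does not list.

```zeek
# Added example for a site's local.zeek; addresses below are constructed.
@load policy/protocols/ssh/detect-bruteforcing

# Designate a client as a guesser after 10 failed SSH connections
# instead of the default 30.0. The option's type is double.
redef SSH::password_guesses_limit = 10.0;

# Remember presumed non-successful logins for 1 hour (default: 30.0 mins),
# so a client that spaces out its attempts is still counted against the limit.
redef SSH::guessing_timeout = 1 hr;

# Exclude known-noisy but legitimate clients from tracking.
# Index = client subnet, yield = server subnet. Because the table is keyed
# on the client subnet, each client subnet can map to only one server subnet;
# use a wider server subnet if one client must be ignored toward several nets.
redef SSH::ignore_guessers += {
	# Constructed: authorized scanner, ignored only toward the DMZ range.
	[192.0.2.10/32] = 198.51.100.0/24,
	# Constructed: config-management hosts, ignored toward any IPv4 server.
	[203.0.113.0/28] = 0.0.0.0/0
};

# Raise an alarm in addition to logging when the guessing notice fires.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == SSH::Password_Guessing )
		add n$actions[Notice::ACTION_ALARM];
	}
```

Keep ignore_guessers entries as narrow as possible: every client/server pair listed there is invisible to this detection, including when the listed client is itself compromised.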