policy/protocols/ssh/detect-bruteforcing.zeek
- SSH
Detect hosts which are doing password guessing attacks and/or password bruteforcing over SSH.
- Namespace: SSH
- Imports: base/frameworks/intel, base/frameworks/notice, base/frameworks/sumstats, base/protocols/ssh
Summary
Redefinable Options
- SSH::guessing_timeout: The amount of time to remember presumed non-successful logins to build a model of a password guesser.
- SSH::ignore_guessers: This value can be used to exclude hosts or entire networks from being tracked as potential “guessers”.
- SSH::password_guesses_limit: The number of failed SSH connections before a host is designated as guessing passwords.
Redefinitions
Detailed Interface
Redefinable Options
- SSH::guessing_timeout
  The amount of time to remember presumed non-successful logins to build a model of a password guesser.
- SSH::ignore_guessers
  This value can be used to exclude hosts or entire networks from being tracked as potential “guessers”. The index represents client subnets and the yield value represents server subnets.
- SSH::password_guesses_limit
  The number of failed SSH connections before a host is designated as guessing passwords.
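
A site configuration that tunes the three options above, as an added example (not part of the Zeek distribution or of this page). The thresholds and subnets are constructed values. The notice type `SSH::Password_Guessing` and the action `Notice::ACTION_ALARM` come from Zeek's SSH and notice scripts and are not listed on this page.

```zeek
# local.zeek (site policy): added example with constructed values.
@load policy/protocols/ssh/detect-bruteforcing

# Flag a client after 10 failed SSH connections instead of the shipped default.
redef SSH::password_guesses_limit = 10;

# Remember presumed failures for 15 minutes when building the guesser model.
redef SSH::guessing_timeout = 15 mins;

# Index = client subnet, yield = server subnet.
# A constructed config-management range (10.20.0.0/24) that legitimately
# opens many short SSH sessions is exempt only when it talks to the
# server range 10.30.0.0/16. The same clients failing logins against
# any other server are still tracked.
redef SSH::ignore_guessers += {
	[10.20.0.0/24] = 10.30.0.0/16,
};

# Route the resulting notice to the alarm log so it is reviewed.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == SSH::Password_Guessing )
		add n$actions[Notice::ACTION_ALARM];
	}
```

Keep each `SSH::ignore_guessers` entry as narrow as possible on both sides: a broad server subnet turns an exempted client range into a blind spot if one of those clients is compromised.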