policy/protocols/ftp/detect-bruteforcing.zeek

FTP

FTP brute-forcing detector, triggering when too many rejected usernames or failed passwords have occurred from a single address.

Namespace: FTP
Imports: base/frameworks/sumstats, base/protocols/ftp, base/utils/time.zeek

Summary

Redefinable Options

FTP::bruteforce_measurement_interval: interval &redef
    The time period in which the threshold needs to be crossed before being reset.
FTP::bruteforce_threshold: double &redef
    How many rejected usernames or passwords are required before being considered to be bruteforcing.

Redefinitions

Notice::Type: enum  

Detailed Interface

Redefinable Options

FTP::bruteforce_measurement_interval
Type: interval
Attributes: &redef
Default: 15.0 mins

The time period in which the threshold needs to be crossed before being reset.

FTP::bruteforce_threshold
Type: double
Attributes: &redef
Default: 20.0

How many rejected usernames or passwords are required before being considered to be bruteforcing.
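
A site configuration that loads this script and tunes both options, shown as an added example that is not part of the original page or the Zeek distribution. The threshold, interval and suppression values are constructed for illustration. The notice name FTP::Bruteforcing is assumed to be the value this script adds to Notice::Type, since the page does not list it.

```zeek
# local.zeek fragment (added example, values are illustrative)

# The script is a policy script, so it is not active until loaded.
@load policy/protocols/ftp/detect-bruteforcing

# Default is 20.0 failures. The option is a double, so keep the decimal.
# A lower value catches smaller bursts but raises more notices for
# users who mistype credentials repeatedly.
redef FTP::bruteforce_threshold = 10.0;

# Default is 15 mins. The count of rejected usernames and failed
# passwords for an address starts over once this period has elapsed,
# so a short interval only catches fast bursts and a long one keeps
# more per-address state in memory.
redef FTP::bruteforce_measurement_interval = 30 mins;

# Route the resulting notice. FTP::Bruteforcing is assumed here (see
# the lead-in); adjust if your Zeek version names it differently.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == FTP::Bruteforcing )
        {
        # Also write the notice to the alarm log for analyst review.
        add n$actions[Notice::ACTION_ALARM];

        # Avoid repeated notices for the same source while it keeps
        # failing logins.
        n$suppress_for = 1 hr;
        }
    }
```

Because the threshold applies per measurement interval, attempts spread thinly over a longer period stay below it, so pair this notice with longer-horizon review of failed FTP logins in ftp.log.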