policy/protocols/ssh/interesting-hostnames.zeek

SSH

This script generates a notice when an apparent SSH login originates from, or is destined to, a host whose reverse (PTR) hostname looks suspicious. "Apparent" because SSH is encrypted: Zeek infers a successful login from the session rather than observing it directly. By default, the pattern for "interesting" hostnames covers names typically given to infrastructure hosts: nameservers, SMTP/mail servers, POP and IMAP servers, web servers and FTP servers. The check depends on a reverse DNS lookup of each endpoint address, so a host without a PTR record is never flagged, and the PTR record itself is set by whoever controls the reverse zone for that address.

Namespace

SSH

Imports

base/frameworks/notice

Summary

Runtime Options

SSH::interesting_hostnames: pattern &redef

Strange/bad host names to see successful SSH logins from or to.

Redefinitions

Notice::Type: enum

Detailed Interface

Runtime Options

SSH::interesting_hostnames
Type

pattern

Attributes

&redef

Default
/^d?ns[0-9]*\./ | /^smtp[0-9]*\./ | /^mail[0-9]*\./ | /^pop[0-9]*\./ | /^imap[0-9]*\./ | /^www[0-9]*\./ | /^ftp[0-9]*\./

Strange/bad host names to see successful SSH logins from or to.
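As an added example that is not part of the Zeek script or its documentation, the following Python models the decision the script makes: after a successful SSH login, the reverse name of each endpoint is checked against the default SSH::interesting_hostnames alternatives, and every matching endpoint produces a hit. The PTR table standing in for lookup_addr(), the sample login pairs, and the hostnames are all constructed here; the seven regex alternatives are those of the default pattern shown above. It also shows what the anchored, case-sensitive pattern does not catch (mailer., ftp-gw., MAIL.) and how an extra alternative extends it, which is what a redef of SSH::interesting_hostnames does in Zeek.

```python
import re

# The seven anchored alternatives that make up the script's default
# SSH::interesting_hostnames, translated from Zeek pattern syntax (they are
# plain POSIX-style regexes, so they work unchanged in Python's re module).
DEFAULT_ALTERNATIVES = [
    r"^d?ns[0-9]*\.",
    r"^smtp[0-9]*\.",
    r"^mail[0-9]*\.",
    r"^pop[0-9]*\.",
    r"^imap[0-9]*\.",
    r"^www[0-9]*\.",
    r"^ftp[0-9]*\.",
]


def build_pattern(alternatives):
    """Join alternatives with '|' the way Zeek combines patterns. Matching
    stays case-sensitive, as a Zeek pattern is unless written with the i flag."""
    return re.compile("|".join(f"(?:{alt})" for alt in alternatives))


DEFAULT_PATTERN = build_pattern(DEFAULT_ALTERNATIVES)


def is_interesting(hostname, pattern=DEFAULT_PATTERN):
    """True if a reverse hostname would match. Every alternative is anchored
    with ^, so only the first DNS label is examined, and the trailing \\.
    means that label must be exactly the prefix plus optional digits."""
    return pattern.search(hostname) is not None


# Constructed stand-in for Zeek's lookup_addr(): PTR names for the sample
# addresses used below (documentation address ranges, not real hosts).
PTR_TABLE = {
    "192.0.2.10": "ns1.example.net",
    "192.0.2.25": "mail.example.net",
    "192.0.2.53": "dns.example.net",
    "192.0.2.80": "www2.example.net",
    "192.0.2.99": "mailer.example.net",     # letters after "mail", not a dot
    "198.51.100.7": "desk-07.corp.example",
    "198.51.100.8": "ftp-gw.example.net",   # hyphen after "ftp", not a dot
    "203.0.113.5": "MAIL.example.net",      # uppercase: case-sensitive miss
    # 203.0.113.9 deliberately has no PTR record
}

# Constructed (orig_h, resp_h) pairs standing in for the successful SSH
# logins Zeek would report.
SAMPLE_LOGINS = [
    ("198.51.100.7", "192.0.2.10"),   # desktop -> ns1: responder flagged
    ("192.0.2.25", "198.51.100.7"),   # mail -> desktop: originator flagged
    ("198.51.100.7", "192.0.2.99"),   # desktop -> mailer: nothing flagged
    ("198.51.100.8", "203.0.113.5"),  # ftp-gw -> MAIL: nothing flagged
    ("192.0.2.80", "192.0.2.53"),     # www2 -> dns: both endpoints flagged
    ("203.0.113.9", "198.51.100.7"),  # no PTR for originator: nothing to match
]


def flag_logins(logins, ptr_table, pattern=DEFAULT_PATTERN):
    """Mirror the script's decision: for each successful login, resolve the
    reverse name of both endpoints and report every endpoint whose name
    matches. Returns (orig_h, resp_h, endpoint, hostname) tuples."""
    hits = []
    for orig_h, resp_h in logins:
        for endpoint, addr in (("orig", orig_h), ("resp", resp_h)):
            hostname = ptr_table.get(addr)
            if hostname is None:
                continue  # no reverse name means no notice can be raised
            if is_interesting(hostname, pattern):
                hits.append((orig_h, resp_h, endpoint, hostname))
    return hits


if __name__ == "__main__":
    for hit in flag_logins(SAMPLE_LOGINS, PTR_TABLE):
        print("SSH login %s -> %s: %s endpoint is %s" % hit)
    # Extending the default with a site-specific name, as a redef would:
    extended = build_pattern(DEFAULT_ALTERNATIVES + [r"^bastion[0-9]*\."])
    print(is_interesting("bastion2.example.net", extended))
```

The misses are the point to take away: because each alternative requires a dot immediately after the optional digits, a site whose mail relays are named mailer01 or whose FTP gateway is ftp-gw gets no notice until those conventions are added. In a Zeek deployment that is done by redef'ing SSH::interesting_hostnames in local.zeek rather than editing the shipped script.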