detect-bruteforcing.zeek¶

SSH¶

Detect hosts which are doing password guessing attacks and/or password bruteforcing over SSH.

Namespace:	SSH
Imports:	base/frameworks/intel, base/frameworks/notice, base/frameworks/sumstats, base/protocols/ssh

Summary¶

Redefinable Options¶

`SSH::guessing_timeout`: `interval` `&redef`	The amount of time to remember presumed non-successful logins to build a model of a password guesser.
`SSH::ignore_guessers`: `table` `&redef`	This value can be used to exclude hosts or entire networks from being tracked as potential “guessers”.
`SSH::password_guesses_limit`: `double` `&redef`	The number of failed SSH connections before a host is designated as guessing passwords.

Redefinitions¶

`Intel::Where`: `enum`	`SSH::SUCCESSFUL_LOGIN`: An indicator of the login for the intel framework.
`Notice::Type`: `enum`	`SSH::Login_By_Password_Guesser`: Indicates that a host previously identified as a “password guesser” has now had a successful login attempt. `SSH::Password_Guessing`: Indicates that a host has been identified as crossing the `SSH::password_guesses_limit` threshold with failed logins.

Detailed Interface¶

Redefinable Options¶

SSH::guessing_timeout¶

Type:	`interval`
Attributes:	`&redef`
Default:	`30.0 mins`

The amount of time to remember presumed non-successful logins to build a model of a password guesser.

SSH::ignore_guessers¶

Type:	`table` [`subnet`] of `subnet`
Attributes:	`&redef`
Default:	`{}`

This value can be used to exclude hosts or entire networks from being tracked as potential “guessers”. The index represents client subnets and the yield value represents server subnets.

SSH::password_guesses_limit¶

Type:	`double`
Attributes:	`&redef`
Default:	`30.0`

The number of failed SSH connections before a host is designated as guessing passwords.