detect-bruteforcing.zeek¶

SSH¶

Detect hosts which are doing password guessing attacks and/or password bruteforcing over SSH.

Namespace: SSH
Imports: base/frameworks/intel, base/frameworks/notice, base/frameworks/sumstats, base/protocols/ssh

Summary¶

Redefinable Options¶

`SSH::guessing_timeout`: `interval` `&redef`	The amount of time to remember presumed non-successful logins to build a model of a password guesser.
`SSH::ignore_guessers`: `table` `&redef`	This value can be used to exclude hosts or entire networks from being tracked as potential “guessers”.
`SSH::password_guesses_limit`: `double` `&redef`	The number of failed SSH connections before a host is designated as guessing passwords.

Redefinitions¶

`Intel::Where`: `enum`	`SSH::SUCCESSFUL_LOGIN`: An indicator of the login for the intel framework.
`Notice::Type`: `enum`	`SSH::Login_By_Password_Guesser`: Indicates that a host previously identified as a “password guesser” has now had a successful login attempt. `SSH::Password_Guessing`: Indicates that a host has been identified as crossing the `SSH::password_guesses_limit` threshold with failed logins.

Detailed Interface¶

Redefinable Options¶

SSH::guessing_timeout ¶

Type: interval
Attributes: &redef
Default: 30.0 mins

The amount of time to remember presumed non-successful logins to build a model of a password guesser.

SSH::ignore_guessers ¶

Type: table [subnet] of subnet
Attributes: &redef
Default: {}

This value can be used to exclude hosts or entire networks from being tracked as potential “guessers”. The index represents client subnets and the yield value represents server subnets.

SSH::password_guesses_limit ¶

Type: double
Attributes: &redef
Default: 30.0

The number of failed SSH connections before a host is designated as guessing passwords.