policy/protocols/ssh/detect-bruteforcing.zeek
SSH
Detect hosts that are performing password-guessing attacks and/or password bruteforcing over SSH.
| Namespace: | SSH |
|---|---|
| Imports: | base/frameworks/intel, base/frameworks/notice, base/frameworks/sumstats, base/protocols/ssh |
Summary
Redefinable Options
| SSH::guessing_timeout : interval &redef | The amount of time to remember presumed non-successful logins to build a model of a password guesser. |
|---|---|
| SSH::ignore_guessers : table &redef | This value can be used to exclude hosts or entire networks from being tracked as potential “guessers”. |
| SSH::password_guesses_limit : double &redef | The number of failed SSH connections before a host is designated as guessing passwords. |
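A site-policy fragment that loads this script and tunes the three redefinable options, added here as an example (it is not code from the Zeek distribution). The client-subnet-to-server-subnet layout of SSH::ignore_guessers and the SSH::Password_Guessing notice name come from the script itself rather than from this page; the subnets and numeric values are constructed.

```zeek
# Added example for a site policy file such as local.zeek.
@load policy/protocols/ssh/detect-bruteforcing

# Designate a client as a password guesser after 10 failed SSH connections.
# The value 10.0 is a constructed example; the option is a double.
redef SSH::password_guesses_limit = 10.0;

# Keep failed-login state for 15 minutes instead of the 30.0 mins default,
# so slow guessing spread over a longer period is no longer counted together.
redef SSH::guessing_timeout = 15 mins;

# Exempt a known scanner or jump-host network from tracking.
# Index = client (originator) subnet, value = server (responder) subnet
# for which that client is ignored. Both subnets are documentation
# placeholders (RFC 5737), not real hosts.
redef SSH::ignore_guessers += {
	[192.0.2.0/24] = 198.51.100.0/24,
};

# Route the notice this script raises to the alarm log so it reaches
# whoever monitors notice_alarm.log.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == SSH::Password_Guessing )
		add n$actions[Notice::ACTION_ALARM];
	}
```

Lowering the limit or shortening the timeout changes both the false-positive rate and how slow an attacker must go to stay under the threshold, so adjust the two together.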
Redefinitions
| Intel::Where : enum | |
|---|---|
| Notice::Type : enum | |
Detailed Interface
Redefinable Options
SSH::guessing_timeout
Type: interval
Attributes: &redef
Default: 30.0 mins
The amount of time to remember presumed non-successful logins to build a model of a password guesser.