mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
Improvements to metrics. SSH bruteforcing detection now done with metrics framework.
This commit is contained in:
Seth Hall
parent
8286fdeea1
commit
82f94881c0
4 changed files with 85 additions and 58 deletions
|
|
@ -11,6 +11,12 @@ export {
|
|||
## has now had a heuristically successful login attempt.
|
||||
Login_By_Password_Guesser,
|
||||
};
|
||||
|
||||
redef enum Metrics::ID += {
|
||||
## This metric is to measure failed logins with the hope of detecting
|
||||
## bruteforcing hosts.
|
||||
FAILED_LOGIN,
|
||||
};
|
||||
|
||||
## The number of failed SSH connections before a host is designated as
|
||||
## guessing passwords.
|
||||
|
|
@ -35,45 +41,47 @@ export {
|
|||
global password_guessers: set[addr] &read_expire=guessing_timeout+1hr &synchronized;
|
||||
}
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
Metrics::add_filter(FAILED_LOGIN, [$name="detect-bruteforcing", $log=F,
|
||||
$note=Password_Guessing,
|
||||
$notice_threshold=password_guesses_limit,
|
||||
$break_interval=guessing_timeout]);
|
||||
}
|
||||
|
||||
event SSH::heuristic_successful_login(c: connection)
|
||||
{
|
||||
local id = c$id;
|
||||
|
||||
# TODO: this should be migrated to the metrics framework.
|
||||
if ( id$orig_h in password_rejections &&
|
||||
password_rejections[id$orig_h]$n > password_guesses_limit &&
|
||||
id$orig_h !in password_guessers )
|
||||
{
|
||||
add password_guessers[id$orig_h];
|
||||
NOTICE([$note=Login_By_Password_Guesser,
|
||||
$conn=c,
|
||||
$n=password_rejections[id$orig_h]$n,
|
||||
$msg=fmt("Successful SSH login by password guesser %s", id$orig_h),
|
||||
$sub=fmt("%d failed logins", password_rejections[id$orig_h]$n)]);
|
||||
}
|
||||
# TODO: This is out for the moment pending some more additions to the
|
||||
# metrics framework.
|
||||
#if ( id$orig_h in password_guessers )
|
||||
# {
|
||||
# NOTICE([$note=Login_By_Password_Guesser,
|
||||
# $conn=c,
|
||||
# $n=password_rejections[id$orig_h]$n,
|
||||
# $msg=fmt("Successful SSH login by password guesser %s", id$orig_h),
|
||||
# $sub=fmt("%d failed logins", password_rejections[id$orig_h]$n)]);
|
||||
# }
|
||||
}
|
||||
|
||||
event SSH::heuristic_failed_login(c: connection)
|
||||
{
|
||||
local id = c$id;
|
||||
|
||||
# presumed failure
|
||||
if ( id$orig_h !in password_rejections )
|
||||
password_rejections[id$orig_h] = new_track_count();
|
||||
|
||||
# Track the number of rejections
|
||||
# TODO: this should be migrated to the metrics framework.
|
||||
# Add data to the FAILED_LOGIN metric unless this connection should
|
||||
# be ignored.
|
||||
if ( ! (id$orig_h in ignore_guessers &&
|
||||
id$resp_h in ignore_guessers[id$orig_h]) )
|
||||
++password_rejections[id$orig_h]$n;
|
||||
Metrics::add_data(FAILED_LOGIN, [$host=id$orig_h], 1);
|
||||
|
||||
if ( default_check_threshold(password_rejections[id$orig_h]) )
|
||||
{
|
||||
add password_guessers[id$orig_h];
|
||||
NOTICE([$note=Password_Guessing,
|
||||
$conn=c,
|
||||
$msg=fmt("SSH password guessing by %s", id$orig_h),
|
||||
$sub=fmt("%d apparently failed logins", password_rejections[id$orig_h]$n),
|
||||
$n=password_rejections[id$orig_h]$n]);
|
||||
}
|
||||
#if ( default_check_threshold(password_rejections[id$orig_h]) )
|
||||
# {
|
||||
# add password_guessers[id$orig_h];
|
||||
# NOTICE([$note=Password_Guessing,
|
||||
# $conn=c,
|
||||
# $msg=fmt("SSH password guessing by %s", id$orig_h),
|
||||
# $sub=fmt("%d apparently failed logins", password_rejections[id$orig_h]$n),
|
||||
# $n=password_rejections[id$orig_h]$n]);
|
||||
# }
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue