Adding metrics framework intermediate updates.

- Since each host in a cluster has it's own view of the metrics the only time the manager would get a chance for a global view is the break_interval. This update improves that time. If a worker crosses 10% of the full threshold, it will send it's value to the manager which can then ask the rest of the cluster for a global view. The manager then adds all of the values for each workers metric indexes together and will do the notice if it crosses the threshold so that it isn't dependent on waiting for the break interval to hit. This functionality works completely independently of the break_interval too. Logging will happen as normal. - Small update for SSH bruteforcer detection to match additions in the metrics framework API. - The hope is that this update is mostly invisible from anyone's perspective. The only affect it should have on users is to better the detection of metric values crossing thresholds on cluster deployments.
2025-10-02 06:38:20 +00:00 · 2011-08-21 00:32:00 -04:00 · 2011-08-21 00:32:00 -04:00 · a7f6e4c582
commit a7f6e4c582
parent 82f94881c0
10 changed files with 303 additions and 111 deletions
--- a/scripts/policy/protocols/ssh/detect-bruteforcing.bro
+++ b/scripts/policy/protocols/ssh/detect-bruteforcing.bro
@ -32,11 +32,6 @@ export {
 	## client subnets and the yield value represents server subnets.
 	const ignore_guessers: table[subnet] of subnet &redef;

-	## Keeps count of how many rejections a host has had.
-	global password_rejections: table[addr] of TrackCount 
-		&write_expire=guessing_timeout
-		&synchronized;
-
 	## Keeps track of hosts identified as guessing passwords.
 	global password_guessers: set[addr] &read_expire=guessing_timeout+1hr &synchronized;
 }
@ -46,6 +41,7 @@ event bro_init()
 	Metrics::add_filter(FAILED_LOGIN, [$name="detect-bruteforcing", $log=F,
 	                                   $note=Password_Guessing,
 	                                   $notice_threshold=password_guesses_limit,
+	                                   $notice_freq=1hr,
 	                                   $break_interval=guessing_timeout]);
 	}

@ -59,9 +55,7 @@ event SSH::heuristic_successful_login(c: connection)
 	#	{
 	#	NOTICE([$note=Login_By_Password_Guesser,
 	#	        $conn=c,
-	#	        $n=password_rejections[id$orig_h]$n,
-	#	        $msg=fmt("Successful SSH login by password guesser %s", id$orig_h),
-	#	        $sub=fmt("%d failed logins", password_rejections[id$orig_h]$n)]);
+	#	        $msg=fmt("Successful SSH login by password guesser %s", id$orig_h)]);
 	#	}
 	}

@ -74,14 +68,4 @@ event SSH::heuristic_failed_login(c: connection)
 	if ( ! (id$orig_h in ignore_guessers &&
 	        id$resp_h in ignore_guessers[id$orig_h]) )
 		Metrics::add_data(FAILED_LOGIN, [$host=id$orig_h], 1);
-	
-	#if ( default_check_threshold(password_rejections[id$orig_h]) )
-	#	{
-	#	add password_guessers[id$orig_h];
-	#	NOTICE([$note=Password_Guessing,
-	#	        $conn=c,
-	#	        $msg=fmt("SSH password guessing by %s", id$orig_h),
-	#	        $sub=fmt("%d apparently failed logins", password_rejections[id$orig_h]$n),
-	#	        $n=password_rejections[id$orig_h]$n]);
-	#	}
 	}