Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 15:48:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
zeek/scripts/policy/protocols/ftp/detect-bruteforcing.bro
Seth Hall 720089c03f Add a feature to better select the value threshold will apply to in the metrics framework. 
- The feature was primarily added to allow the value to be
   modified for cluster based intermediate threshold checks
   without requiring the user to write the metrics filter
   differently for cluster consideration.  It's also a nice
   way to calculate some related information to the metric
   without accidently applying thresholds to that value.

 - Fixed a few small bugs in ftp detect-bruteforcing script
   and adapted it to the new threshold value selection feature.
2013-01-05 22:37:19 -05:00

51 lines
No EOL
1.9 KiB
Text
Raw Blame History

@load base/protocols/ftp
@load base/frameworks/metrics
@load base/utils/time
module FTP;
export {
redef enum Notice::Type += {
## Indicates a host bruteforcing FTP logins by watching for too many
## rejected usernames or failed passwords.
Bruteforcing
};
## How many rejected usernames or passwords are required before being
## considered to be bruteforcing.
const bruteforce_threshold = 20 &redef;
## The time period in which the threshold needs to be crossed before
## being reset.
const bruteforce_measurement_interval = 15mins;
}
event bro_init()
{
Metrics::add_filter("ftp.failed_auth", [$every=bruteforce_measurement_interval,
$measure=set(Metrics::UNIQUE),
$threshold_val_func(val: Metrics::ResultVal) = { return val$num; },
$threshold=bruteforce_threshold,
$threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) =
{
local dur = duration_to_mins_secs(val$end-val$begin);
local message = fmt("%s had %d failed logins on %d FTP servers in %s", index$host, val$num, val$unique, dur);
NOTICE([$note=FTP::Bruteforcing,
$src=index$host,
$msg=message,
$identifier=cat(index$host)]);
}]);
}
event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
{
local cmd = c$ftp$cmdarg$cmd;
if ( cmd == "USER" || cmd == "PASS" )
{
if ( FTP::parse_ftp_reply_code(code)$x == 5 )
Metrics::add_data("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]);
}
}
Reference in a new issue View git blame Copy permalink