:tocdepth: 3

policy/protocols/ssh/detect-bruteforcing.bro
============================================
.. bro:namespace:: SSH

Detect hosts which are doing password guessing attacks and/or password
bruteforcing over SSH.

:Namespace: SSH
:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/frameworks/sumstats </scripts/base/frameworks/sumstats/index>`, :doc:`base/protocols/ssh </scripts/base/protocols/ssh/index>`
:Source File: :download:`/scripts/policy/protocols/ssh/detect-bruteforcing.bro`

Summary
~~~~~~~
Options
#######
============================================================================ =====================================================================
:bro:id:`SSH::guessing_timeout`: :bro:type:`interval` :bro:attr:`&redef`     The amount of time to remember presumed non-successful logins to
                                                                             build a model of a password guesser.
:bro:id:`SSH::ignore_guessers`: :bro:type:`table` :bro:attr:`&redef`         This value can be used to exclude hosts or entire networks from being
                                                                             tracked as potential "guessers".
:bro:id:`SSH::password_guesses_limit`: :bro:type:`double` :bro:attr:`&redef` The number of failed SSH connections before a host is designated as
                                                                             guessing passwords.
============================================================================ =====================================================================

Redefinitions
#############
========================================== =
:bro:type:`Intel::Where`: :bro:type:`enum` 
:bro:type:`Notice::Type`: :bro:type:`enum` 
========================================== =


Detailed Interface
~~~~~~~~~~~~~~~~~~
Options
#######
.. bro:id:: SSH::guessing_timeout

   :Type: :bro:type:`interval`
   :Attributes: :bro:attr:`&redef`
   :Default: ``30.0 mins``

   The amount of time to remember presumed non-successful logins to
   build a model of a password guesser.

.. bro:id:: SSH::ignore_guessers

   :Type: :bro:type:`table` [:bro:type:`subnet`] of :bro:type:`subnet`
   :Attributes: :bro:attr:`&redef`
   :Default: ``{}``

   This value can be used to exclude hosts or entire networks from being
   tracked as potential "guessers".  There are cases where the success
   heuristic fails and this acts as the whitelist.  The index represents
   client subnets and the yield value represents server subnets.

.. bro:id:: SSH::password_guesses_limit

   :Type: :bro:type:`double`
   :Attributes: :bro:attr:`&redef`
   :Default: ``30.0``

   The number of failed SSH connections before a host is designated as
   guessing passwords.


