bro package for ftp bruteforce detection

FTP Bruteforce Detection

A simple policy script to detect FTP bruteforcers so that they can be blocked. [Note: this script is not clusterized yet.]

The script provides the following functionality:

1) It enables logging of USER/PASS commands in FTP (this logging is disabled by default)
2) It keeps a count of attempted user+password combinations per source and blocks the source once the count crosses a threshold

Bro Package Manager

    bro-pkg refresh
    bro-pkg install initconf/ftp-bruteforce

Installation

    @load ftp-bruteforce

Detailed alerts and descriptions. The following alerts are generated by the script:

Heuristics are simple: check for

This should generate the following kinds of notices:

1) FTP::Bruteforcer
2) FTP::BruteforceSummary

Example notices:

1519050213.385221 CP5puj4I8PtEU4qzYg 54.204.121.138 49753 132.108.133.158 21 - - - tcp FTP::Bruteforcer FTP bruteforcer : 54.204.121.138, 4, pass: 1 - 54.204.121.138 132.108.133.158 21 - bro Notice::ACTION_DROP,Notice::ACTION_LOG 3600.000000 F - - - - -

Example Summary Notice:

1519334266.646234 - - - - - - - - - FTP::BruteforceSummary FTP bruteforcer : source: 54.204.121.138, Users tried: 12, number Password tried: 715 - 54.204.121.138 - - - bro Notice::ACTION_LOG 3600.000000 F -- - - -
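The heuristic described above (count USER/PASS attempts per source, raise one Bruteforcer notice when the threshold is crossed, then a summary of users and passwords tried), replayed offline over constructed ftp.log-style records. This is an added Python example, not code from the package, which is itself a Bro/Zeek script; the threshold value, the record layout and the notice field order are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample records (not real traffic) in the shape of the fields a
# Zeek ftp.log carries once password capture is on: ts, id.orig_h, user, password.
SAMPLE_FTP_LOG = """\
1519050200.000 54.204.121.138 admin 123456
1519050201.000 54.204.121.138 admin password
1519050202.000 54.204.121.138 root toor
1519050203.000 54.204.121.138 root root
1519050204.000 54.204.121.138 ftp ftp
1519050205.000 10.0.0.5 alice s3cret
"""

# Hypothetical threshold; the package's actual value is not stated in the README.
THRESHOLD = 4

@dataclass
class SourceState:
    users: set = field(default_factory=set)  # distinct USER values seen
    attempts: int = 0                        # USER/PASS pairs seen
    alerted: bool = False                    # raise Bruteforcer once per source

def parse_ftp_log(text):
    """Yield (ts, orig_h, user, password) from whitespace-separated records."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            ts, orig_h, user, password = line.split()
            yield float(ts), orig_h, user, password

def detect(text, threshold=THRESHOLD):
    """Return notices as (note, src, users_tried, passwords_tried) tuples."""
    state = defaultdict(SourceState)
    notices = []
    for _ts, src, user, _password in parse_ftp_log(text):
        s = state[src]
        s.users.add(user)
        s.attempts += 1
        # Fire FTP::Bruteforcer once, at the attempt that crosses the threshold.
        if s.attempts >= threshold and not s.alerted:
            s.alerted = True
            notices.append(("FTP::Bruteforcer", src, len(s.users), s.attempts))
    # One FTP::BruteforceSummary per flagged source, carrying the final counts.
    for src, s in state.items():
        if s.alerted:
            notices.append(("FTP::BruteforceSummary", src, len(s.users), s.attempts))
    return notices
```

Replaying an exported ftp.log through `detect()` with different thresholds lets a defender tune the value before enabling the drop action on the notice.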
