[Bro] SSH login brute force
Seth Hall
hall.692 at osu.edu
Thu Jun 11 10:44:01 PDT 2009
It heuristically makes a guess about a successful login based on the
amount of data returned from the server (the default is 5k). It's far
from 100% accurate, but in my environment has been extremely useful.
Recently, I've been looking through some SSH traces trying to find a
more refined heuristic because if someone logs in and then logs out
again right away, it's likely the server will cross the byte count
threshold and a successful connection will be marked as unsuccessful.
If you have any ideas for how to make that happen, I'd be glad to hear.
.Seth
On Jun 11, 2009, at 11:48 AM, Adayadil Thomas wrote:
> Thanks for the info, Seth
>
> Can you point me to any info/document/link that you may have used for
> your approach.
> for e.g. about how you set
> authentication_data_size = 5500
>
> I am trying to understand how a brute force attempt can be
> distinguished from a normal
> client server communication since both are encrypted?
>
>
>
>
>
>
> On Thu, Jun 11, 2009 at 11:29 AM, Seth Hall <hall.692 at osu.edu> wrote:
>>
>> On Jun 11, 2009, at 10:38 AM, Adayadil Thomas wrote:
>>
>>> Does bro detect SSH brute force login attempts?
>>
>> My ssh-ext.bro script at the following link does, but it could
>> certainly be improved.
>>
>> http://github.com/sethhall/bro_scripts/tree/master
>>
>> .Seth
>>
>> ---
>> Seth Hall
>> Network Security - Office of the CIO
>> The Ohio State University
>> Phone: 614-292-9721
>>
---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
More information about the Bro
mailing list