ftp-bruteforce

FTP Bruteforce Detection

A simple policy script that detects FTP bruteforcers so that they can be blocked.
[ Note: this script is not clusterized yet ]

The script provides the following functionality:

1) It enables logging of USER/PASS in FTP (this logging is disabled by default)
2) It keeps a count of attempted user+password combinations per source and blocks the source if the count crosses a threshold

Bro Package Manager

bro-pkg refresh 
bro-pkg install initconf/ftp-bruteforce

Installation

@load ftp-bruteforce

Detailed alerts and descriptions: the script generates the following alerts:

Heuristics are simple: check for

This should generate the following kinds of notices:

1) FTP::Bruteforcer 
2) FTP::BruteforceSummary 

Example notices:

1519050213.385221 CP5puj4I8PtEU4qzYg 54.204.121.138 49753 132.108.133.158 21 - - - tcp FTP::Bruteforcer FTP bruteforcer : 54.204.121.138, 4, pass: 1 - 54.204.121.138 132.108.133.158 21 - bro Notice::ACTION_DROP,Notice::ACTION_LOG 3600.000000 F - - - - -

Example Summary Notice:

1519334266.646234 - - - - - - - - - FTP::BruteforceSummary FTP bruteforcer : source: 54.204.121.138, Users tried: 12, number Password tried: 715 - 54.204.121.138 - - - bro Notice::ACTION_LOG 3600.000000 F -- - - -
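The counting heuristic behind the two notice kinds above, modelled in Python over a constructed USER/PASS command stream (an added illustration, not the package's own Bro script). The threshold value, the idle timeout and the notice field names are assumptions chosen for the example; the README does not state the package's defaults. Per source it tracks distinct user names, distinct passwords and distinct user+password combinations, raises a Bruteforcer notice once when the combination count crosses the threshold, and emits a BruteforceSummary when a flagged source goes idle, mirroring what an expiring table with an expire function does in Bro.

```python
"""Toy model of the ftp-bruteforce heuristic: count distinct user+password
combinations per source and raise a notice once a threshold is crossed.
Added illustration; not the package's own Bro/Zeek code."""

from collections import defaultdict
from dataclasses import dataclass, field

THRESHOLD = 5          # assumed value; the package's own default is not given in the README
IDLE_TIMEOUT = 3600.0  # seconds of silence after which a flagged source is summarised (assumed)


@dataclass
class SourceState:
    """Per-source tracking record, the equivalent of one table entry in the Bro script."""
    users: set = field(default_factory=set)
    passwords: set = field(default_factory=set)
    combos: set = field(default_factory=set)   # distinct (user, password) pairs
    last_seen: float = 0.0
    pending_user: str = ""                     # last USER seen, paired with the next PASS
    notified: bool = False                     # Bruteforcer notice already raised


def _bruteforcer_notice(src, st):
    return {"note": "FTP::Bruteforcer", "src": src,
            "msg": f"FTP bruteforcer : {src}, users: {len(st.users)}, pass: {len(st.passwords)}"}


def _summary_notice(src, st):
    return {"note": "FTP::BruteforceSummary", "src": src,
            "users_tried": len(st.users), "passwords_tried": len(st.passwords),
            "attempts": len(st.combos),
            "msg": (f"FTP bruteforcer : source: {src}, Users tried: {len(st.users)}, "
                    f"number Password tried: {len(st.passwords)}")}


def _flush(src, st, notices):
    """Emit a summary for a source being forgotten, but only if it was flagged."""
    if st.notified:
        notices.append(_summary_notice(src, st))


def detect(records, threshold=THRESHOLD, idle_timeout=IDLE_TIMEOUT):
    """records: time-ordered iterable of (ts, src, command, arg) tuples.
    Returns the list of notices in the order they would be raised."""
    state = defaultdict(SourceState)
    notices = []
    for ts, src, command, arg in records:
        # Expire idle sources first, as the table's expire function would.
        for idle in [s for s, st in state.items() if ts - st.last_seen > idle_timeout]:
            _flush(idle, state.pop(idle), notices)
        st = state[src]
        st.last_seen = ts
        if command == "USER":
            st.pending_user = arg
            st.users.add(arg)
        elif command == "PASS":
            if not st.pending_user:
                continue   # PASS without a preceding USER: nothing to count
            st.passwords.add(arg)
            st.combos.add((st.pending_user, arg))
            if not st.notified and len(st.combos) >= threshold:
                st.notified = True
                notices.append(_bruteforcer_notice(src, st))
    # End of input: flush whatever is still being tracked.
    for src, st in state.items():
        _flush(src, st, notices)
    return notices


def _attempts(src, t0, pairs):
    """Build an alternating USER/PASS stream, one pair per login attempt (constructed data)."""
    out = []
    for i, (user, password) in enumerate(pairs):
        out.append((t0 + 0.2 * i, src, "USER", user))
        out.append((t0 + 0.2 * i + 0.1, src, "PASS", password))
    return out


# Constructed sample traffic: one legitimate login, one source cycling through
# guesses, and a later unrelated client that arrives after the guesser went idle.
SAMPLE_RECORDS = sorted(
    _attempts("198.51.100.2", 1000.0, [("alice", "correct-horse")])
    + _attempts("203.0.113.7", 1001.0, [("admin", "admin"), ("admin", "123456"),
                                        ("admin", "password"), ("ftp", "ftp"),
                                        ("ftp", "123456"), ("root", "toor")])
    + [(9000.0, "192.0.2.9", "USER", "bob")]
)

if __name__ == "__main__":
    for n in detect(SAMPLE_RECORDS):
        print(n["note"], n["msg"])
```

Run as a script it prints one Bruteforcer notice for 203.0.113.7 (raised on the fifth distinct combination) followed by its summary, which is emitted when the 192.0.2.9 record arrives more than an hour after the guesser's last command. Counting distinct combinations rather than raw PASS commands means a client that retries the same wrong password does not inflate the count.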

Package Version :