A simple Bro policy script that detects RDP bruteforcers so that they can be blocked.
The following functionality is provided by the script:
1) Keeps a count of attempted user+password combinations per source and blocks the source once the count crosses a threshold
Installation:
    bro-pkg install bro/initconf/rdp-bruteforce
or load the scripts directly:
    @load rdp-bruteforce/scripts
Detailed notes:
Alerts and descriptions: the following alerts are generated by the script.
Heuristics are simple: check for
This should generate the following kinds of notices:
- RDP::HotAccount
- RDP::BruteforceScan
- RDP::PasswordGuessing
- RDP::ScanSummary
Example notices:
1) 1534874707.394154 - - - - - - - - - RDP::HotAccount I: 11.199.212.183 bruteforced 142.202.142.235 on RDP (3389/tcp) using HotAccount: "a" - 11.199.212.183 - - - -Notice::ACTION_LOG,Notice::ACTION_DROP 3600.000000 - - - - - F
2) 1523947465.302691 - - - - - - - - - RDP::BruteforceScan 193.174.201.229 bruteforced 1 hosts using 3 account(s) - 193.174.201.229 - - - - Notice::ACTION_LOG,Notice::ACTION_DROP 3600.000000 - - - - - F
3) 1534930291.894509 - - - - - - - - - RDP::HotAccount I: 24.196.178.67 bruteforced 133.130.155.113 on RDP (3389/tcp) using HotAccount: "hello" - 24.196.178.67 - - --Notice::ACTION_LOG,Notice::ACTION_DROP 3600.000000 - - - - - F
4) 1534791131.913746 - - - - - - - - - RDP::BruteforceScan 51.235.163.75 bruteforced 3 hosts using 3 account(s) - 51.235.163.75 - - - - Notice::ACTION_LOG,Notice::ACTION_DROP 3600.000000 - - - - - F
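As an added example (not the package's own Bro code), the following Python models the per-source counting behind the HotAccount and BruteforceScan notices above, run offline over constructed rdp.log-style records (orig_h, resp_h, cookie). The threshold of three distinct accounts and the set of hot account names are assumptions taken from the example notices, not values read from the script.

```python
"""Offline model of the rdp-bruteforce heuristics over rdp.log-style records."""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed: distinct account names a source may try before BruteforceScan fires.
THRESHOLD = 3
# Assumed: "hot" account names; "a" and "hello" appear in the example notices above.
HOT_ACCOUNTS = frozenset({"a", "hello"})


@dataclass
class SourceState:
    accounts: set = field(default_factory=set)  # distinct RDP cookies (usernames) tried
    hosts: set = field(default_factory=set)     # distinct RDP servers targeted
    notified: bool = False                      # BruteforceScan already raised this epoch


def detect(records, threshold=THRESHOLD, hot_accounts=HOT_ACCOUNTS):
    """records: iterable of (orig_h, resp_h, cookie) tuples, as found in Zeek's rdp.log.

    Returns the notice messages in the order they would fire. A HotAccount notice
    fires on every attempt against a hot account; BruteforceScan fires once per
    source when its distinct-account count reaches the threshold (later attempts
    from the same source are suppressed, mirroring Notice suppression)."""
    notices = []
    state = defaultdict(SourceState)
    for orig, resp, cookie in records:
        s = state[orig]
        s.accounts.add(cookie)
        s.hosts.add(resp)
        if cookie in hot_accounts:
            notices.append(f'RDP::HotAccount {orig} bruteforced {resp} on RDP (3389/tcp) '
                           f'using HotAccount: "{cookie}"')
        if not s.notified and len(s.accounts) >= threshold:
            s.notified = True
            notices.append(f"RDP::BruteforceScan {orig} bruteforced {len(s.hosts)} hosts "
                           f"using {len(s.accounts)} account(s)")
    return notices


# Constructed sample: one scanner rotating accounts across two servers, one benign login.
SAMPLE = [
    ("203.0.113.5", "192.0.2.10", "administrator"),
    ("203.0.113.5", "192.0.2.10", "admin"),
    ("203.0.113.5", "192.0.2.11", "a"),
    ("203.0.113.5", "192.0.2.11", "test"),
    ("198.51.100.7", "192.0.2.10", "jsmith"),
]

if __name__ == "__main__":
    for line in detect(SAMPLE):
        print(line)
```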