A simple policy to detect FTP brute-forcers so that they can be blocked.
The script provides the following functionality:
1) It enables logging of USER/PASS commands in FTP (this logging is currently disabled by default)
2) It keeps a count of the user+password combinations attempted by a source and blocks that source once the count crosses a threshold
Installation
bro-pkg install bro/initconf/ftp-bruteforce
or @load ftp-bruteforce/scripts
Detailed Notes:
Alerts and descriptions: the following alerts are generated by the script:
The heuristics are simple: check for
This should generate the following kinds of notices:
- FTP::Bruteforcer
- FTP::BruteforceSummary
Example notice:
1519050213.385221 CP5puj4I8PtEU4qzYg 54.204.121.138 49753 132.108.133.158 21 - - - tcp FTP::Bruteforcer FTP bruteforcer : 54.204.121.138, 4, pass: 1 - 54.204.121.138 132.108.133.158 21 - bro Notice::ACTION_DROP,Notice::ACTION_LOG 3600.000000 F - - - - -
Example Summary Notice:
1519334266.646234 - - - - - - - - - FTP::BruteforceSummary FTP bruteforcer : source: 54.204.121.138, Users tried: 12, number Password tried: 715 - 54.204.121.138 - - - bro Notice::ACTION_LOG 3600.000000 F -- - - -
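The heuristic and the FTP::Bruteforcer notice described above, as an added illustrative sketch in Bro script (this is not the package's own code): it enables USER/PASS logging, tracks distinct user+password pairs per source, raises the notice once a threshold is crossed, and attaches ACTION_DROP as in the example notice. The threshold, the expiry window, and pairing each PASS with the last USER on the same connection are assumptions made for the example.

```zeek
# Added example sketch, not the package's script; threshold, window and the
# per-connection USER/PASS pairing are assumptions for illustration.
@load base/frameworks/notice
@load base/protocols/ftp
# Log USER/PASS commands, which base FTP logging leaves out by default.
redef FTP::logged_commands += { "USER", "PASS" };

module FTP;

export {
    redef enum Notice::Type += { Bruteforcer };
    ## Distinct user+password pairs a source may try before a notice fires.
    const bruteforce_threshold = 20 &redef;
    ## Forget a source's attempts after this much inactivity.
    const bruteforce_window = 1hr &redef;
}

# Last USER seen on each connection, so the following PASS can be paired with it.
global pending_user: table[string] of string &write_expire=5min;
# Distinct "user<TAB>password" pairs tried per source address.
global attempts: table[addr] of set[string] &write_expire=bruteforce_window;

event ftp_request(c: connection, command: string, arg: string)
    {
    local src = c$id$orig_h;
    if ( command == "USER" )
        {
        pending_user[c$uid] = arg;
        return;
        }
    if ( command != "PASS" || c$uid !in pending_user )
        return;
    if ( src !in attempts )
        {
        local fresh: set[string] = set();
        attempts[src] = fresh;
        }
    add attempts[src][fmt("%s\t%s", pending_user[c$uid], arg)];
    if ( |attempts[src]| >= bruteforce_threshold )
        NOTICE([$note=Bruteforcer,
                $msg=fmt("FTP bruteforcer : %s, %d pairs tried", src, |attempts[src]|),
                $conn=c,
                $identifier=cat(src),   # one notice per source per suppress window
                $suppress_for=1hr]);
    }

# Block as well as log, matching the ACTION_DROP in the example notice above.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == FTP::Bruteforcer )
        add n$actions[Notice::ACTION_DROP];
    }
```

ACTION_DROP only results in a block when a drop backend (for example NetControl) is configured; without one the notice is still logged.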