ftp-bruteforce


A simple policy to detect FTP bruteforcers so that we can block them.

The script provides the following functionality:

1) It enables logging of USER/PASS in FTP (this logging is disabled by default)
2) It keeps a count of attempted user+password combinations and blocks the bruteforcer if the count crosses a threshold
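An added illustration of that counting heuristic in Python (not the package's Bro script): attempts are counted per source, a Bruteforcer-style notice is raised once when the count reaches a threshold, and a summary of distinct users and passwords tried is kept per source. The sample attempts, the threshold of 4 and the notice field names are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of USER/PASS attempts as (src_ip, user, password); real
# input would be the FTP log once USER/PASS logging is enabled.
SAMPLE_ATTEMPTS = [
    ("198.51.100.7", "admin", "admin"),
    ("198.51.100.7", "admin", "123456"),
    ("198.51.100.7", "root", "toor"),
    ("198.51.100.7", "ftp", "ftp"),       # 4th attempt: reaches the threshold
    ("198.51.100.7", "root", "123456"),   # password reused, but a new combination
    ("203.0.113.5", "alice", "s3cret"),   # one attempt, stays below threshold
]

@dataclass
class SourceState:
    attempts: int = 0                          # user+password combinations tried
    users: set = field(default_factory=set)
    passwords: set = field(default_factory=set)
    notified: bool = False                     # Bruteforcer notice already raised

class FtpBruteforceDetector:
    """Per-source counter; the threshold of 4 is an assumed value."""
    def __init__(self, threshold: int = 4):
        self.threshold = threshold
        self.state = defaultdict(SourceState)

    def attempt(self, src: str, user: str, password: str):
        """Record one attempt; notice string the first time the threshold is reached, else None."""
        s = self.state[src]
        s.attempts += 1
        s.users.add(user)
        s.passwords.add(password)
        if s.attempts >= self.threshold and not s.notified:
            s.notified = True   # raise once per source; a drop action would go here
            return f"FTP::Bruteforcer source={src} attempts={s.attempts} passwords={len(s.passwords)}"
        return None

    def summary(self, src: str):
        """BruteforceSummary-style totals: distinct users and passwords tried."""
        s = self.state[src]
        return {"source": src, "users_tried": len(s.users),
                "passwords_tried": len(s.passwords), "attempts": s.attempts}

def run(attempts=SAMPLE_ATTEMPTS, threshold: int = 4):
    """Feed attempts through the detector; return (notices, summaries)."""
    det = FtpBruteforceDetector(threshold)
    notices = [n for n in (det.attempt(*a) for a in attempts) if n]
    return notices, {src: det.summary(src) for src in det.state}
```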

Installation

bro-pkg install bro/initconf/ftp-bruteforce
or @load ftp-bruteforce/scripts

Detailed Notes:

Alerts and descriptions: the following alerts are generated by the script:

The heuristics are simple: check for

This should generate the following kinds of notices:

- FTP::Bruteforcer
- FTP::BruteforceSummary

Example notice:

1519050213.385221 CP5puj4I8PtEU4qzYg 54.204.121.138 49753 132.108.133.158 21 - - - tcp FTP::Bruteforcer FTP bruteforcer : 54.204.121.138, 4, pass: 1 - 54.204.121.138 132.108.133.158 21 - bro Notice::ACTION_DROP,Notice::ACTION_LOG 3600.000000 F - - - - -

Example Summary Notice:

1519334266.646234 - - - - - - - - - FTP::BruteforceSummary FTP bruteforcer : source: 54.204.121.138, Users tried: 12, number Password tried: 715 - 54.204.121.138 - - - bro Notice::ACTION_LOG 3600.000000 F -- - - -

Package Version :