Simple policy to detect FTP brute-forcers so that they can be blocked. [Note: this script is not yet cluster-aware.]

1) It enables logging of USER/PASS in FTP (password logging is disabled by default)
2) It keeps a count of attempted user+password combinations and blocks the source once that count crosses a threshold
bro-pkg refresh
bro-pkg install initconf/ftp-bruteforce
@load ftp-bruteforce
The heuristics are simple: check for
This should generate the following kinds of notices:

1) FTP::Bruteforcer
2) FTP::BruteforceSummary
1519050213.385221 CP5puj4I8PtEU4qzYg 54.204.121.138 49753 132.108.133.158 21 - - - tcp FTP::Bruteforcer FTP bruteforcer : 54.204.121.138, 4, pass: 1 - 54.204.121.138 132.108.133.158 21 - bro Notice::ACTION_DROP,Notice::ACTION_LOG 3600.000000 F - - - - -
1519334266.646234 - - - - - - - - - FTP::BruteforceSummary FTP bruteforcer : source: 54.204.121.138, Users tried: 12, number Password tried: 715 - 54.204.121.138 - - - bro Notice::ACTION_LOG 3600.000000 F -- - - -
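An added illustration of the policy described above, written as a Zeek script; it is not the initconf/ftp-bruteforce package's own code. It assumes the stock SumStats and Notice frameworks, Zeek 3+ event names (zeek_init rather than bro_init), and a threshold and window chosen here for illustration.

```zeek
# Added example, not the initconf/ftp-bruteforce package's code. Threshold and
# window values are assumed; event names follow Zeek 3+ (zeek_init, not bro_init).
@load base/frameworks/sumstats
@load base/frameworks/notice
@load base/protocols/ftp

module FTP;

export {
    redef enum Notice::Type += { Bruteforcer };
    const bruteforce_threshold: double = 20 &redef;  # distinct USER/PASS pairs
    const bruteforce_interval: interval = 15 mins &redef;  # per source, per window
}

# (1) Keep the cleartext password in ftp.log instead of "<hidden>".
redef FTP::default_capture_password = T;

event zeek_init()
    {
    local r = SumStats::Reducer($stream="ftp.login.attempt", $apply=set(SumStats::UNIQUE));
    SumStats::create([$name="ftp-bruteforce", $epoch=bruteforce_interval, $reducers=set(r),
        $threshold=bruteforce_threshold,
        $threshold_val(key: SumStats::Key, result: SumStats::Result) =
            { return result["ftp.login.attempt"]$unique + 0.0; },
        $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
            {
            NOTICE([$note=Bruteforcer,
                    $msg=fmt("FTP bruteforcer : %s, %d distinct user/pass combinations",
                             key$host, result["ftp.login.attempt"]$unique),
                    $src=key$host, $identifier=cat(key$host)]);
            }]);
    }

# (2) Observe each PASS paired with the USER that base/protocols/ftp already
# recorded on this connection, so uniqueness is over user+password combinations.
event ftp_request(c: connection, command: string, arg: string)
    {
    if ( command != "PASS" || ! c?$ftp )
        return;
    local user = c$ftp?$user ? c$ftp$user : "<unknown>";
    SumStats::observe("ftp.login.attempt", SumStats::Key($host=c$id$orig_h),
                      SumStats::Observation($str=fmt("%s:%s", user, arg)));
    }
# Block: add ACTION_DROP so the notice can drive NetControl/ACLD, as in the sample log.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Bruteforcer )
        add n$actions[Notice::ACTION_DROP];
    }
```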