@load global-ext
@load ssh-ext
@load subnet-helper
@load ipblocker
@load notice
# State and tunables for the libssh/dropbear scanner detector handled in the
# ssh_ext event below.
module SSH;
export {
# Per-source-address record of what that source has attacked. It is filled by
# add_attack() (from subnet-helper), which also returns the subnet count used
# for the threshold check. Entries expire 30 minutes after creation, which
# bounds the memory a scanner can consume, and the table is shared across
# cluster nodes via &synchronized.
global ssh_attacked: table[addr] of addr_set &create_expire=30mins &synchronized;# NOTE: &default isn't working here; the intended default was: &default=function(a:addr):addr_set { print a;return set();};
# Sources already reported as scanners. A source is only noticed when absent
# from this set, and entries expire 10 minutes after creation, so a persistent
# scanner is re-reported at most roughly every 10 minutes rather than once
# per connection.
global libssh_scanners: set[addr] &create_expire=10mins &synchronized;
# Number of subnets a single source must have reached before it is flagged;
# redef-able so sites can tune sensitivity against false positives.
const subnet_threshold = 3 &redef;
redef enum Notice += {
# Raised when a non-local source using a scanner client exceeds subnet_threshold.
SSH_Libssh_Scanner,
};
# Client version strings treated as scanner tooling; matched as a pattern
# against si$client in the event handler. Extend via redef for other clients.
const scanner_clients =
/libssh/
| /dropbear/ &redef;
}
# Route SSH_Libssh_Scanner notices to the ipblocker action (loaded above), so
# a detection results in an automatic block of the offending source. Because
# this is automated response, a false positive blocks an address; only the
# is_local_addr() guard in the handler exempts local sources from this.
redef notice_action_filters += {
[SSH_Libssh_Scanner] = notice_exec_ipblocker,
};
# Scanner detection on each completed SSH session reported by ssh-ext.
# Runs at low priority so other ssh_ext handlers see the session first.
# id: connection 4-tuple; si: session details (client string, status).
# Only failed sessions from non-local sources using a scanner client count.
event ssh_ext(id: conn_id, si: ssh_ext_session_info) &priority=-10
	{
	# Local sources are never flagged (and so never reach the ipblocker action).
	if ( is_local_addr(id$orig_h) )
		return;
	# Client version string must match one of the scanner patterns.
	if ( scanner_clients !in si$client )
		return;
	# Successful logins are not counted as scanning.
	if ( si$status == "success" )
		return;

	# Record the attack and get how many subnets this source has reached.
	local attacked_subnets = add_attack(ssh_attacked, id$orig_h, id$resp_h);
	# Diagnostic output to stdout for every qualifying connection (noisy).
	print fmt("%s scanned %d subnets", id$orig_h, attacked_subnets);

	# Below threshold, or already reported within the libssh_scanners expiry.
	if ( attacked_subnets < subnet_threshold )
		return;
	if ( id$orig_h in libssh_scanners )
		return;

	# Mark as reported first so repeated connections do not re-raise the notice.
	add libssh_scanners[id$orig_h];
	NOTICE([$note=SSH_Libssh_Scanner,
	        $id=id,
	        $msg=fmt("SSH libssh scanning. %s scanned %d subnets", id$orig_h, attacked_subnets),
	        $sub="ssh-ext",
	        $n=attacked_subnets]);
	}