Following my last post “Part 1 : SSH activities forensics“, I continue to analyse the SSH activities.
Emerging Threats is defining a default “SSH Brute Force” rule, “2001219“, with these triggers :
- The source IP should be the same
- The destination port should be 22/tcp
- The sensor target should be unique (not the ssh server)
- The thresholds are 5 matching conditions within 2 minutes
Emerging Threats rule don’t care about :
- If multiples SSH server are in the same $HOME_NET
- If the targeted user name is unique or not
ArcSight is defining a default “Brute Force Logins”, with these triggers :
- The source IP should be the same
- The target IP should be the same
- The target port should be the same
- The target username should be the same
- The thresholds are 5 matching conditions within 2 minutes
We will then consider that 5 matching conditions within 2 minutes by the same source IP as our trigger to detect a SSH brute force attack.
First, we will check the stats for each source IPs how have fail to access the box and never succeeded (third Google gadget).
All the failed SSH connexions uper or equal to 5 in a timeframe of 120 seconds will be considered as this kind of attack.
The detailed stats are avaible in this Google Document under the “SSH – 5” worksheet.
On 25 source IPs, how have fail to access the box and never succeeded, 19 would be detected by ET 2001219 rule.
4 of the 6 source IPs, non detected as a brute force attack, with a number of connexion uper than 20 are interesting, it is a real non detected brute force attack.
On ArcSight, with the default “Brute Force Logins” correlation rule, only 13 on 25 source IPs would be detected as a brute force attack.
Now we will do the same analysis for each source IPs how have fail to access the box and finaly succeeded (second Google gadget).
All the failed SSH connexions uper or equal to 5 in a timeframe of 120 seconds will be considered as this kind of attack.
The detailed stats are avaible in this Google Document under the “SSH – 6” worksheet.
On 7 source IPs, how have fail to access the box and never succeeded, 6 would be detected, by ET 2001219 rule.
On ArcSight, with the default “Brute Force Logins” correlation rule, only 4 on 7 source IPs would be detected as a brute force attack.
More the “Brute Force Attacks” attempts are distributed in time, more patient you are, more you switch between a few targeted user accounts, less you will be discovered. ArcSight and Emerging Threats default rules will detect nothing.