policy/protocols/ssh/interesting-hostnames.bro

SSH

This script will generate a notice if an apparent SSH login originates or heads to a host with a reverse hostname that looks suspicious. By default, the regular expression to match “interesting” hostnames includes names that are typically used for infrastructure hosts like nameservers, mail servers, web servers and ftp servers.

Namespace: SSH
Imports: base/frameworks/notice
Source File: /scripts/policy/protocols/ssh/interesting-hostnames.bro

Summary

Options

SSH::interesting_hostnames: pattern &redef
    Strange/bad host names to see successful SSH logins from or to.

Redefinitions

Notice::Type: enum

Detailed Interface

Options

SSH::interesting_hostnames
Type: pattern
Attributes: &redef
Default:
/((((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?))|(^?(^ftp[0-9]*\.)$?)/

Strange/bad host names to see successful SSH logins from or to.
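The following is an added Python example, not code from the Bro project or from this script, showing the detection logic the page describes: for each successful SSH login, look up the reverse hostname of both endpoints and raise a notice when it matches the interesting-hostnames pattern. The regular expression is a hand-written Python re-expression of the default pattern shown above (an assumption; the Bro pattern is the authoritative form), the reverse-DNS table stands in for a live PTR lookup, and the SshLogin record shape and the notice dictionaries are constructed for the example.

```python
import re
from dataclasses import dataclass

# Python re-expression of the script's default SSH::interesting_hostnames
# pattern (assumption: the Bro pattern above is the authoritative form).
# It is anchored at the start of the name, so "ns1.example.com" matches
# but "webmail.example.com" does not.
INTERESTING_HOSTNAMES = re.compile(r"^(d?ns|smtp|mail|pop|imap|www|ftp)[0-9]*\.")

# Constructed reverse-DNS table standing in for a real PTR lookup.
REVERSE_DNS = {
    "10.0.0.5": "ns1.example.com",
    "10.0.0.9": "mail.example.com",
    "10.0.1.7": "desk-42.example.com",
    "192.0.2.10": "webmail.example.com",
    "192.0.2.11": "ftp.example.com",
    "192.0.2.12": None,  # host with no PTR record
}


@dataclass
class SshLogin:
    """Minimal stand-in for the fields of an SSH log record we need."""
    orig_h: str        # client address
    resp_h: str        # server address
    auth_success: bool # only successful logins are examined


def is_interesting(hostname: str) -> bool:
    """True if the reverse hostname looks like an infrastructure host."""
    return INTERESTING_HOSTNAMES.search(hostname) is not None


def interesting_hostname_logins(records, reverse_dns=REVERSE_DNS):
    """Return one notice per (login, endpoint) whose reverse name matches.

    Failed logins are skipped, as are endpoints without a reverse name.
    Both sides of the connection are checked, so one login can yield two
    notices when client and server both resolve to interesting names.
    """
    notices = []
    for rec in records:
        if not rec.auth_success:
            continue
        for host in (rec.orig_h, rec.resp_h):
            name = reverse_dns.get(host)
            if name and is_interesting(name):
                notices.append({
                    "note": "SSH::Interesting_Hostname_Login",
                    "host": host,
                    "hostname": name,
                    "orig_h": rec.orig_h,
                    "resp_h": rec.resp_h,
                })
    return notices


# Constructed sample logins: one to a nameserver, one failed attempt,
# one between a mail host and an ftp host, one with no matching names.
SAMPLE_LOGINS = [
    SshLogin("10.0.1.7", "10.0.0.5", True),
    SshLogin("192.0.2.10", "10.0.0.9", False),
    SshLogin("10.0.0.9", "192.0.2.11", True),
    SshLogin("192.0.2.12", "10.0.1.7", True),
]

if __name__ == "__main__":
    for n in interesting_hostname_logins(SAMPLE_LOGINS):
        print(f"{n['note']}: {n['host']} ({n['hostname']}) "
              f"in login {n['orig_h']} -> {n['resp_h']}")
```

Note that because the pattern is anchored at the start of the reverse name, a name such as webmail.example.com is not flagged even though it contains "mail"; if a deployment wants broader coverage, the Bro option is `&redef` and can be widened locally.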

Copyright 2016, The Bro Project. Last updated on December 12, 2017. Created using Sphinx 1.5.2.