{{indexmenu_n>4}}
====== Detecting SSH bruteforce attacks using triggers in QoE ======

[[dpi:qoe_analytics:qoe_gui:offline_analytics:triggers_and_notifications|Triggers]] are used to search data in QoE Stor by specified parameters. When a trigger fires, one of the following actions can occur:
  * notification in GUI
  * HTTP action
  * email delivery
\\
Required SSG DPI options:
  * [[dpi:dpi_options:opt_statistics]]
  * [[dpi:dpi_options:opt_notify]]
Required additional modules:
  * [[dpi:dpi_components:dpiui|]]
  * [[dpi:qoe_analytics:implementation_administration|]]

===== System trigger for detecting SSH bruteforce attacks =====

The trigger for detecting SSH bruteforce attacks (name — "ssh bruteforce") is a system trigger and is available in "QoE analytics" → "Triggers and notifications" (disabled by default).

{{ :dpi:qoe:use_cases:dpiui2_triggers_bruteforce.png?nolink&600 |}}

=== General trigger information ===

{{ :dpi:qoe:use_cases:dpiui2_triggers_bruteforce_common.png?nolink&600 |}}

  * Trigger name: "ssh bruteforce";
  * Days of week — all;
  * Check frequency — 10 minutes;
  * Trigger activation frequency — 0;
  * Start/end dates and times can be set if needed.

<note>Every day, a check will be performed every 10 minutes according to the conditions described below.</note>

=== Queries ===

{{ :dpi:qoe:use_cases:dpiui2_triggers_bruteforce_queries.png?nolink&600 |}}

For this trigger a non-editable query is preset with the following parameters:

  * Table to scan: Raw full netflow → Tables → Attacks detection → Ssh bruteforce;
  * Period from: now - 30 minutes
  * Period to: now - 20 minutes


=== Conditions ===

{{ :dpi:qoe:use_cases:dpiui2_triggers_bruteforce_conditions.png?600 |}}

  * Add two "+" fields
  * Link – AND
  * Function – avg
  * Series in field 1 – session lifetime to subscriber <= 20 (ms)
  * Series in field 2 – number of sessions per subscriber >= 1500


<note>We set the trigger conditions: average duration of SSH sessions to a subscriber is less than 20 ms and the number of SSH sessions for the subscriber is greater than 1500 for the analyzed period.</note>

=== Error handling ===

{{ :dpi:qoe:use_cases:ddos_error.png?nolink&600 |}}

  * In "If no errors" — no data
  * In "If error or timeout" — save last state

<note>With this configuration, if there are no errors, no data is saved; if errors occur, information about suspicious activity is saved.</note>

=== Actions ===
== E-mail action ==

{{ :dpi:qoe:use_cases:ddos_email.png?nolink&600 |}}

  * Click the "</>" icon to auto-fill the form
  * In the "To" field — specify the email address
  * With this setup, when the trigger fires an email with the notification details (ID, trigger name, status, link to the report — saved state) will be sent to the specified address


== Notification ==
{{ :dpi:qoe:use_cases:ddos_notification.png?nolink&600 |}}

  * Click "</>" to auto-fill the form
  * Select notification type — "Warning"
  * This will create a notification in the SSG system

{{ :dpi:qoe:use_cases:dpiui2_triggers_bruteforce_alerting.png?nolink&600 |}}

You can get a link to the report via the notifications menu

{{ :dpi:qoe:use_cases:dpiui2_triggers_bruteforce_notofication.png?nolink&400 |}}

Select the notification
Choose — "Details"

{{ :dpi:qoe:use_cases:dpiui2_triggers_bruteforce_notofication_details.png?nolink&400 |}}

Follow the report link — the report will open in a new browser window.

== HTTP action ==

{{ :dpi:qoe:use_cases:ddos_http.png?nolink&600 |}}

Click "</>" to auto-fill the form.
Choose the method most suitable for your ticket system and enter the URL.

<note important>Keep in mind — the numeric thresholds for sessions, incoming packets, etc., are given as averaged examples. Fine-tune thresholds based on your network specifics.</note>