Detecting SSH bruteforce attacks using triggers in QoE

Triggers are used to search for data in the QoE Stor by specified parameters. After the trigger action one of the following steps is possible:

  • notification in GUI
  • HTTP action
  • sending an email


The required options of the Stingray Service Gateway:

Required additional modules:

System trigger to detect SSH bruteforce attacks

Trigger to detect SSH bruteforce attacks (Name - "ssh bruteforce") is a system trigger and is available in the subsection "QoE Analytics" - "Triggers and Notifications" (disabled by default).

General trigger information

  • The name of the trigger "ssh bruteforce";
  • Days of the week - all;
  • Checking frequency - every 10 minutes;
  • Trigger frequency - 0;
  • Start/end dates and times are customizable if needed.
Every day at intervals of 10 minutes the data will be checked under the conditions described below.

Queries

For this trigger, an uneditable query with the following parameters is set:

  • Table to scan: Raw full netflow → Tables → Attacks detection → SSH bruteforce;
  • Period from: now - 30 minutes
  • Period from: now - 20 minutes

Conditions

  • Add "+" 2 fields
  • Bind - AND
  • Function - avg
  • Series in field 1 - session lifetime to subscriber ⇐ 20(ms)
  • Series in field 2 - number of sessions per subscriber >= 1500
We set the conditions for the trigger action: The average duration of an SSH-session to a subscriber is less than 20ms and the number of SSH-sessions for the subscriber is more than 1500 in the processed time period.

Errors processing

  • In the "If no error" field - no data
  • In the "If execution error or timeout" field - save the last state
In this configuration, if there are no errors, the data will not be saved, if there are errors - the information about the suspicious activity will be saved.

Actions

E-mail

  • For automatic filling of the form - click on the "</>" icon
  • In the "Send to" field - specify an email address
  • With this setting, when triggered, a notification will be sent to the specified email address: ID, trigger name, status, link to the report (saved state).
Notification

  • For automatic filling of the form - click on the "</>" icon
  • Select the type of notification - "Warning"
  • This setting will create a notification in the Stingray Service Gateway

You can get a link to the report in the notification menu

Choose the notification Click "Details"

Click on the link to the report - the report will open in a new browser tab.

HTTP action

  • For automatic filling of the form - click on the "</>" icon
  • Choose the most suitable method for your ticket system and enter the URL.