Detecting SSH bruteforce attacks using triggers in QoE [VAS Experts Documentation]

Differences



en:dpi:qoe:use_cases:triggers_ssh_bruteforce:start [2023/08/30 08:53] – created elena.krasnobryzhen:dpi:qoe:use_cases:triggers_ssh_bruteforce:start [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1
Line 1: Line 1:
-====== Detecting SSH bruteforce attacks using triggers in QoE ====== 
-{{indexmenu_n>6}} 
  
-[[en:dpi:dpi_components:dpiui:user_guide:qoe_analytics:triggers_and_notifications:start|Triggers]] are used to search for data in the QoE Stor by specified parameters. After the trigger action one of the following steps is possible: 
-  * notification in GUI 
-  * HTTP action 
-  * sending an email 
-\\ 
-The required options of the Stingray Service Gateway: 
-  * [[en:dpi:dpi_options:opt_statistics:start|]] 
-  * [[en:dpi:dpi_options:opt_notify:start|]] 
-Required additional modules: 
-  * [[en:dpi:dpi_components:dpiui:start|]] 
-  * [[en:dpi:dpi_components:qoestor:start|]] 
- 
-===== System trigger to detect SSH bruteforce attacks ===== 
- 
-Trigger to detect SSH bruteforce attacks (Name - "ssh bruteforce") is a system trigger and is available in the subsection "QoE Analytics" - "Triggers and Notifications" (disabled by default). 
- 
-{{ dpi:qoe:use_cases:dpiui2_triggers_bruteforce.png?nolink&600 |}} 
- 
-=== General trigger information === 
- 
-{{ dpi:qoe:use_cases:dpiui2_triggers_bruteforce_common.png?nolink&600 |}} 
- 
-  * The name of the trigger "ssh bruteforce"; 
-  * Days of the week - all; 
-  * Checking frequency - every 10 minutes; 
-  * Trigger frequency - 0; 
-  * Start/end dates and times are customizable if needed. 
- 
-<note>Every day at intervals of 10 minutes the data will be checked under the conditions described below.</note> 
- 
-=== Queries === 
- 
-{{ dpi:qoe:use_cases:dpiui2_triggers_bruteforce_queries.png?nolink&600 |}} 
- 
-For this trigger, an uneditable query with the following parameters is set: 
- 
-  * Table to scan: Raw full netflow → Tables → Attacks detection → SSH bruteforce; 
-  * Period from: now - 30 minutes 
-  * Period from: now - 20 minutes 
- 
- 
-=== Conditions === 
- 
-{{ dpi:qoe:use_cases:dpiui2_triggers_bruteforce_conditions.png?600 |}} 
- 
-  * Add "+" 2 fields 
-  * Bind - AND 
-  * Function - avg 
-  * Series in field 1 - session lifetime to subscriber <= 20(ms) 
-  * Series in field 2 - number of sessions per subscriber >= 1500 
- 
-<note>We set the conditions for the trigger action: The average duration of an SSH-session to a subscriber is less than 20ms and the number of SSH-sessions for the subscriber is more than 1500 in the processed time period.</note> 
- 
-=== Errors processing === 
- 
-{{ dpi:qoe:use_cases:ddos_error.png?nolink&600 |}} 
- 
-  * In the "If no error" field - no data 
-  * In the "If execution error or timeout" field - save the last state 
- 
-<note>In this configuration, if there are no errors, the data will not be saved, if there are errors - the information about the suspicious activity will be saved.</note> 
- 
-=== Actions === 
-== E-mail == 
- 
-{{ dpi:qoe:use_cases:ddos_email.png?nolink&600 |}} 
- 
-  * For automatic filling of the form - click on the "</>" icon 
-  * In the "Send to" field - specify an email address 
-  * With this setting, when triggered, a notification will be sent to the specified email address: ID, trigger name, status, link to the report (saved state). 
- 
- 
-== Notification == 
-{{ dpi:qoe:use_cases:ddos_notification.png?nolink&600 |}} 
- 
-  * For automatic filling of the form - click on the "</>" icon 
-  * Select the type of notification - "Warning" 
-  * This setting will create a notification in the Stingray Service Gateway 
- 
-{{ dpi:qoe:use_cases:dpiui2_triggers_bruteforce_alerting.png?nolink&600 |}} 
- 
-You can get a link to the report in the notification menu 
- 
-{{ dpi:qoe:use_cases:dpiui2_triggers_bruteforce_notofication.png?nolink&400 |}} 
- 
-Choose the notification 
-Click "Details" 
- 
-{{ dpi:qoe:use_cases:dpiui2_triggers_bruteforce_notofication_details.png?nolink&400 |}} 
- 
-Click on the link to the report - the report will open in a new browser tab. 
- 
-== HTTP action == 
- 
-{{ dpi:qoe:use_cases:ddos_http.png?nolink&600 |}} 
- 
-  * For automatic filling of the form - click on the "</>" icon 
-  * Choose the most suitable method for your ticket system and enter the URL.
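Review bot: This hunk deletes the entire page with no replacement text or redirect, and the revision header attributes the removal to an external edit from 127.0.0.1 rather than to a named author, so confirm the deletion is intentional before accepting it; the "ssh bruteforce" system trigger it documented otherwise loses its only reference. If the content is being restored instead, fix the "Queries" list in the same revision: both bullets read "Period from" (now - 30 minutes and now - 20 minutes), and the second should read "Period to" so the 10-minute window matches the checking frequency given under "General trigger information". Also align the threshold wording between the "Conditions" bullets ("<= 20(ms)", ">= 1500") and the note beneath them ("less than 20ms", "more than 1500"), since a reader setting up the trigger by hand cannot tell which boundary is meant.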