Detecting SSH bruteforce attacks using triggers in QoE [VAS Experts Documentation]

Page en:dpi:qoe:use_cases:triggers_ssh_bruteforce; previous revision 2023/08/30 08:53 by elena.krasnobryzh; current revision 2024/09/26 15:29 (external edit)
====== Detecting SSH bruteforce attacks using triggers in QoE ======

[[en:dpi:dpi_components:dpiui:user_guide:qoe_analytics:triggers_and_notifications|Triggers]] search the QoE Stor for data that matches the specified parameters. When a trigger fires, the following actions are available:
  * a notification in the GUI
  * an HTTP action
  * sending an email
\\
Required options of the Stingray Service Gateway:
  * [[en:dpi:dpi_options:opt_statistics|]]
  * [[en:dpi:dpi_options:opt_notify|]]
Required additional modules:
  * [[en:dpi:dpi_components:dpiui|]]
  * [[en:dpi:dpi_components:qoestor|]]

===== System trigger to detect SSH bruteforce attacks =====

The trigger that detects SSH bruteforce attacks (name: "ssh bruteforce") is a system trigger. It is found in the "QoE Analytics" - "Triggers and Notifications" subsection and is disabled by default.

{{ dpi:qoe:use_cases:dpiui2_triggers_bruteforce.png?nolink&600 |}}

=== General trigger information ===

{{ dpi:qoe:use_cases:dpiui2_triggers_bruteforce_common.png?nolink&600 |}}

  * Trigger name - "ssh bruteforce";
  * Days of the week - all;
  * Checking frequency - every 10 minutes;
  * Trigger frequency - 0;
  * Start/end dates and times - customizable if needed.

<note>The data is checked every day, at 10-minute intervals, against the conditions described below.</note>

=== Queries ===

{{ dpi:qoe:use_cases:dpiui2_triggers_bruteforce_queries.png?nolink&600 |}}

The trigger uses a fixed query that cannot be edited; its parameters are:

  * Table to scan: Raw full netflow → Tables → Attacks detection → SSH bruteforce;
  * Period from: now - 30 minutes;
  * Period to: now - 20 minutes.

<note>Each check therefore examines a 10-minute window that ends 20 minutes before the check runs. Because checks run every 10 minutes, successive windows are adjacent and leave no gaps, but an attack is reported at the earliest 20 minutes after it starts.</note>

=== Conditions ===

{{ dpi:qoe:use_cases:dpiui2_triggers_bruteforce_conditions.png?600 |}}

  * Click "+" to add 2 fields
  * Bind - AND
  * Function - avg
  * Series in field 1 - session lifetime to subscriber <= 20 (ms)
  * Series in field 2 - number of sessions per subscriber >= 1500

<note>These are the conditions under which the trigger fires: within the processed time period, the average lifetime of SSH sessions to a subscriber is at most 20 ms and the number of SSH sessions to that subscriber is at least 1500. A large number of very short sessions to one host is the pattern left by a client that connects, fails authentication, disconnects and tries again.</note>
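The query window and the two conditions above, as an added example that is not part of the VAS Experts documentation or of the Stingray Service Gateway code: a stand-alone Python re-implementation of the trigger logic (window from now - 30 to now - 20 minutes; avg session lifetime <= 20 ms AND at least 1500 sessions per subscriber, bound with AND) run over constructed session records. The record layout (`SshSession` with a start time, subscriber IP and lifetime in milliseconds), the function names, the reference check time and the sample data are assumptions made for illustration; the real trigger reads the fixed SSH bruteforce table in the QoE Stor.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds from the trigger's Conditions section.
MAX_AVG_LIFETIME_MS = 20   # series 1: session lifetime to subscriber <= 20 (ms), function avg
MIN_SESSIONS = 1500        # series 2: number of sessions per subscriber >= 1500

# Query window from the Queries section: from now - 30 minutes to now - 20 minutes.
WINDOW_FROM = timedelta(minutes=30)
WINDOW_TO = timedelta(minutes=20)


@dataclass(frozen=True)
class SshSession:
    """One SSH session record (assumed layout, not the QoE Stor schema)."""
    ts: datetime         # session start time
    subscriber: str      # subscriber (destination) IP address
    lifetime_ms: float   # session duration in milliseconds


def in_window(rec: SshSession, now: datetime) -> bool:
    """True if the record lies in [now - 30 min, now - 20 min)."""
    return now - WINDOW_FROM <= rec.ts < now - WINDOW_TO


def evaluate_trigger(records, now: datetime) -> dict:
    """Return {subscriber: stats} for every subscriber that satisfies
    avg(lifetime_ms) <= 20 AND count(sessions) >= 1500 inside the window."""
    lifetimes_by_sub = defaultdict(list)
    for rec in records:
        if in_window(rec, now):
            lifetimes_by_sub[rec.subscriber].append(rec.lifetime_ms)

    hits = {}
    for sub, lifetimes in lifetimes_by_sub.items():
        count = len(lifetimes)
        avg_ms = sum(lifetimes) / count
        if avg_ms <= MAX_AVG_LIFETIME_MS and count >= MIN_SESSIONS:   # bind: AND
            hits[sub] = {"sessions": count, "avg_lifetime_ms": round(avg_ms, 2)}
    return hits


def sample_records(now: datetime) -> list:
    """Constructed records (not real traffic) covering the cases that matter."""
    recs = []
    t0 = now - timedelta(minutes=25)              # inside the current window
    # 10.0.0.5: 1600 sessions of 5..15 ms within 160 s -> the trigger should fire.
    for i in range(1600):
        recs.append(SshSession(t0 + timedelta(milliseconds=100 * i), "10.0.0.5", 5 + i % 11))
    # 10.0.0.7: 40 sessions of about 2 minutes each (an admin at work) -> no hit.
    for i in range(40):
        recs.append(SshSession(t0 + timedelta(seconds=5 * i), "10.0.0.7", 120_000 + i))
    # 10.0.0.9: 2000 sessions of 8 ms, but only 5 minutes ago -> outside the window for now.
    t1 = now - timedelta(minutes=5)
    for i in range(2000):
        recs.append(SshSession(t1 + timedelta(milliseconds=100 * i), "10.0.0.9", 8))
    # 10.0.0.11: short sessions, but only 30 of them -> below the count threshold.
    for i in range(30):
        recs.append(SshSession(t0 + timedelta(seconds=i), "10.0.0.11", 10))
    return recs


def demo(minutes_later: int = 0) -> dict:
    """Run the check at a fixed (assumed) reference time, optionally shifted
    forward to imitate a later scheduled check over the same records."""
    reference = datetime(2024, 9, 26, 15, 0, 0)
    records = sample_records(reference)
    return evaluate_trigger(records, reference + timedelta(minutes=minutes_later))


if __name__ == "__main__":
    print("check now:      ", demo())     # only 10.0.0.5 fires
    print("check in 20 min:", demo(20))   # now 10.0.0.9 fires; 10.0.0.5 has aged out of the window
```

Running the module shows the reporting delay that the query window implies: the host flooded 5 minutes ago (10.0.0.9) is not reported by the current check and only appears once a later check's window has moved over those records.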

=== Errors processing ===

{{ dpi:qoe:use_cases:ddos_error.png?nolink&600 |}}

  * In the "If no error" field - no data
  * In the "If execution error or timeout" field - save the last state

<note>With these settings, nothing is saved when the check completes without errors; if the check fails or times out, the last state, i.e. the information about the suspicious activity, is saved.</note>

=== Actions ===
== E-mail ==

{{ dpi:qoe:use_cases:ddos_email.png?nolink&600 |}}

  * To fill in the form automatically, click the "</>" icon
  * In the "Send to" field, enter the recipient email address
  * With this setting, each time the trigger fires a message is sent to that address containing the ID, the trigger name, the status and a link to the report (the saved state).

== Notification ==
{{ dpi:qoe:use_cases:ddos_notification.png?nolink&600 |}}

  * To fill in the form automatically, click the "</>" icon
  * Select the notification type - "Warning"
  * With this setting, a notification is created in the Stingray Service Gateway

{{ dpi:qoe:use_cases:dpiui2_triggers_bruteforce_alerting.png?nolink&600 |}}

The link to the report is available from the notification menu:

{{ dpi:qoe:use_cases:dpiui2_triggers_bruteforce_notofication.png?nolink&400 |}}

Select the notification and click "Details".

{{ dpi:qoe:use_cases:dpiui2_triggers_bruteforce_notofication_details.png?nolink&400 |}}

Click the link to the report; the report opens in a new browser tab.

== HTTP action ==

{{ dpi:qoe:use_cases:ddos_http.png?nolink&600 |}}

  * To fill in the form automatically, click the "</>" icon
  * Choose the HTTP method that suits your ticketing system and enter its URL.