====== Detecting SSH bruteforce attacks using triggers in QoE ======
{{indexmenu_n>6}}

[[en:dpi:dpi_components:dpiui:user_guide:qoe_analytics:triggers_and_notifications|Triggers]] search the QoE Stor for data matching specified parameters. When a trigger fires, one or more of the following actions is possible:
  * notification in the GUI
  * HTTP action
  * sending an email
\\
Required options of the Stingray Service Gateway:
  * [[en:dpi:dpi_options:opt_statistics|]]
  * [[en:dpi:dpi_options:opt_notify|]]
Required additional modules:
  * [[en:dpi:dpi_components:dpiui|]]
  * [[en:dpi:dpi_components:qoestor|]]

===== System trigger to detect SSH bruteforce attacks =====
The trigger for detecting SSH bruteforce attacks (name "ssh bruteforce") is a system trigger. It is available in the "QoE Analytics" - "Triggers and Notifications" subsection and is disabled by default.
{{ dpi:qoe:use_cases:dpiui2_triggers_bruteforce.png?nolink&600 |}}

=== General trigger information ===
{{ dpi:qoe:use_cases:dpiui2_triggers_bruteforce_common.png?nolink&600 |}}
  * Trigger name: "ssh bruteforce";
  * Days of the week: all;
  * Checking frequency: every 10 minutes;
  * Trigger frequency: 0;
  * Start/end dates and times can be customized if needed.
With these settings the data is checked every day, at 10-minute intervals, against the conditions described below.
=== Queries ===
{{ dpi:qoe:use_cases:dpiui2_triggers_bruteforce_queries.png?nolink&600 |}}
For this trigger, an uneditable query with the following parameters is set:
  * Table to scan: Raw full netflow → Tables → Attacks detection → SSH bruteforce;
  * Period from: now - 30 minutes;
  * Period to: now - 20 minutes.
Each check therefore covers a 10-minute window, matching the checking frequency, so consecutive checks cover adjacent windows. Note that the window ends 20 minutes before the check time, not at the check time, so a burst of sessions is evaluated by a later check, not the one immediately following it.

=== Conditions ===
{{ dpi:qoe:use_cases:dpiui2_triggers_bruteforce_conditions.png?600 |}}
  * Add ("+") 2 fields
  * Bind: AND
  * Function: avg
  * Series in field 1: session lifetime to subscriber <= 20 (ms)
  * Series in field 2: number of sessions per subscriber >= 1500
These are the conditions under which the trigger fires: the average lifetime of SSH sessions to a subscriber is 20 ms or less, AND the number of SSH sessions to that subscriber is 1500 or more within the queried period. Both conditions must hold: many sessions of normal length, or a small number of very short sessions, do not fire the trigger.

=== Errors processing ===
{{ dpi:qoe:use_cases:ddos_error.png?nolink&600 |}}
  * In the "If no error" field: no data
  * In the "If execution error or timeout" field: save the last state
With this configuration, a check that returns no matching rows puts the trigger into the "no data" state and nothing is saved; if the query fails or times out, the trigger keeps its last state, so a detection raised by the previous successful check is not cleared by a transient error.

=== Actions ===
== E-mail ==
{{ dpi:qoe:use_cases:ddos_email.png?nolink&600 |}}
  * To fill in the form automatically, click the corresponding icon
  * In the "Send to" field, specify an email address
With this setting, when the trigger fires, a notification is sent to the specified email address containing the trigger ID, trigger name, status, and a link to the report (saved state).
== Notification ==
{{ dpi:qoe:use_cases:ddos_notification.png?nolink&600 |}}
  * To fill in the form automatically, click the corresponding icon
  * Select the notification type: "Warning"
  * With this setting, a notification is created in the Stingray Service Gateway
{{ dpi:qoe:use_cases:dpiui2_triggers_bruteforce_alerting.png?nolink&600 |}}
You can get a link to the report from the notification menu:
{{ dpi:qoe:use_cases:dpiui2_triggers_bruteforce_notofication.png?nolink&400 |}}
Choose the notification and click "Details".
{{ dpi:qoe:use_cases:dpiui2_triggers_bruteforce_notofication_details.png?nolink&400 |}}
Click the link to the report; the report opens in a new browser tab.

== HTTP action ==
{{ dpi:qoe:use_cases:ddos_http.png?nolink&600 |}}
  * To fill in the form automatically, click the corresponding icon
  * Choose the HTTP method that suits your ticketing system and enter its URL.
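As an added illustration (example code written for this page, not code from the Stingray Service Gateway or QoE Stor), the following Python script models the query window and both conditions of the "ssh bruteforce" trigger over constructed session records. The session record layout, the subscriber addresses and all function names are assumptions; the thresholds (avg lifetime <= 20 ms AND >= 1500 sessions per subscriber) and the window offsets (now - 30 minutes to now - 20 minutes) are the ones given above. It also shows the effect of the window offset: a burst that started 5 minutes before a check is not evaluated until the check that runs 20 minutes later.

```python
"""Model of the "ssh bruteforce" trigger conditions described on this page.

Added example, not Stingray/QoE Stor code: the session record layout, the
subscriber addresses and all function names are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# Thresholds and window as configured in the trigger described above
MAX_AVG_LIFETIME_MS = 20              # series 1: session lifetime to subscriber <= 20 ms
MIN_SESSIONS = 1500                   # series 2: number of sessions per subscriber >= 1500
PERIOD_FROM = timedelta(minutes=30)   # "Period from: now - 30 minutes"
PERIOD_TO = timedelta(minutes=20)     # "Period to: now - 20 minutes"

SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0)  # fixed check time so the example is deterministic


@dataclass(frozen=True)
class SshSession:
    """One SSH session to a subscriber (assumed layout of a raw netflow row)."""
    subscriber: str        # destination subscriber address
    started: datetime      # session start time
    lifetime_ms: float     # session lifetime in milliseconds


def in_window(session: SshSession, now: datetime) -> bool:
    """True if the session started inside [now - 30 min, now - 20 min)."""
    return now - PERIOD_FROM <= session.started < now - PERIOD_TO


def detect_ssh_bruteforce(sessions, now: datetime) -> dict:
    """Apply both conditions (bound with AND) per subscriber.

    Returns {subscriber: (session_count, avg_lifetime_ms)} for every subscriber
    whose sessions in the window satisfy avg lifetime <= 20 ms AND count >= 1500.
    """
    lifetimes_by_subscriber = {}
    for s in sessions:
        if in_window(s, now):
            lifetimes_by_subscriber.setdefault(s.subscriber, []).append(s.lifetime_ms)

    hits = {}
    for subscriber, lifetimes in lifetimes_by_subscriber.items():
        count, avg_ms = len(lifetimes), mean(lifetimes)
        if count >= MIN_SESSIONS and avg_ms <= MAX_AVG_LIFETIME_MS:
            hits[subscriber] = (count, avg_ms)
    return hits


def _burst(subscriber, start, count, lifetime_ms, spacing_ms=10):
    """Constructed helper: `count` sessions to one subscriber, one every `spacing_ms`."""
    return [SshSession(subscriber, start + timedelta(milliseconds=i * spacing_ms),
                       lifetime_ms(i) if callable(lifetime_ms) else lifetime_ms)
            for i in range(count)]


def synthetic_sessions(now: datetime) -> list:
    """Constructed sample data (not captured traffic) covering the decision cases."""
    sessions = []
    # 10.0.0.5: 2000 sessions of 3/7 ms (avg 5 ms) 25 min before the check -> both conditions
    sessions += _burst("10.0.0.5", now - timedelta(minutes=25), 2000,
                       lambda i: 3.0 if i % 2 else 7.0)
    # 10.0.0.6: 2000 sessions but 500 ms each -> count matches, lifetime does not
    sessions += _burst("10.0.0.6", now - timedelta(minutes=25), 2000, 500.0)
    # 10.0.0.7: only 300 short sessions -> lifetime matches, count does not
    sessions += _burst("10.0.0.7", now - timedelta(minutes=25), 300, 5.0)
    # 10.0.0.8: brute-force pattern only 5 min old -> outside the window of this check
    sessions += _burst("10.0.0.8", now - timedelta(minutes=5), 2000, 5.0)
    return sessions


def run_checks():
    """Run the check at SAMPLE_NOW and again two check intervals (20 min) later."""
    sessions = synthetic_sessions(SAMPLE_NOW)
    first = detect_ssh_bruteforce(sessions, SAMPLE_NOW)
    later = detect_ssh_bruteforce(sessions, SAMPLE_NOW + timedelta(minutes=20))
    return first, later


if __name__ == "__main__":
    for label, hits in zip(("check at SAMPLE_NOW", "check 20 min later"), run_checks()):
        print(label, {sub: f"{n} sessions, avg {avg:.1f} ms" for sub, (n, avg) in hits.items()})
```

Running the script reports only 10.0.0.5 at the first check and only 10.0.0.8 at the check 20 minutes later; 10.0.0.6 and 10.0.0.7 never match because the two series are bound with AND.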