SSH login by password guesser from Zeek
Set up the Zeek integration.
Goal
Detect the SSH login by password guesser notice.
Strategy
This rule monitors Zeek logs for the notice SSH::Login_By_Password_Guesser. Zeek generates the notice when it observes a successful SSH login from a source host that it has previously identified as a “password guesser”, that is, a host that already produced repeated failed SSH authentication attempts.
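As an added example (not part of this page or of Zeek itself), the following Python snippet shows the triage that the rule implies: it reads JSON-formatted Zeek notice.log lines, picks out every SSH::Login_By_Password_Guesser notice, and reports the accessed host, the guessing source and whether the earlier SSH::Password_Guessing notice for that source is present in the same log window. The sample log lines are constructed; the assumption that Password_Guessing carries the guesser in `src` while Login_By_Password_Guesser carries it in `id.orig_h` follows Zeek's detect-bruteforcing script.

```python
import json

# Notice names raised by Zeek's policy/protocols/ssh/detect-bruteforcing.zeek
GUESSING = "SSH::Password_Guessing"
LOGIN_BY_GUESSER = "SSH::Login_By_Password_Guesser"

# Constructed sample notice.log lines (Zeek JSON log format); addresses are
# RFC 5737 documentation ranges and the msg text is illustrative only.
SAMPLE_NOTICE_LOG = """\
{"ts":1700000000.1,"note":"SSH::Password_Guessing","src":"203.0.113.7","msg":"203.0.113.7 appears to be guessing SSH passwords (seen in 30 connections)."}
{"ts":1700000120.5,"uid":"CXyz1","id.orig_h":"203.0.113.7","id.orig_p":51022,"id.resp_h":"10.0.0.25","id.resp_p":22,"note":"SSH::Login_By_Password_Guesser","msg":"Successful SSH login by password guesser 203.0.113.7"}
{"ts":1700000130.0,"uid":"CXyz2","id.orig_h":"10.0.0.9","id.orig_p":40000,"id.resp_h":"10.0.0.25","id.resp_p":22,"note":"Scan::Port_Scan","msg":"unrelated notice, must be ignored"}
{"ts":1700000200.0,"uid":"CXyz3","id.orig_h":"198.51.100.4","id.orig_p":60001,"id.resp_h":"10.0.0.26","id.resp_p":22,"note":"SSH::Login_By_Password_Guesser","msg":"Successful SSH login by password guesser 198.51.100.4"}
"""

def parse_notice_log(text):
    """Parse JSON-formatted notice.log lines, skipping blank or malformed ones."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one truncated line must not abort triage of the rest
    return records

def triage_guesser_logins(text):
    """Return one triage entry per SSH::Login_By_Password_Guesser notice.

    Each entry names the accessed host (id.resp_h), the guessing source
    (id.orig_h) and whether a Password_Guessing notice for that source
    precedes the login in this log window, giving the analyst the
    failed-login history behind Zeek's decision to flag the source.
    """
    records = sorted(parse_notice_log(text), key=lambda r: r.get("ts", 0))
    flagged_since = {}  # guesser address -> ts of its first Password_Guessing notice
    findings = []
    for r in records:
        note = r.get("note")
        if note == GUESSING and "src" in r:
            flagged_since.setdefault(r["src"], r["ts"])
        elif note == LOGIN_BY_GUESSER:
            src = r.get("id.orig_h")
            findings.append({
                "ts": r["ts"],
                "uid": r.get("uid"),
                "accessed_host": r.get("id.resp_h"),
                "guesser": src,
                "prior_guessing_notice": src in flagged_since and flagged_since[src] <= r["ts"],
            })
    return findings

if __name__ == "__main__":
    for finding in triage_guesser_logins(SAMPLE_NOTICE_LOG):
        print(finding)
```

Each finding's `accessed_host` is the host whose owners the triage steps below ask you to identify; a finding without a prior Password_Guessing notice in the window simply means the guessing happened before the log excerpt being examined.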
Triage and response
- Identify the owners of the host that has been accessed.
- Work with the team to understand if this authentication was expected/legitimate.
- If it is determined that the activity is malicious:
  - Block the IP address, if doing so aligns with your organization’s incident response processes.
  - Begin your organization’s incident response process and investigate.