ssh-time-based-bf Scenario

Detect time-based ssh bruteforce attempts that evade traditional rate limiting with false positive reduction:

Uses conditional type with capacity -1 (unlimited)
Triggers when at least 4 failed authentication attempts occur
Median interval between failed attempts exceeds 10 minutes
False positive reduction: Uses cancel_on to cancel bucket if user successfully authenticates
- Prevents "forgot password" scenarios from triggering alerts
- Standard variant: Cancels on ANY successful login from same IP
- User-enum variant: Only cancels for same IP + same username combination
- Attackers trying multiple usernames won't be excused by one success (in user-enum variant)
Leakspeed of 2h naturally caps maximum interval (~40-60 minutes for 3 events)
Remediation disabled (labels set to remediation: false)
Uses MedianInterval() helper to detect consistent timing patterns (more robust against outliers)
Requires crowdsecurity/sshd-success-logs parser for cancel_on functionality

Two variants:

ssh-time-based-bf: Standard bruteforce detection (4 failed logins from same IP)
ssh-time-based-bf_user-enum: User enumeration detection (4 distinct usernames from same IP)

This scenario complements the standard ssh-bf (capacity 5, leakspeed 10s) and ssh-slow-bf (capacity 10, leakspeed 60s) scenarios with no overlap:

ssh-bf catches 5 failures within ~50 seconds (rate-based)
ssh-slow-bf catches 10 failures within ~10 minutes (rate-based)
ssh-time-based-bf catches 4 failures with median interval >10 minutes (time-pattern-based, naturally capped by 2h leakspeed)

1# ssh time-based bruteforce with false positive reduction

2type: conditional

3name: crowdsecurity/ssh-time-based-bf

4description: "Detect time-based ssh bruteforce attempts that evade rate limiting (with false positive reduction)"

5filter: "evt.Meta.service == 'ssh' && evt.Meta.log_type in ['ssh_failed-auth', 'auth_success']"

6groupby: evt.Meta.source_ip

7capacity: -1

8cancel_on: "evt.Meta.log_type == 'auth_success'"

9condition: |

10 let failedAuths = filter(queue.Queue, {#.Meta.log_type == 'ssh_failed-auth'});

11 len(failedAuths) >= 4 &&

12 MedianInterval(map(failedAuths[-4:], {#.Time})) > duration("10m")

13leakspeed: 2h

14blackhole: 5m

15reprocess: true

16labels:

17 service: ssh

18 behavior: "ssh:bruteforce"

19 spoofable: 0

20 confidence: 3

21 classification:

22 - attack.T1110

23 label: "SSH Time-Based Bruteforce"

24 remediation: false

25---

26# ssh user-enum time-based with false positive reduction

27type: conditional

28name: crowdsecurity/ssh-time-based-bf_user-enum

29description: "Detect time-based ssh user enum bruteforce attempts (with false positive reduction)"

30filter: "evt.Meta.service == 'ssh' && evt.Meta.log_type in ['ssh_failed-auth', 'auth_success']"

31groupby: evt.Meta.source_ip

32distinct: evt.Meta.target_user

33capacity: -1

34cancel_on: "evt.Meta.log_type == 'auth_success'"

35condition: |

36 let failedAuths = filter(queue.Queue, {#.Meta.log_type == 'ssh_failed-auth'});

37 len(failedAuths) >= 4 &&

38 MedianInterval(map(failedAuths[-4:], {#.Time})) > duration("10m")

39leakspeed: 2h

40blackhole: 5m

41reprocess: true

42labels:

43 service: ssh

44 behavior: "ssh:bruteforce"

45 spoofable: 0

46 confidence: 3

47 classification:

48 - attack.T1589

49 - attack.T1110

50 label: "SSH Time-Based User Enumeration"

51 remediation: false

Hub configuration

« ssh-time-based-bf »
v0.2 by crowdsecurity
Attack scenarioservice:sshspoofable:0MITRE:T1110confidence:3

Hub configuration

« ssh-time-based-bf »v0.2 by crowdsecurityAttack scenarioservice:sshspoofable:0MITRE:T1110confidence:3

« ssh-time-based-bf »
v0.2 by crowdsecurity
Attack scenarioservice:sshspoofable:0MITRE:T1110confidence:3