repos/detection-as-code/rules/linux/credential-access/T1110_ssh_bruteforce.yml
1
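---
# Sigma correlation rule: raises an alert when one source IP accumulates
# repeated SSH authentication failures. It depends on a separate per-event
# base rule referenced as ssh_auth_failure under correlation.rules below.
title: SSH Brute Force
id: 975ada2e-e9a5-4ac0-b420-f8c020c64a24
status: experimental
description: >-
  Correlates repeated SSH authentication failures from a single source within a short
  window. This is the alerting rule; the per-event base rule (ssh_auth_failure) is
  informational on its own.
references:
  - https://attack.mitre.org/techniques/T1110/
author: Zion Boggan
# Quoted so every YAML loader keeps the value as a string rather than a date object.
date: "2026-05-15"
tags:
  - attack.credential_access
  - attack.t1110
falsepositives:
  - Automation or service accounts retrying with stale credentials
  - Many users behind one NAT or proxy egress address failing independently
correlation:
  type: event_count
  rules:
    # Must match the name (or id) declared by the base rule — confirm on that rule.
    - ssh_auth_failure
  # Grouping on src_ip alone only catches single-source bursts: failures spread
  # across many sources, or paced slower than 8 per 2m, stay below the condition
  # and need a separate rule.
  group-by:
    - src_ip
  timespan: 2m
  condition:
    gte: 8
level: high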