Skip to content

vsftpd: implement 3-tier bruteforce detection with impossible travel#1568

Draft
LaurenceJJones wants to merge 1 commit intocrowdsecurity:masterfrom
LaurenceJJones:vsftpd-slow-bf
Draft

vsftpd: implement 3-tier bruteforce detection with impossible travel#1568
LaurenceJJones wants to merge 1 commit intocrowdsecurity:masterfrom
LaurenceJJones:vsftpd-slow-bf

Conversation

@LaurenceJJones
Copy link
Member

@LaurenceJJones LaurenceJJones commented Nov 5, 2025

Description

  • Add service: ftp metadata to vsftpd-logs parser
  • Create vsftpd-success-logs parser for OK LOGIN authentications
    • Uses generic log_type: auth_success for impossible-travel compatibility

3-Tier Bruteforce Detection (following SSH/SMB pattern):

  • vsftpd-bf: fast attacks (5 failures in ~50s, 0-10s intervals)
  • vsftpd-slow-bf: slow attacks (10 failures in ~10min, 10-60s intervals)
  • vsftpd-time-based-bf: time-based attacks (3 failures, >2min median, >120s intervals)
    • Uses MedianInterval() helper with conditional type
    • Includes cancel_on for successful authentication (false positive reduction)
    • Filters both failed and successful auth events

Collections:

  • Update vsftpd collection with both parsers and 3 scenarios
  • Create vsftpd-impossible-travel collection (parser + impossible-travel scenarios)

Testing:

  • vsftpd-logs: regenerate with service metadata
  • vsftpd-bf: update to private IPs and regenerate assertions
  • vsftpd-slow-bf: new test with 16 events at 15s intervals
  • vsftpd-time-based-bf: new test with 6 events at 3-4min intervals
  • vsftpd-success-logs: new parser test with 3 successful authentications
  • vsftpd-impossible-travel: new test with AU/US IPs
  • All 6 tests passing

Provides gap-free coverage against all attack speeds for the most popular FTP server.

Checklist

  • I have read the contributing guide
  • I have tested my changes locally
  • For new parsers or scenarios, tests have been added
  • I have run the hub linter and no issues were reported (see contributing guide)
  • Automated tests are passing
  • AI was used to generate any/all content of this PR

@LaurenceJJones
vsftpd: implement 3-tier bruteforce detection with impossible travel
f9438f9 
- Add service: ftp metadata to vsftpd-logs parser
- Create vsftpd-success-logs parser for OK LOGIN authentications
  - Uses generic log_type: auth_success for impossible-travel compatibility

3-Tier Bruteforce Detection (following SSH/SMB pattern):
- vsftpd-bf: fast attacks (5 failures in ~50s, 0-10s intervals)
- vsftpd-slow-bf: slow attacks (10 failures in ~10min, 10-60s intervals)
- vsftpd-time-based-bf: time-based attacks (3 failures, >2min median, >120s intervals)
  - Uses MedianInterval() helper with conditional type
  - Includes cancel_on for successful authentication (false positive reduction)
  - Filters both failed and successful auth events

Collections:
- Update vsftpd collection with both parsers and 3 scenarios
- Create vsftpd-impossible-travel collection (parser + impossible-travel scenarios)

Testing:
- vsftpd-logs: regenerate with service metadata
- vsftpd-bf: update to private IPs and regenerate assertions
- vsftpd-slow-bf: new test with 16 events at 15s intervals
- vsftpd-time-based-bf: new test with 6 events at 3-4min intervals
- vsftpd-success-logs: new parser test with 3 successful authentications
- vsftpd-impossible-travel: new test with AU/US IPs
- All 6 tests passing

Provides gap-free coverage against all attack speeds for the most popular FTP server.
@LaurenceJJones LaurenceJJones marked this pull request as draft November 5, 2025 11:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@LaurenceJJones