BruteForce Detector changes
Default config changes: at least 90/100 suspicious flows are now needed to trigger an attack (up from 30/50). (90% of flows must be suspicious when there are more than that; this was not changed.) The host record list now holds only 500 records (down from 1000), but a record now has a timeout of 60 minutes (up from 30 min).
Refactoring changes, bugfixes
Changes to evaluating attacks ( SSHHost/RDPHost/TELNETHost::checkForAttack ) should solve the issue with "OR evaluation" in the incoming/outgoing direction. (mentioned by @vaclavbartos )
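To make the default limits above concrete, here is an added C++ example (not code from the NEMEA brute_force_detector or from this PR) of the two configured limits working together: a host is reported as attacking only once at least 100 flows have been seen, at least 90 of them are suspicious, and suspicious flows stay at 90% or more as further flows arrive; and the host record list is capped at 500 entries, with a record that has been idle for 60 minutes being dropped. How the 90/100 pair combines with the 90% rule, the least-recently-seen eviction, the class and function names and the sample addresses are all assumptions of this example; the incoming/outgoing direction is not modelled.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <list>
#include <string>
#include <unordered_map>
#include <utility>

// Constructed example; not code from the NEMEA brute_force_detector. The numeric
// defaults are the ones stated in the PR description; how the 90/100 pair combines
// with the 90% rule is an assumption made here.
constexpr uint32_t kMinTotalFlows        = 100;      // flows seen before any verdict
constexpr uint32_t kMinSuspiciousFlows   = 90;       // of which at least this many suspicious
constexpr uint64_t kMinSuspiciousPercent = 90;       // above kMinTotalFlows, 90% must be suspicious
constexpr std::size_t kMaxHostRecords    = 500;      // host record list capacity
constexpr uint64_t kRecordTimeoutSec     = 60 * 60;  // a record idle this long is dropped

struct HostRecord {
    uint32_t totalFlows = 0;
    uint32_t suspiciousFlows = 0;
    uint64_t lastSeen = 0;   // seconds on any non-decreasing clock
};

// Attack verdict for one host. Integer arithmetic avoids float rounding at the
// exact 90% boundary. Direction is ignored here (assumption: one counter pair).
bool checkForAttack(const HostRecord& r) {
    if (r.totalFlows < kMinTotalFlows || r.suspiciousFlows < kMinSuspiciousFlows)
        return false;
    return static_cast<uint64_t>(r.suspiciousFlows) * 100 >=
           static_cast<uint64_t>(r.totalFlows) * kMinSuspiciousPercent;
}

// Bounded host record list: idle records expire before every lookup, and the
// least-recently-seen record is evicted when the list is full.
class HostTable {
public:
    HostRecord& touch(const std::string& host, uint64_t now) {
        expire(now);
        auto it = map_.find(host);
        if (it != map_.end()) {
            lru_.erase(it->second.second);           // move to most-recent position
            lru_.push_front(host);
            it->second.second = lru_.begin();
            it->second.first.lastSeen = now;
            return it->second.first;
        }
        if (map_.size() >= kMaxHostRecords) {        // full: drop least recently seen
            map_.erase(lru_.back());
            lru_.pop_back();
        }
        lru_.push_front(host);
        HostRecord fresh;
        fresh.lastSeen = now;
        return map_.emplace(host, std::make_pair(fresh, lru_.begin())).first->second.first;
    }
    std::size_t size() const { return map_.size(); }
    bool contains(const std::string& host) const { return map_.count(host) != 0; }

private:
    using Entry = std::pair<HostRecord, std::list<std::string>::iterator>;
    void expire(uint64_t now) {
        // Back of the list is the oldest lastSeen, so stop at the first live record.
        while (!lru_.empty() &&
               map_.at(lru_.back()).first.lastSeen + kRecordTimeoutSec <= now) {
            map_.erase(lru_.back());
            lru_.pop_back();
        }
    }
    std::list<std::string> lru_;                      // front = most recently seen
    std::unordered_map<std::string, Entry> map_;
};

// Account one flow for `host`; returns true once the host crosses the thresholds.
bool observeFlow(HostTable& table, const std::string& host, bool suspicious, uint64_t now) {
    HostRecord& r = table.touch(host, now);
    ++r.totalFlows;
    if (suspicious) ++r.suspiciousFlows;
    return checkForAttack(r);
}

int main() {
    HostTable table;
    // Constructed input: 100 flows from one host, 92 of them flagged suspicious.
    bool attack = false;
    for (int i = 0; i < 100; ++i)
        attack = observeFlow(table, "198.51.100.7", i < 92, 1000 + i);
    std::cout << (attack ? "attack" : "no attack") << '\n';
    return 0;
}
```

The 90/100 pair as read here means a verdict is deferred until 100 flows exist, so 99 fully suspicious flows do not trigger; the percentage rule then keeps the bar at 90% however many flows follow, which is what stops a noisy but mostly legitimate client from being reported.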
I briefly looked at the changes and noticed there are TABs used for indentation somewhere - please, replace them with 4 spaces to keep it consistent with the rest of the code and our coding style.
I agree the naming of directions as incoming/outgoing is very unclear (as well as some other variables in the code) and at least this should be renamed (both in code and documentation). I propose c2s (client2server) and s2c (server2client), which is maybe quite complex, but unambiguous. If someone has a better idea, just write.
What is the current state of this PR? Is there anything we want to add or fix? Based on commit messages, it seems to me that changes were just about refactoring and minor improvements without affecting functionality, right?
We'd need to improve this detector to identify both source and target of an attack, which is probably not covered in this PR...
@petrmiculek This PR is quite old... Can you please resolve conflicts so we can merge it (if it is finished)?