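# Bro code for exercise 4c
#
# Start Bro:
#   bro syslog
# Then send events using broclient:
#   cat syslog.broc | broclient

@load listen-clear
@load remote
@load notice

redef enum Notice += {
	SSHLoginFail,
};

redef Remote::destinations += {
	["syslog"] = [$host = 127.0.0.1, $events = /.*/, $connect=F, $retry = 60 secs, $ssl=F],
};

# Failed-login threshold, counted across all destination hosts from a single source.
# &redef lets a site policy tune the threshold without editing this file.
const max_failures = 5 &redef;

# Per-source count of failed logins (all destination hosts combined).
# NOTE(review): keyed by the remote address and never expired, so it grows for as
# long as Bro runs; a table expiry attribute would bound it — confirm which expiry
# attributes this Bro version supports before adding one.
global source_list: table[addr] of count &default=0;

# Sources that have already raised SSHLoginFail; used to alarm once per source.
global alarmed_hosts: table[addr] of count &default=0;

global sshdlog = open_log_file("sshd") &redef;

# Handles one failed SSH login delivered over the remote event interface.
# Logs the attempt, bumps the per-source counter and raises SSHLoginFail the
# first time the source crosses max_failures.
#
# ts        - timestamp of the failed login, printed with one decimal
# orig_h    - source address of the attempt (the key of source_list)
# resp_h    - server address the login targeted
# account   - account name that was tried
# auth_type - authentication method reported by the sender
event ssh_fail_login(ts:double, orig_h:addr, resp_h:addr, account:string, auth_type:string)
	{
	print sshdlog, fmt("%.1f ssh_fail_login %s -> %s@%s %s", ts, orig_h, account, resp_h, auth_type);

	++source_list[orig_h];

	# Alarm only once per source: alarmed_hosts records the sources already reported.
	# The counter is keyed by source only, so the threshold can be crossed against a
	# single destination host as well as against several.
	if ( source_list[orig_h] > max_failures && orig_h !in alarmed_hosts )
		{
		NOTICE([$note=SSHLoginFail, $src=orig_h,
		        $msg=fmt("%s Exceeded %d failed logins to multiple hosts", orig_h, max_failures)]);
		++alarmed_hosts[orig_h];
		}
	}

# Summary at shutdown: one line per source with its failed-attempt count.
event bro_done()
	{
	for ( orig in source_list )
		print fmt("Number failed ssh attempts to host %s: %d ", orig, source_list[orig]);
	}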