Hub configuration

More info

calibre-web-bf Scenario

« calibre-web-bf »
v0.1 by Jgigantino31
Attack scenarioremediation:trueservice:calibre-webspoofable:0MITRE:T1110confidence:3

Detect calibre-web bruteforce

Installation

cscli scenarios install Jgigantino31/calibre-web-bf

Description

Detect failed calibre-web authentications:

leakspeed of 20s, capacity of 5 on same target user
leakspeed of 1m, capacity of 5 unique distinct users

YAML Configuration

1# calibre-web BF scan
2name: Jgigantino31/calibre-web-bf
3description: "Detect calibre-web bruteforce"
4filter: "evt.Meta.log_type == 'calibre-web_failed_auth'"
5#debug: true
6type: leaky
7groupby: evt.Meta.source_ip
8leakspeed: 20s
9capacity: 5
10blackhole: 1m
11labels:
12  service: calibre-web
13  behavior: "http:bruteforce"
14  spoofable: 0
15  confidence: 3
16  classification:
17    - attack.T1110
18  label: "Calibre-Web Bruteforce"
19  remediation: true
20---
21# calibre-web user-enum
22type: leaky
23name: Jgigantino31/calibre-web-bf_user-enum
24description: "Detect calibre-web user enum bruteforce"
25filter: "evt.Meta.log_type == 'calibre-web_failed_auth'"
26groupby: evt.Meta.source_ip
27distinct: evt.Meta.user
28leakspeed: 1m
29capacity: 5
30blackhole: 1m
31labels:
32  service: calibre-web
33  behavior: "http:bruteforce"
34  spoofable: 0
35  confidence: 3
36  classification:
37    - attack.T1589
38    - attack.T1110
39  label: "Calibre-Web User Enumeration"
40  remediation: true
41

Hub configuration

« calibre-web-bf »v0.1 by Jgigantino31Attack scenarioremediation:trueservice:calibre-webspoofable:0MITRE:T1110confidence:3

« calibre-web-bf »
v0.1 by Jgigantino31
Attack scenarioremediation:trueservice:calibre-webspoofable:0MITRE:T1110confidence:3