redmine-bf Configuration

« redmine-bf »
v0.2 by LePresidente
Attack scenarioremediation:trueservice:redminespoofable:0MITRE:T1110confidence:3

Detect Redmine bruteforce attacks

Installation

cscli scenarios install LePresidente/redmine-bf

Description

Detect failed Redmine authentications:

leakspeed of 20s, capacity of 5 on same target user
leakspeed of 1m, capacity of 5 unique distinct users

YAML Configuration

1# Redmine bruteforce
2type: leaky
3name: LePresidente/redmine-bf
4description: "Detect Redmine bruteforce attacks"
5filter: "evt.Meta.log_type == 'redmine_failed_auth'"
6leakspeed: 1m
7capacity: 5
8groupby: evt.Meta.source_ip
9blackhole: 5m
10reprocess: true
11labels:
12  service: redmine
13  behavior: "http:bruteforce"
14  classification:
15    - attack.T1110
16  label: "Redmine Bruteforce"
17  spoofable: 0
18  confidence: 3
19  remediation: true
20---
21# Redmine user-enum
22type: leaky
23name: LePresidente/redmine-bf_user-enum
24description: "Detect Redmine user enum bruteforce"
25filter: "evt.Meta.log_type == 'redmine_failed_auth'"
26groupby: evt.Meta.source_ip
27distinct: evt.Meta.user
28leakspeed: 10s
29capacity: 5
30blackhole: 1m
31labels:
32  service: redmine
33  behavior: "http:bruteforce"
34  spoofable: 0
35  confidence: 3
36  classification:
37    - attack.T1589
38    - attack.T1110
39  label: "Redmine Enumeration"
40  remediation: true
41

Hub configuration

« redmine-bf »v0.2 by LePresidenteAttack scenarioremediation:trueservice:redminespoofable:0MITRE:T1110confidence:3

« redmine-bf »
v0.2 by LePresidente
Attack scenarioremediation:trueservice:redminespoofable:0MITRE:T1110confidence:3