ssh-bad-keyexchange-bf Scenario

« ssh-bad-keyexchange-bf »
v0.2 by LePresidente
Attack scenarioremediation:trueservice:sshspoofable:0MITRE:T1110confidence:3

Detect ssh bad key exchange

Installation

cscli scenarios install LePresidente/ssh-bad-keyexchange-bf

Description

Detect failed ssh Key Exchanges :

leakspeed of 10s, capacity of 5 on same target ip

YAML Configuration

1# ssh bruteforce
2type: leaky
3name: lepresidente/ssh-bad-keyexchange-bf
4description: "Detect ssh bad key exchange"
5filter: "evt.Meta.log_type == 'ssh_bad_keyexchange'"
6leakspeed: "10s"
7references:
8  - http://wikipedia.com/ssh-bf-is-bad
9capacity: 5
10groupby: evt.Meta.source_ip
11blackhole: 1m
12reprocess: true
13labels:
14  service: ssh
15  behavior: "ssh:bruteforce"
16  confidence: 3
17  spoofable: 0
18  classification:
19    - attack.T1110
20  remediation: true
21  label: "SSH Bad Key Bruteforce"
22

Hub configuration

« ssh-bad-keyexchange-bf »v0.2 by LePresidenteAttack scenarioremediation:trueservice:sshspoofable:0MITRE:T1110confidence:3

« ssh-bad-keyexchange-bf »
v0.2 by LePresidente
Attack scenarioremediation:trueservice:sshspoofable:0MITRE:T1110confidence:3