crs-anomaly-score Scenario

« crs-anomaly-score »
v0.1 by barnoux
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1595MITRE:T1190confidence:2

Web exploitation detected via Core Rule Set inbound anomaly scoring set by the user in crs-setup.conf

Installation

cscli scenarios install barnoux/crs-anomaly-score

YAML Configuration

1type: trigger
2name: barnoux/crs-anomaly-score
3description: "Web exploitation detected via Core Rule Set inbound anomaly scoring set by the user in crs-setup.conf"
4filter: evt.Meta.log_type == 'modsecurity' && evt.Parsed.ruleid == '949110'
5groupby: evt.Meta.source_ip
6blackhole: 2m
7labels:
8  remediation: true
9  classification:
10    - attack.T1595
11    - attack.T1190
12  behavior: "http:exploit"
13  label: "CRS Anomaly Alert"
14  spoofable: 0
15  confidence: 2
16  service: http
17

Hub configuration

« crs-anomaly-score »v0.1 by barnouxAttack scenarioremediation:trueservice:httpspoofable:0MITRE:T1595MITRE:T1190confidence:2

« crs-anomaly-score »
v0.1 by barnoux
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1595MITRE:T1190confidence:2