zoneminder-bf Scenario

« zoneminder-bf »
v0.2 by baudneo
Attack scenarioremediation:truetype:bruteforce service:zoneminderspoofable:0MITRE:T1110confidence:3

Detect ZoneMinder bruteforce

Installation

cscli scenarios install baudneo/zoneminder-bf

Description

Bruteforce/User Enumeration protection for ZoneMinder.

YAML Configuration

1# loging bruteforce
2type: leaky
3name: baudneo/zoneminder-bf
4description: "Detect ZoneMinder bruteforce"
5filter: "evt.Meta.log_subtype == 'zm_bad_password'"
6groupby: "evt.Meta.source_ip"
7capacity: 4
8leakspeed: "10s"
9blackhole: 1m
10labels:
11  service: zoneminder
12  type: bruteforce
13  spoofable: 0
14  confidence: 3
15  remediation: true
16  classification:
17    - attack.T1110
18  behavior: "http:bruteforce"
19  label: "Zoneminder bruteforce"
20---
21# user enum
22type: leaky
23name: baudneo/zoneminder-bf
24description: "Detect ZoneMinder user enumeration"
25filter: "evt.Meta.log_subtype == 'zm_bad_user'"
26groupby: "evt.Meta.source_ip"
27distinct: "evt.Meta.username"
28capacity: 4
29leakspeed: "10s"
30blackhole: 1m
31labels:
32  service: zoneminder
33  type: bruteforce
34  spoofable: 0
35  confidence: 3
36  remediation: true
37  classification:
38    - attack.T1589
39    - attack.T1110
40  behavior: "http:bruteforce"
41  label: "Zoneminder user enumeration"
42

Hub configuration

« zoneminder-bf »v0.2 by baudneoAttack scenarioremediation:truetype:bruteforce service:zoneminderspoofable:0MITRE:T1110confidence:3

« zoneminder-bf »
v0.2 by baudneo
Attack scenarioremediation:truetype:bruteforce service:zoneminderspoofable:0MITRE:T1110confidence:3