endlessh-bf Configuration

« endlessh-bf »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:endlesshspoofable:0MITRE:T1110confidence:3

Detect SSH bruteforce caught by Endlessh

Installation

cscli scenarios install crowdsecurity/endlessh-bf

YAML Configuration

1# endlessh bruteforce
2type: leaky
3name: crowdsecurity/endlessh-bf
4description: "Detect SSH bruteforce caught by Endlessh"
5filter: "evt.Meta.log_type == 'endlessh_accept'"
6leakspeed: "5m"
7references:
8  - http://wikipedia.com/ssh-bf-is-bad
9capacity: 5
10groupby: evt.Meta.source_ip
11blackhole: 120m
12reprocess: true
13labels:
14  confidence: 3
15  spoofable: 0
16  classification:
17    - attack.T1110
18  behavior: "ssh:bruteforce"
19  label: "Endlessh Bruteforce"
20  service: endlessh
21  remediation: true
22

Hub configuration

« endlessh-bf »v0.3 by crowdsecurityAttack scenarioremediation:trueservice:endlesshspoofable:0MITRE:T1110confidence:3

« endlessh-bf »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:endlesshspoofable:0MITRE:T1110confidence:3