exim-bf Configuration

« exim-bf »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:smtpspoofable:0MITRE:T1110confidence:3

Detect Exim brute force

Installation

cscli scenarios install crowdsecurity/exim-bf

Description

Detect bruteforce on Exim mail server.

leakspeed of 10s, capacity of 5 on same ip
leakspeed of 10s, capacity of 5 on same target user

YAML Configuration

1type: leaky
2#debug: true
3name: crowdsecurity/exim-bf
4description: "Detect Exim brute force"
5filter: "evt.Meta.log_type == 'exim_failed_auth'"
6groupby: evt.Meta.source_ip
7capacity: 5
8leakspeed: "10s"
9blackhole: 1m
10labels:
11  confidence: 3
12  spoofable: 0
13  classification:
14    - attack.T1110
15  behavior: "pop3/imap:bruteforce"
16  label: "Exim Bruteforce"
17  remediation: true
18  service: smtp
19---
20type: leaky
21#debug: true
22name: crowdsecurity/exim-user-bf
23description: "Detect Exim user email brute force"
24filter: "evt.Meta.log_type == 'exim_failed_auth'"
25groupby: evt.Meta.source_ip
26distinct: evt.Meta.username
27capacity: 5
28leakspeed: "10s"
29blackhole: 1m
30labels:
31  confidence: 3
32  spoofable: 0
33  classification:
34    - attack.T1110
35  behavior: "pop3/imap:bruteforce"
36  label: "Exim Bruteforce"
37  remediation: true
38  service: smtp
39

Hub configuration

« exim-bf »v0.3 by crowdsecurityAttack scenarioremediation:trueservice:smtpspoofable:0MITRE:T1110confidence:3

« exim-bf »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:smtpspoofable:0MITRE:T1110confidence:3