freeswitch-bf Configuration

« freeswitch-bf »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:freeswitchspoofable:0MITRE:T1110confidence:3

Detect freeswitch auth bruteforce

Installation

cscli scenarios install crowdsecurity/freeswitch-bf

Description

freeSWITCH logs when an authentication attempt fails. This scenario will detect when an IP has more than 5 failed attempts. There is also a slower scenarios to detect when an IP has more than 20 failed attempts.

YAML Configuration

1type: leaky
2name: crowdsecurity/freeswitch-bf
3description: "Detect freeswitch auth bruteforce"
4filter: "evt.Meta.service == 'freeswitch' && evt.Meta.sub_type == 'auth_failure'"
5leakspeed: "10s"
6capacity: 5
7groupby: evt.Meta.source_ip
8blackhole: 1m
9reprocess: true
10labels:
11  service: freeswitch
12  confidence: 3
13  spoofable: 0
14  classification:
15    - attack.T1110
16  behavior: "generic:bruteforce"
17  label: "Freeswitch Bruteforce"
18  remediation: true
19
20---
21type: leaky
22name: crowdsecurity/freeswitch-slow-bf
23description: "Detect freeswitch auth bruteforce"
24filter: "evt.Meta.service == 'freeswitch' && evt.Meta.sub_type == 'auth_failure'"
25leakspeed: "1m"
26capacity: 20
27groupby: evt.Meta.source_ip
28blackhole: 1m
29labels:
30  service: freeswitch
31  confidence: 3
32  spoofable: 0
33  classification:
34    - attack.T1110
35  behavior: "generic:bruteforce"
36  label: "Freeswitch Bruteforce"
37  remediation: true
38

Hub configuration

« freeswitch-bf »v0.3 by crowdsecurityAttack scenarioremediation:trueservice:freeswitchspoofable:0MITRE:T1110confidence:3

« freeswitch-bf »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:freeswitchspoofable:0MITRE:T1110confidence:3