freeswitch-user-enumeration Configuration

« freeswitch-user-enumeration »
v0.4 by crowdsecurity
Attack scenarioremediation:trueservice:freeswitchspoofable:0MITRE:T1589confidence:3

Detect freeswitch user enumeration

Installation

cscli scenarios install crowdsecurity/freeswitch-user-enumeration

Description

FreeSWITCH will log when an a not found user. This scenario will detect when an IP has more than 5 attempts. There is also a slower scenarios to detect when an IP has more than 20 attempts.

YAML Configuration

1type: leaky
2name: crowdsecurity/freeswitch-user-enumeration
3description: "Detect freeswitch user enumeration"
4filter: "evt.Meta.service == 'freeswitch' && evt.Meta.sub_type == 'user_enumeration'"
5leakspeed: "10s"
6capacity: 5
7groupby: evt.Meta.source_ip
8blackhole: 1m
9reprocess: true
10labels:
11  service: freeswitch
12  confidence: 3
13  spoofable: 0
14  classification:
15    - attack.T1589
16  behavior: "generic:bruteforce"
17  label: "Freeswitch User Enumeration"
18  remediation: true
19---
20type: leaky
21name: crowdsecurity/freeswitch-user-enumeration
22description: "Detect freeswitch user enumeration"
23filter: "evt.Meta.service == 'freeswitch' && evt.Meta.sub_type == 'user_enumeration'"
24leakspeed: "1m"
25capacity: 20
26groupby: evt.Meta.source_ip
27blackhole: 1m
28labels:
29  service: freeswitch
30  confidence: 3
31  spoofable: 0
32  classification:
33    - attack.T1589
34  behavior: "generic:bruteforce"
35  label: "Freeswitch User Enumeration"
36  remediation: true
37

Hub configuration

« freeswitch-user-enumeration »v0.4 by crowdsecurityAttack scenarioremediation:trueservice:freeswitchspoofable:0MITRE:T1589confidence:3

« freeswitch-user-enumeration »
v0.4 by crowdsecurity
Attack scenarioremediation:trueservice:freeswitchspoofable:0MITRE:T1589confidence:3