http-crawl-non_statics Configuration

« http-crawl-non_statics »
v0.7 by crowdsecurity
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1595confidence:1

Detect aggressive crawl on non static resources

Installation

cscli scenarios install crowdsecurity/http-crawl-non_statics

Description

Detect crawl (http GET/HEAD) on non-static (jpg,css,js,etc.) http pages from a single ip.

Leakspeed of 0.5s, capacity of 40

YAML Configuration

1type: leaky
2name: crowdsecurity/http-crawl-non_statics
3description: "Detect aggressive crawl on non static resources"
4filter: "evt.Meta.log_type in ['http_access-log', 'http_error-log'] && evt.Parsed.static_ressource == 'false' && evt.Parsed.verb in ['GET', 'HEAD']"
5distinct: "evt.Parsed.file_name"
6leakspeed: 0.5s
7capacity: 40
8#debug: true
9#this limits the memory cache (and event_sequences in output) to five events
10cache_size: 5
11groupby: "evt.Meta.source_ip + '/' + evt.Parsed.target_fqdn"
12blackhole: 1m
13labels:
14  confidence: 1
15  spoofable: 0
16  classification:
17    - attack.T1595
18  behavior: "http:crawl"
19  service: http
20  label: "Aggressive Crawl"
21  remediation: true
22

Hub configuration

« http-crawl-non_statics »v0.7 by crowdsecurityAttack scenarioremediation:trueservice:httpspoofable:0MITRE:T1595confidence:1

« http-crawl-non_statics »
v0.7 by crowdsecurity
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1595confidence:1