http-dos-switching-ua Configuration

« http-dos-switching-ua »
v0.5 by crowdsecurity
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1498confidence:2

Detect DoS tools switching user-agent too fast

Installation

cscli scenarios install crowdsecurity/http-dos-switching-ua

Description

This scenario detects specific DoS tools that issue a high number of requests, while changing the User-Agent every request.

Directly inspired by some specific DoS tools TTP.

⚠️ This scenario might trigger false positives, proper testing is advised ⚠️

YAML Configuration

1type: leaky
2format: 2.0
3#debug: true
4name: crowdsecurity/http-dos-swithcing-ua
5description: "Detect DoS tools switching user-agent too fast"
6#pattern seen in mhddos tool
7filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"]'
8capacity: 10
9distinct: evt.Parsed.http_user_agent
10leakspeed: 8s
11groupby: "evt.Meta.source_ip"
12blackhole: 2m
13labels:
14  service: http
15  remediation: true
16  confidence: 2
17  spoofable: 0
18  classification:
19    - attack.T1498
20  behavior: "http:dos"
21  label: "HTTP DOS with varying UA"

Hub configuration

« http-dos-switching-ua »v0.5 by crowdsecurityAttack scenarioremediation:trueservice:httpspoofable:0MITRE:T1498confidence:2

« http-dos-switching-ua »
v0.5 by crowdsecurity
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1498confidence:2