cscli scenarios install crowdsecurity/http-generic-bf
Alert when a single IP tries to brute-force HTTP basic auth.
Leakspeed of 10s, capacity of 5.
# 404 scan
type: leaky
#debug: true
name: crowdsecurity/http-generic-bf
description: "Detect generic http brute force"
filter: "evt.Meta.service == 'http' && evt.Meta.sub_type == 'auth_fail'"
groupby: evt.Meta.source_ip
capacity: 5
leakspeed: "10s"
blackhole: 1m
labels:
  confidence: 3
  spoofable: 0
  classification:
    - attack.T1110
  behavior: "http:bruteforce"
  label: "HTTP Bruteforce"
  service: http
  remediation: true
---
# Generic 401 Authorization Errors
type: leaky
#debug: true
name: LePresidente/http-generic-401-bf
description: "Detect generic 401 Authorization error brute force"
filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.verb == 'POST' && evt.Meta.http_status == '401'"
groupby: evt.Meta.source_ip
capacity: 5
leakspeed: "10s"
blackhole: 1m
labels:
  confidence: 3
  spoofable: 0
  classification:
    - attack.T1110
  behavior: "http:bruteforce"
  label: "HTTP Bruteforce"
  service: http
  remediation: true
---
# Generic 403 Forbidden (Authorization) Errors
type: leaky
#debug: true
name: LePresidente/http-generic-403-bf
description: "Detect generic 403 Forbidden (Authorization) error brute force"
filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.verb == 'POST' && evt.Meta.http_status == '403'"
groupby: evt.Meta.source_ip
capacity: 5
leakspeed: "10s"
blackhole: 1m
labels:
  confidence: 3
  spoofable: 0
  classification:
    - attack.T1110
  behavior: "http:bruteforce"
  label: "HTTP Bruteforce"
  service: http
  remediation: true
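To make the capacity/leakspeed/blackhole settings of the first scenario concrete, here is an added example (not code from the CrowdSec hub page or the crowdsecurity/http-generic-bf scenario itself) that replays constructed auth_fail events through a simplified leaky bucket. The bucket semantics, the event dict layout and the sample IPs are assumptions made for this illustration, an approximation of CrowdSec's engine rather than its implementation.

```python
# Added example, not code from the CrowdSec hub page or the crowdsecurity/http-generic-bf
# scenario: a simplified leaky-bucket simulation (an approximation of CrowdSec's engine,
# not its implementation) showing how the first scenario above behaves on constructed events.
from dataclasses import dataclass

CAPACITY = 5        # capacity: 5
LEAKSPEED = 10.0    # leakspeed: "10s"  -> one event drains every 10 s
BLACKHOLE = 60.0    # blackhole: 1m     -> ignore the key for 60 s after an overflow


def matches_filter(evt: dict) -> bool:
    """filter: evt.Meta.service == 'http' && evt.Meta.sub_type == 'auth_fail'"""
    meta = evt.get("Meta", {})
    return meta.get("service") == "http" and meta.get("sub_type") == "auth_fail"


@dataclass
class Bucket:
    level: float = 0.0            # current fill, in events
    last: float = 0.0             # time of the last update
    blackhole_until: float = -1.0


def run_scenario(events: list[dict]) -> list[tuple[str, float]]:
    """Feed time-sorted events through the scenario; return (source_ip, time) per overflow."""
    buckets: dict[str, Bucket] = {}
    alerts: list[tuple[str, float]] = []
    for evt in events:
        if not matches_filter(evt):
            continue
        key, t = evt["Meta"]["source_ip"], evt["time"]   # groupby: evt.Meta.source_ip
        b = buckets.setdefault(key, Bucket(last=t))
        if t < b.blackhole_until:        # recently overflowed: drop silently
            continue
        b.level = max(0.0, b.level - (t - b.last) / LEAKSPEED)  # leak since last event
        b.last = t
        b.level += 1                     # pour the new event in
        if b.level > CAPACITY:           # the 6th undrained event overflows the bucket
            alerts.append((key, t))
            buckets[key] = Bucket(last=t, blackhole_until=t + BLACKHOLE)
    return alerts


# Constructed sample (hypothetical IPs): 10.0.0.9 fails 6 times in 2.5 s, 10.0.0.7 fails once a
# minute, plus one non-matching event; only the first source overflows, and only once.
def sample_events() -> list[dict]:
    ev = lambda t, ip, sub: {"time": t, "Meta": {"service": "http", "sub_type": sub, "source_ip": ip}}
    events = [ev(0.5 * i, "10.0.0.9", "auth_fail") for i in range(6)]
    events += [ev(60.0 * i, "10.0.0.7", "auth_fail") for i in range(10)]
    events += [ev(1.0, "10.0.0.9", "ok")]
    return sorted(events, key=lambda e: e["time"])   # run_scenario(...) -> [('10.0.0.9', 2.5)]
```

The slow source never overflows because each event has fully leaked before the next arrives, while a burst that keeps going after the overflow produces no second alert until the blackhole expires.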