http-open-proxy Configuration

« http-open-proxy »
v0.5 by crowdsecurity
Attack scenarioremediation:truetype:scan service:httpspoofable:0MITRE:T1595confidence:3

Detect scan for open proxy

Installation

cscli scenarios install crowdsecurity/http-open-proxy

Description

Take a remediation against any IP making a CONNECT HTTP request which returns a 400 status code. This is a trigger bucket, so only one request is enough to trigger the scenario.

YAML Configuration

1type: trigger
2name: crowdsecurity/http-open-proxy
3description: "Detect scan for open proxy"
4#apache returns 405, nginx 400
5filter: "evt.Meta.log_type == 'http_access-log' && evt.Meta.http_status in ['400','405'] && (evt.Parsed.verb == 'CONNECT' || evt.Parsed.request matches '^http[s]?://')"
6blackhole: 2m
7groupby: evt.Meta.source_ip
8labels:
9  service: http
10  type: scan
11  remediation: true
12  classification:
13    - attack.T1595
14  behavior: "http:scan"
15  label: "HTTP Open Proxy Probing"
16  spoofable: 0
17  confidence: 3
18

Hub configuration

« http-open-proxy »v0.5 by crowdsecurityAttack scenarioremediation:truetype:scan service:httpspoofable:0MITRE:T1595confidence:3

« http-open-proxy »
v0.5 by crowdsecurity
Attack scenarioremediation:truetype:scan service:httpspoofable:0MITRE:T1595confidence:3