ssh-bf Configuration

« ssh-bf »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:sshspoofable:0MITRE:T1110confidence:3

Detect ssh bruteforce

Installation

cscli scenarios install crowdsecurity/ssh-bf

Description

Detect failed ssh authentications :

leakspeed of 10s, capacity of 5 on same target user
leakspeed of 10s, capacity of 5 unique distinct users

YAML Configuration

1# ssh bruteforce
2type: leaky
3name: crowdsecurity/ssh-bf
4description: "Detect ssh bruteforce"
5filter: "evt.Meta.log_type == 'ssh_failed-auth'"
6leakspeed: "10s"
7references:
8  - http://wikipedia.com/ssh-bf-is-bad
9capacity: 5
10groupby: evt.Meta.source_ip
11blackhole: 1m
12reprocess: true
13labels:
14  service: ssh
15  confidence: 3
16  spoofable: 0
17  classification:
18    - attack.T1110
19  label: "SSH Bruteforce"
20  behavior: "ssh:bruteforce"
21  remediation: true
22---
23# ssh user-enum
24type: leaky
25name: crowdsecurity/ssh-bf_user-enum
26description: "Detect ssh user enum bruteforce"
27filter: evt.Meta.log_type == 'ssh_failed-auth'
28groupby: evt.Meta.source_ip
29distinct: evt.Meta.target_user
30leakspeed: 10s
31capacity: 5
32blackhole: 1m
33labels:
34  service: ssh
35  remediation: true
36  confidence: 3
37  spoofable: 0
38  classification:
39    - attack.T1589
40  behavior: "ssh:bruteforce"
41  label: "SSH User Enumeration"
42

Hub configuration

« ssh-bf »v0.3 by crowdsecurityAttack scenarioremediation:trueservice:sshspoofable:0MITRE:T1110confidence:3

« ssh-bf »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:sshspoofable:0MITRE:T1110confidence:3