ssh-slow-bf Configuration

« ssh-slow-bf »
v0.4 by crowdsecurity
Attack scenarioremediation:trueservice:sshspoofable:0MITRE:T1110confidence:3

Detect slow ssh bruteforce

Installation

cscli scenarios install crowdsecurity/ssh-slow-bf

Description

Detect slow ssh bruteforce authentications :

leakspeed of 60s, capacity of 10 on same target user
leakspeed of 60s, capacity of 10 unique distinct users

YAML Configuration

1# ssh bruteforce
2type: leaky
3name: crowdsecurity/ssh-slow-bf
4description: "Detect slow ssh bruteforce"
5filter: "evt.Meta.log_type == 'ssh_failed-auth'"
6leakspeed: "60s"
7references:
8  - http://wikipedia.com/ssh-bf-is-bad
9capacity: 10
10groupby: evt.Meta.source_ip
11blackhole: 1m
12reprocess: true
13labels:
14  service: ssh
15  remediation: true
16  confidence: 3
17  spoofable: 0
18  classification:
19    - attack.T1110
20  behavior: "ssh:bruteforce"
21  label: "SSH Slow Bruteforce"
22---
23# ssh user-enum
24type: leaky
25name: crowdsecurity/ssh-slow-bf_user-enum
26description: "Detect slow ssh user enum bruteforce"
27filter: evt.Meta.log_type == 'ssh_failed-auth'
28groupby: evt.Meta.source_ip
29distinct: evt.Meta.target_user
30leakspeed: 60s
31capacity: 10
32blackhole: 1m
33labels:
34  service: ssh
35  remediation: true
36  confidence: 3
37  spoofable: 0
38  classification:
39    - attack.T1110
40  behavior: "ssh:bruteforce"
41  label: "SSH Slow User Enumeration"
42

Hub configuration

« ssh-slow-bf »v0.4 by crowdsecurityAttack scenarioremediation:trueservice:sshspoofable:0MITRE:T1110confidence:3

« ssh-slow-bf »
v0.4 by crowdsecurity
Attack scenarioremediation:trueservice:sshspoofable:0MITRE:T1110confidence:3