stirling-pdf-bf Configuration

« stirling-pdf-bf »
v0.1 by crowdsecurity
Attack scenarioremediation:trueservice:stirling-pdfspoofable:0MITRE:T1110confidence:3

Detect stirling pdf bruteforce

Installation

cscli scenarios install crowdsecurity/stirling-pdf-bf

Description

Detects authentication bruteforce on stirling-pdf login panel with a capacity of 3 and a leakspeed of 10 seconds per event

YAML Configuration

1# stirling pdf bruteforce
2type: leaky
3name: crowdsecurity/stirling-pdf-bf
4description: "Detect stirling pdf bruteforce"
5filter: "evt.Meta.service == 'stirling-pdf' && evt.Meta.log_type == 'failed_authentication'"
6leakspeed: "10s"
7capacity: 3
8groupby: evt.Meta.source_ip
9blackhole: 1m
10labels:
11  service: stirling-pdf
12  confidence: 3
13  spoofable: 0
14  classification:
15    - attack.T1110
16  label: "Stirling PDF Bruteforce"
17  behavior: "generic:bruteforce"
18  remediation: true
19

Hub configuration

« stirling-pdf-bf »v0.1 by crowdsecurityAttack scenarioremediation:trueservice:stirling-pdfspoofable:0MITRE:T1110confidence:3

« stirling-pdf-bf »
v0.1 by crowdsecurity
Attack scenarioremediation:trueservice:stirling-pdfspoofable:0MITRE:T1110confidence:3