amavis-blocked Scenario

« amavis-blocked »
v0.1 by crowdsecurity
Attack scenarioremediation:trueservice:amavisspoofable:0MITRE:T1203MITRE:T1204confidence:3

Ban IPs that are blocked by amavis

Installation

cscli scenarios install crowdsecurity/amavis-blocked

Description

This amavis scenario bans an IP as soon as it is detected sending messages that have been blocked by amavis.

YAML Configuration

1type: trigger
2name: crowdsecurity/amavis-blocked
3description: "Ban IPs that are blocked by amavis"
4filter: evt.Meta.log_type == 'amavis' && evt.Parsed.amavis_action == 'Blocked' && evt.Parsed.amavis_category == 'INFECTED'
5groupby: evt.Meta.source_ip
6blackhole: 5m
7labels:
8  service: amavis
9  confidence: 3
10  spoofable: 0
11  classification:
12    - attack.T1203
13    - attack.T1204
14  behavior: "mail:malware"
15  label: "Infected Email"
16  remediation: true
17

Hub configuration

« amavis-blocked »v0.1 by crowdsecurityAttack scenarioremediation:trueservice:amavisspoofable:0MITRE:T1203MITRE:T1204confidence:3

« amavis-blocked »
v0.1 by crowdsecurity
Attack scenarioremediation:trueservice:amavisspoofable:0MITRE:T1203MITRE:T1204confidence:3