crowdsec-appsec-outofband Scenario

« crowdsec-appsec-outofband »
v0.7 by crowdsecurity
Attack scenarioremediation:truetype:exploit service:httpspoofable:0MITRE:T1190confidence:1

IP has made more than 5 requests that triggered out-of-band appsec rules

Installation

cscli scenarios install crowdsecurity/crowdsec-appsec-outofband

YAML Configuration

1type: leaky
2filter: evt.Parsed.source == 'crowdsec-appsec' && evt.Appsec.HasOutBandMatches == true && evt.Parsed.outofband_action in ["deny", "drop"]
3name: crowdsecurity/crowdsec-appsec-outofband
4description: IP has made more than 5 requests that triggered out-of-band appsec rules
5blackhole: 2m
6leakspeed: 30s
7capacity: 5
8labels:
9  type: exploit
10  behavior: "http:exploit"
11  remediation: true
12  confidence: 1
13  spoofable: 0
14  classification:
15    - attack.T1190
16  label: "Triggered multiple OutOfBand CrowdSec AppSec rules"
17  service: http
18groupby: "evt.Meta.source_ip"
19#---
20# at least requests blocked on 3 distinct URIs
21#type: leaky
22#filter: evt.Parsed.source == 'crowdsec-appsec' && evt.Appsec.HasOutBandMatches == true && evt.Parsed.outofband_action in ["deny", "drop"]
23#name: crowdsecurity/waf-probing
24#description: "WAF probing"
25#blackhole: 2m
26#leakspeed: 60s
27#capacity: 5
28#groupby: "evt.Meta.source_ip + evt.Parsed.target_uri"
29#labels:
30#  type: exploit
31#  remediation: true
32

Hub configuration

« crowdsec-appsec-outofband »v0.7 by crowdsecurityAttack scenarioremediation:truetype:exploit service:httpspoofable:0MITRE:T1190confidence:1

« crowdsec-appsec-outofband »
v0.7 by crowdsecurity
Attack scenarioremediation:truetype:exploit service:httpspoofable:0MITRE:T1190confidence:1