dovecot-spam Scenario

« dovecot-spam »
v0.6 by crowdsecurity
Attack scenarioremediation:trueservice:dovecotspoofable:0MITRE:T1110confidence:3

Detect Dovecot bruteforce

Installation

cscli scenarios install crowdsecurity/dovecot-spam

Description

Spam detection for dovecot (capacity of 3 and leakspeed of 360s)

allows fail authentication attempt every 6 minutes with a burst of 3

Contribution by https://github.com/LtSich

YAML Configuration

1#contribution by @ltsich
2type: leaky
3name: crowdsecurity/dovecot-spam
4description: "Detect Dovecot bruteforce"
5debug: false
6filter: "evt.Meta.log_type == 'dovecot_logs' && evt.Meta.dovecot_login_result == 'auth_failed'"
7groupby: evt.Meta.source_ip
8capacity: 3
9leakspeed: "360s"
10blackhole: 5m
11labels:
12  confidence: 3
13  spoofable: 0
14  classification:
15    - attack.T1110
16  behavior: "pop3/imap:bruteforce"
17  label: "Dovecot Bruteforce"
18  service: dovecot
19  remediation: true
20

Hub configuration

« dovecot-spam »v0.6 by crowdsecurityAttack scenarioremediation:trueservice:dovecotspoofable:0MITRE:T1110confidence:3

« dovecot-spam »
v0.6 by crowdsecurity
Attack scenarioremediation:trueservice:dovecotspoofable:0MITRE:T1110confidence:3