http-dos-bypass-cache Scenario

« http-dos-bypass-cache »
v0.5 by crowdsecurity
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1498confidence:2

Detect DoS tools bypassing cache every request

Installation

cscli scenarios install crowdsecurity/http-dos-bypass-cache

Description

This scenario detects DoS tools that issue a high number of requests, while attempting to bypass cache rules by appending random numeric suffix.

Directly inspired by some specific DoS tools TTP.

⚠️ This scenario might trigger false positives, proper testing is advised ⚠️

YAML Configuration

1type: leaky
2name: crowdsecurity/http-dos-bypass-cache
3description: "Detect DoS tools bypassing cache every request"
4#as seen in cc-attack tool
5filter: "evt.Meta.log_type == 'http_access-log' && evt.Meta.http_args_len != '' && int(evt.Meta.http_args_len) >= 7 && int(evt.Meta.http_args_len) <= 12 && evt.Parsed.http_args matches '^[0-9]+$' && evt.Parsed.static_ressource == 'false'"
6distinct: "evt.Parsed.http_args"
7leakspeed: 1s
8capacity: 30
9#debug: true
10cache_size: 10
11groupby: "evt.Meta.source_ip"
12blackhole: 1m
13labels:
14  service: http
15  remediation: true
16  confidence: 2
17  spoofable: 0
18  classification:
19    - attack.T1498
20  behavior: "http:dos"
21  label: "HTTP DOS with cache bypass"
22

Hub configuration

« http-dos-bypass-cache »v0.5 by crowdsecurityAttack scenarioremediation:trueservice:httpspoofable:0MITRE:T1498confidence:2

« http-dos-bypass-cache »
v0.5 by crowdsecurity
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1498confidence:2