http-dos-random-uri Scenario

« http-dos-random-uri »
v0.4 by crowdsecurity
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1498confidence:2

Detect DoS tools using random uri

Installation

cscli scenarios install crowdsecurity/http-dos-random-uri

Description

This scenario detects DoS tools that issue a high number of requests, while varying the suffix URL to evade static rules.

Directly inspired by some specific DoS tools TTP.

⚠️ This scenario might trigger false positives, proper testing is advised ⚠️

YAML Configuration

1type: leaky
2format: 2.0
3#debug: true
4name: crowdsecurity/http-dos-random-uri
5description: "Detect DoS tools using random uri"
6#pattern seen in loic tool
7filter: |
8  evt.Meta.log_type == "http_access-log" &&
9  evt.Meta.http_verb == 'GET' &&
10  evt.Parsed.static_ressource == 'false' &&
11  Upper(evt.Parsed.file_frag) == evt.Parsed.file_frag &&
12  len(evt.Parsed.file_frag) == 6 &&
13  int(evt.Meta.http_args_len) == 0
14capacity: 30
15leakspeed: 1s
16groupby: "evt.Meta.source_ip"
17blackhole: 2m
18labels:
19  confidence: 2
20  spoofable: 0
21  classification:
22    - attack.T1498
23  behavior: "http:dos"
24  label: "HTTP DOS via random URI"
25  service: http
26  remediation: true
27

Hub configuration

« http-dos-random-uri »v0.4 by crowdsecurityAttack scenarioremediation:trueservice:httpspoofable:0MITRE:T1498confidence:2

« http-dos-random-uri »
v0.4 by crowdsecurity
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1498confidence:2