litespeed-admin-bf Scenario

« litespeed-admin-bf »
v0.2 by crowdsecurity
Attack scenarioremediation:trueservice:litespeedspoofable:0MITRE:T1110confidence:3

Detect bruteforce against litespeed admin UI

Installation

cscli scenarios install crowdsecurity/litespeed-admin-bf

Description

Alert when a single IP that try to bruteforce litespeed admin UI.

Leakspeed of 10s, capacity of 5.

YAML Configuration

1type: leaky
2name: crowdsecurity/litespeed-admin-bf
3description: "Detect bruteforce against litespeed admin UI"
4filter: "evt.Meta.service == 'http' && evt.Meta.sub_type == 'litespeed_admin_auth_fail'"
5groupby: evt.Meta.source_ip
6capacity: 5
7leakspeed: "10s"
8blackhole: 1m
9labels:
10  remediation: true
11  classification:
12    - attack.T1110
13  behavior: "http:bruteforce"
14  label: "LiteSpeed Admin Bruteforce"
15  spoofable: 0
16  confidence: 3
17  service: litespeed
18

Hub configuration

« litespeed-admin-bf »v0.2 by crowdsecurityAttack scenarioremediation:trueservice:litespeedspoofable:0MITRE:T1110confidence:3

« litespeed-admin-bf »
v0.2 by crowdsecurity
Attack scenarioremediation:trueservice:litespeedspoofable:0MITRE:T1110confidence:3