nginx-req-limit-exceeded Scenario

« nginx-req-limit-exceeded »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:httpspoofable:2MITRE:T1498confidence:2

Detects IPs which violate nginx's user set request limit.

Installation

cscli scenarios install crowdsecurity/nginx-req-limit-exceeded

Description

Detects IPs which violate nginx's user set request limit.

IP is banned if it violates nginx's user set request limit more than 5 times in a minute.

YAML Configuration

1type: leaky
2#debug: true
3name: crowdsecurity/nginx-req-limit-exceeded
4description: "Detects IPs which violate nginx's user set request limit."
5filter: evt.Meta.sub_type == 'req_limit_exceeded'
6leakspeed: "60s"
7capacity: 5
8groupby: evt.Meta.source_ip
9blackhole: 5m
10labels:
11  remediation: true
12  confidence: 2
13  spoofable: 2
14  classification:
15    - attack.T1498
16  behavior: "http:dos"
17  label: "Nginx request limit exceeded"
18  service: http
19

Hub configuration

« nginx-req-limit-exceeded »v0.3 by crowdsecurityAttack scenarioremediation:trueservice:httpspoofable:2MITRE:T1498confidence:2

« nginx-req-limit-exceeded »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:httpspoofable:2MITRE:T1498confidence:2