odoo-bf_user-enum Scenario

« odoo-bf_user-enum »
v0.2 by crowdsecurity
Attack scenarioremediation:trueservice:odoospoofable:0MITRE:T1110confidence:3

Detect bruteforce on odoo web interface

Installation

cscli scenarios install crowdsecurity/odoo-bf_user-enum

Description

Detect failed odoo authentications and user enum:

leakspeed of 10s, capacity of 5 from same IP
leakspeed of 10s, capacity of 5 on same target user

YAML Configuration

1# Odoo web auth bruteforce
2type: leaky
3#debug: true
4name: crowdsecurity/odoo-bf
5description: "Detect bruteforce on odoo web interface"
6filter: evt.Meta.log_type == 'odoo_failed_auth'
7leakspeed: "10s"
8capacity: 5
9groupby: evt.Meta.source_ip
10blackhole: 5m
11labels:
12  remediation: true
13  confidence: 3
14  spoofable: 0
15  classification:
16    - attack.T1110
17  behavior: "http:bruteforce"
18  label: "Odoo Bruteforce"
19  service: odoo
20---
21# Odoo web auth user_enum
22type: leaky
23name: crowdsecurity/odoo_user-enum
24description: "Detect odoo user enum"
25filter: evt.Meta.log_type == 'odoo_failed_auth'
26groupby: evt.Meta.source_ip
27distinct: evt.Meta.user
28leakspeed: 10s
29capacity: 5
30blackhole: 1m
31labels:
32  remediation: true
33  confidence: 3
34  spoofable: 0
35  classification:
36    - attack.T1110
37  behavior: "http:bruteforce"
38  label: "Odoo Bruteforce"
39  service: odoo
40

Hub configuration

« odoo-bf_user-enum »v0.2 by crowdsecurityAttack scenarioremediation:trueservice:odoospoofable:0MITRE:T1110confidence:3

« odoo-bf_user-enum »
v0.2 by crowdsecurity
Attack scenarioremediation:trueservice:odoospoofable:0MITRE:T1110confidence:3