Hub configuration

More info

proftpd-bf Scenario

« proftpd-bf »
v0.2 by crowdsecurity
Attack scenarioremediation:trueservice:proftpdspoofable:0MITRE:T1110confidence:3

Detect proftpd bruteforce

Installation

cscli scenarios install crowdsecurity/proftpd-bf

Description

Detect failed proftpd authentications :

leakspeed of 10s, capacity of 5 on same target user

YAML Configuration

1type: leaky
2name: crowdsecurity/proftpd-bf
3description: "Detect proftpd bruteforce"
4filter: "evt.Meta.log_type == 'ftp_failed_auth'"
5leakspeed: "10s"
6capacity: 5
7groupby: evt.Meta.source_ip
8blackhole: 1m
9reprocess: true
10labels:
11 service: proftpd
12 remediation: true
13 confidence: 3
14 spoofable: 0
15 classification:
16  - attack.T1110
17 behavior: "ftp:bruteforce"
18 label: "Proftpd Bruteforce"
19

Hub configuration

« proftpd-bf »v0.2 by crowdsecurityAttack scenarioremediation:trueservice:proftpdspoofable:0MITRE:T1110confidence:3

« proftpd-bf »
v0.2 by crowdsecurity
Attack scenarioremediation:trueservice:proftpdspoofable:0MITRE:T1110confidence:3