sabnzbd-bf Scenario

« sabnzbd-bf »
v0.1 by crowdsecurity
Attack scenarioremediation:trueservice:sabnzbdspoofable:0MITRE:T1110confidence:3

Detect sabnzbd bruteforce

Installation

cscli scenarios install crowdsecurity/sabnzbd-bf

Description

Detect failed sabnzbd authentications :

leakspeed of 10s, capacity of 3 for fast bruteforce
leakspeed of 60s, capacity of 10 for slow bruteforce

YAML Configuration

1# sabnzbd bruteforce
2type: leaky
3name: crowdsecurity/sabnzbd-bf
4description: "Detect sabnzbd bruteforce"
5filter: "evt.Meta.service == 'sabnzbd' && evt.Meta.log_type == 'sabnzbd_failed_auth'"
6leakspeed: "10s"
7capacity: 3
8groupby: evt.Meta.source_ip
9blackhole: 1m
10reprocess: true
11labels:
12  service: sabnzbd
13  confidence: 3
14  spoofable: 0
15  classification:
16    - attack.T1110
17  label: "Sabnzbd Bruteforce"
18  behavior: "generic:bruteforce"
19  remediation: true
20---
21# sabnzbd slow bruteforce
22type: leaky
23name: crowdsecurity/sabnzbd-slow-bf
24description: "Detect sabnzbd slow bruteforce"
25filter: "evt.Meta.service == 'sabnzbd' && evt.Meta.log_type == 'sabnzbd_failed_auth'"
26leakspeed: "60s"
27capacity: 10
28groupby: evt.Meta.source_ip
29blackhole: 1m
30reprocess: true
31labels:
32  service: sabnzbd
33  confidence: 3
34  spoofable: 0
35  classification:
36    - attack.T1110
37  label: "Sabnzbd Bruteforce"
38  behavior: "generic:bruteforce"
39  remediation: true

Hub configuration

« sabnzbd-bf »v0.1 by crowdsecurityAttack scenarioremediation:trueservice:sabnzbdspoofable:0MITRE:T1110confidence:3

« sabnzbd-bf »
v0.1 by crowdsecurity
Attack scenarioremediation:trueservice:sabnzbdspoofable:0MITRE:T1110confidence:3