ssh-cve-2024-6387 Scenario

« ssh-cve-2024-6387 »
v0.2 by crowdsecurity
Attack scenarioremediation:trueservice:sshspoofable:0MITRE:T1190confidence:3

Detect exploitation attempt of CVE-2024-6387

Installation

cscli scenarios install crowdsecurity/ssh-cve-2024-6387

Description

Detect exploitation attempts of CVE-2024-6387

YAML Configuration

1# ssh bruteforce
2type: leaky
3name: crowdsecurity/ssh-cve-2024-6387
4description: "Detect exploitation attempt of CVE-2024-6387"
5filter: "evt.Meta.log_type in ['ssh_auth_timeout', 'ssh_dispatch_fatal']"
6leakspeed: "180s"
7capacity: 3
8groupby: evt.Meta.source_ip
9blackhole: 1m
10reprocess: true
11labels:
12  service: ssh
13  confidence: 3
14  spoofable: 0
15  classification:
16    - attack.T1190
17    - cve.CVE-2024-6387
18  label: "SSH CVE-2024-6387"
19  behavior: "ssh:exploit"
20  remediation: true
21

Hub configuration

« ssh-cve-2024-6387 »v0.2 by crowdsecurityAttack scenarioremediation:trueservice:sshCVE-2024-6387spoofable:0MITRE:T1190confidence:3

« ssh-cve-2024-6387 »
v0.2 by crowdsecurity
Attack scenarioremediation:trueservice:sshspoofable:0MITRE:T1190confidence:3