1# for max (1) priority : kill on sight
2type: trigger
3name: crowdsecurity/suricata-major-severity
4description: "Detect exploit attempts via emerging threat rules"
5filter: "evt.Meta.log_type == 'suricata_alert' && evt.Parsed.proto == 'TCP' && evt.Meta.suricata_rule_severity == '1'"
6groupby: evt.Meta.source_ip
7blackhole: 1m
8reprocess: true
9labels:
10  service: suricata
11  remediation: true
12  confidence: 1
13  spoofable: 3
14  classification:
15    - attack.T1190
16    - attack.T1595
17  behavior: "generic:exploit"
18  label: "Suricata Severity 1 Event"
19
20---
21# for lower (2) priority : wait for >=3 different signatures being triggered
22# we intentionally avoid scenarios on priority 3 and such that are too sensitive to false positives
23type: leaky
24capacity: 2
25leakspeed: 20s
26distinct: evt.Meta.suricata_alert_signature_id
27name: crowdsecurity/suricata-high-medium-severity
28description: "Detect exploit attempts via emerging threat rules"
29filter: "evt.Meta.log_type == 'suricata_alert' && evt.Parsed.proto == 'TCP' && evt.Meta.suricata_rule_severity == '2'"
30groupby: evt.Meta.source_ip
31blackhole: 1m
32reprocess: true
33labels:
34  service: suricata
35  confidence: 1
36  spoofable: 3
37  classification:
38    - attack.T1190
39    - attack.T1595
40  behavior: "generic:exploit"
41  label: "Suricata Severity 2 Event"
42