wireguard-auth Scenario

« wireguard-auth »
v0.2 by crowdsecurity
Attack scenarioremediation:trueservice:wireguardspoofable:0MITRE:T1110confidence:3

Detects rejected connections attempts and unauthorized packets through wireguard tunnels

Installation

cscli scenarios install crowdsecurity/wireguard-auth

Description

Detects bruteforce attempts against a wireguard server. It will parse the wireguard log file and count the number of failed login attempts per IP address. If the number of failed login attempts exceeds the threshold, the IP address will trigger an alert.

YAML Configuration

1type: leaky
2name: crowdsecurity/wireguard-auth
3description: "Detects rejected connections attempts and unauthorized packets through wireguard tunnels"
4filter: "evt.Meta.log_type == 'wireguard_failed_auth'"
5groupby: evt.Meta.source_ip
6leakspeed: "30s"
7capacity: 3
8blackhole: 1m
9labels:
10  remediation: true
11  service: wireguard
12  confidence: 3
13  spoofable: 0
14  classification:
15    - attack.T1110
16  label: "Wireguard Bruteforce"
17  behavior: "generic:bruteforce"
18

Hub configuration

« wireguard-auth »v0.2 by crowdsecurityAttack scenarioremediation:trueservice:wireguardspoofable:0MITRE:T1110confidence:3

« wireguard-auth »
v0.2 by crowdsecurity
Attack scenarioremediation:trueservice:wireguardspoofable:0MITRE:T1110confidence:3