charon-ipsec-slow-bf Configuration

« charon-ipsec-slow-bf »
v0.1 by darkclip
Attack scenarioremediation:trueservice:charon_ipsecspoofable:0MITRE:T1110confidence:3

Detect Charon IPsec slow bruteforce

Installation

cscli scenarios install darkclip/charon-ipsec-slow-bf

Description

Detects slow bruteforce authentications for Charon IPsec server.

leakspeed of 60s, capacity of 10 on same source

YAML Configuration

1name: darkclip/charon-ipsec-bf
2#debug: true
3description: "Detect Charon IPsec slow bruteforce"
4filter: "evt.Meta.log_type == 'charon_ipsec_auth_fail'"
5type: leaky
6groupby: evt.Meta.source_ip
7leakspeed: "60s"
8capacity: 10
9blackhole: 1m
10labels:
11  service: charon_ipsec
12  behavior: "generic:bruteforce"
13  classification:
14    - attack.T1110
15  spoofable: 0
16  confidence: 3
17  label: "Charon IPsec Slow Bruteforce"
18  remediation: true
19

Hub configuration

« charon-ipsec-slow-bf »v0.1 by darkclipAttack scenarioremediation:trueservice:charon_ipsecspoofable:0MITRE:T1110confidence:3

« charon-ipsec-slow-bf »
v0.1 by darkclip
Attack scenarioremediation:trueservice:charon_ipsecspoofable:0MITRE:T1110confidence:3