zimbra-bf Scenario

« zimbra-bf »
v0.2 by firewallservices
Attack scenarioremediation:trueservice:zimbraspoofable:0MITRE:T1110confidence:3

Detect Zimbra bruteforce

Installation

cscli scenarios install firewallservices/zimbra-bf

Description

Detect various authentication failures on Zimbra

On the web login page
On the SMTP server (SMTPS and SUBMISSION)
On the IMAP server

This scenario uses two leaky buckets:

leakspeed of 30s, capacity of 5 (per client IP)
leakspeed of 2m, capacity of 5, on uniq target user (per client IP)

YAML Configuration

1# Zimbra brutforce
2type: leaky
3#debug: true
4name: firewallservices/zimbra-bf
5description: "Detect Zimbra bruteforce"
6filter: evt.Meta.log_type == 'zimbra_auth_fail'
7leakspeed: 30s
8capacity: 5
9groupby: evt.Meta.source_ip
10blackhole: 1m
11reprocess: true
12labels:
13  service: zimbra
14  confidence: 3
15  spoofable: 0
16  classification:
17    - attack.T1110
18  behavior: "pop3/imap:bruteforce"
19  label: "Zimbra Bruteforce"
20  remediation: true
21---
22# Zimbra user enumeration
23type: leaky
24#debug: true
25name: firewallservices/zimbra-user-enum
26description: "Detect Zimbra user enum bruteforce"
27filter: evt.Meta.log_type == 'zimbra_auth_fail'
28groupby: evt.Meta.source_ip
29distinct: evt.Meta.user
30leakspeed: 2m
31capacity: 5
32blackhole: 1m
33labels:
34  service: zimbra
35  confidence: 3
36  spoofable: 0
37  classification:
38    - attack.T1589.002
39    - attack.T1110
40  behavior: "pop3/imap:bruteforce"
41  label: "Zimbra Bruteforce"
42  remediation: true
43

Hub configuration

« zimbra-bf »v0.2 by firewallservicesAttack scenarioremediation:trueservice:zimbraspoofable:0MITRE:T1110confidence:3

« zimbra-bf »
v0.2 by firewallservices
Attack scenarioremediation:trueservice:zimbraspoofable:0MITRE:T1110confidence:3