Hub configuration

More info

sonarr-bf Scenario

« sonarr-bf »
v0.2 by schiz0phr3ne
Attack scenarioremediation:trueservice:sonarrspoofable:0MITRE:T1110confidence:3

Detect Sonarr bruteforce

Installation

cscli scenarios install schiz0phr3ne/sonarr-bf

Description

Detect failed Sonarr authentications:

leakspeed of 15s, capacity of 5 on source ip
leakspeed of 30s, capacity of 5 on source ip and unique distinct users

YAML Configuration

1# Sonarr bruteforce
2type: leaky
3name: schiz0phr3ne/sonarr-bf
4description: "Detect Sonarr bruteforce"
5filter: "evt.Meta.log_type in ['sonarr_failed_authentication']"
6leakspeed: "15s"
7capacity: 5
8groupby: evt.Meta.source_ip
9blackhole: 1m
10reprocess: true
11labels:
12  service: sonarr
13  confidence: 3
14  spoofable: 0
15  classification:
16    - attack.T1110
17  behavior: "http:bruteforce"
18  label: "Sonarr Bruteforce"
19  remediation: true
20---
21# Sonarr user enum bruteforce
22type: leaky
23name: schiz0phr3ne/sonarr-bf_user-enum
24description: "Detect Sonarr user enum bruteforce"
25filter: "evt.Meta.log_type in ['sonarr_failed_authentication']"
26leakspeed: "30s"
27capacity: 5
28groupby: evt.Meta.source_ip
29distinct: evt.Meta.username
30blackhole: 1m
31reprocess: true
32labels:
33  service: sonarr
34  confidence: 3
35  spoofable: 0
36  classification:
37    - attack.T1589
38    - attack.T1110
39  behavior: "http:bruteforce"
40  label: "Sonarr User Enumeration"
41  remediation: true
42

Hub configuration

« sonarr-bf »v0.2 by schiz0phr3neAttack scenarioremediation:trueservice:sonarrspoofable:0MITRE:T1110confidence:3

« sonarr-bf »
v0.2 by schiz0phr3ne
Attack scenarioremediation:trueservice:sonarrspoofable:0MITRE:T1110confidence:3