42 lines
897 B
YAML
42 lines
897 B
YAML
# ssh bruteforce
|
|
type: leaky
|
|
name: crowdsecurity/ssh-slow-bf
|
|
description: "Detect slow ssh bruteforce"
|
|
filter: "evt.Meta.log_type == 'ssh_failed-auth'"
|
|
leakspeed: "60s"
|
|
references:
|
|
- http://wikipedia.com/ssh-bf-is-bad
|
|
capacity: 10
|
|
groupby: evt.Meta.source_ip
|
|
blackhole: 1m
|
|
reprocess: true
|
|
labels:
|
|
service: ssh
|
|
remediation: true
|
|
confidence: 3
|
|
spoofable: 0
|
|
classification:
|
|
- attack.T1110
|
|
behavior: "ssh:bruteforce"
|
|
label: "SSH Bruteforce"
|
|
---
|
|
# ssh user-enum
|
|
type: leaky
|
|
name: crowdsecurity/ssh-slow-bf_user-enum
|
|
description: "Detect slow ssh user enum bruteforce"
|
|
filter: evt.Meta.log_type == 'ssh_failed-auth'
|
|
groupby: evt.Meta.source_ip
|
|
distinct: evt.Meta.target_user
|
|
leakspeed: 60s
|
|
capacity: 10
|
|
blackhole: 1m
|
|
labels:
|
|
service: ssh
|
|
remediation: true
|
|
confidence: 3
|
|
spoofable: 0
|
|
classification:
|
|
- attack.T1110
|
|
behavior: "ssh:bruteforce"
|
|
label: "SSH Bruteforce"
|