Dryusdan customs config

2024-04-23 18:30:18 +02:00 · 2024-04-23 18:30:18 +02:00 · 443ba7e23a
parent e29c673034
commit 443ba7e23a
2 changed files with 30 additions and 0 deletions
--- a/files/customs/scenarios/dryusdan-ssh-bf.yml
+++ b/files/customs/scenarios/dryusdan-ssh-bf.yml
@ -0,0 +1,18 @@
+---
+type: trigger
+name: Dryusdan/ssh-bf
+description: "Detect ssh bruteforce"
+filter: "evt.Meta.log_type == 'ssh_failed-auth'"
+references:
+  - http://wikipedia.com/ssh-bf-is-bad
+groupby: evt.Meta.source_ip
+reprocess: true
+labels:
+  service: ssh
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1110
+  label: "SSH Bruteforce"
+  behavior: "ssh:bruteforce"
+  remediation: true
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@ -111,3 +111,15 @@
  tags:
    - configure

+- name: "Add Dryusdan's configuration"
+  copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: root
+    mode: '0640'
+  loop:
+    - { 'src': 'customs/scnearios/dryusdan-ssh-bf.yml', 'dest':'/etc/crowdsec/scenarios/dryusdan-ssh-bf.yaml' }
+  notify: crowdsec-reload
+  tags:
+    - configure