Dryusdan customs config
parent
e29c673034
commit
443ba7e23a
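--- a/files/customs/scenarios/dryusdan-ssh-bf.yml
+++ b/files/customs/scenarios/dryusdan-ssh-bf.yml
@@ -0,0 +1,18 @@
+---
+type: trigger
+name: Dryusdan/ssh-bf
+description: "Detect ssh bruteforce"
+filter: "evt.Meta.log_type == 'ssh_failed-auth'"
+references:
+  - http://wikipedia.com/ssh-bf-is-bad
+groupby: evt.Meta.source_ip
+reprocess: true
+labels:
+  service: ssh
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1110
+  label: "SSH Bruteforce"
+  behavior: "ssh:bruteforce"
+  remediation: true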
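Review bot: With `type: trigger` and `remediation: true`, this scenario produces a ban decision on the first `ssh_failed-auth` event seen per `evt.Meta.source_ip`, so a single mistyped password from a legitimate host is enough to get it blocked; if that aggressiveness is intended, state it in `description` (e.g. `description: "Ban on first failed ssh auth (no threshold)"`), otherwise a `type: leaky` bucket with `capacity` and `leakspeed` would require repeated failures before alerting. The `references` entry `http://wikipedia.com/ssh-bf-is-bad` looks like a placeholder carried over from an example scenario and should point at real documentation for this detection or be removed. The Ansible task that installs this file is reviewed separately at the second hunk.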
@ -111,3 +111,15 @@
|
|||
tags:
|
||||
- configure
|
||||
|
||||
- name: "Add Dryusdan's configuration"
|
||||
copy:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0640'
|
||||
loop:
|
||||
- { 'src': 'customs/scnearios/dryusdan-ssh-bf.yml', 'dest':'/etc/crowdsec/scenarios/dryusdan-ssh-bf.yaml' }
|
||||
notify: crowdsec-reload
|
||||
tags:
|
||||
- configure
|
||||
|
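Review bot: The loop item's `src` path `customs/scnearios/dryusdan-ssh-bf.yml` misspells the directory, while the file added in this commit lives at `files/customs/scenarios/dryusdan-ssh-bf.yml`, so the `copy` task will fail at runtime with a missing-source error; change it to `src: 'customs/scenarios/dryusdan-ssh-bf.yml'`. The item is also written as a flow mapping with quoted keys and no space after `'dest':`, and its `.yml` source is installed under a `.yaml` destination name; a block-style item (`- src: 'customs/scenarios/dryusdan-ssh-bf.yml'` / `dest: '/etc/crowdsec/scenarios/dryusdan-ssh-bf.yaml'`) reads consistently with the surrounding tasks and makes the extension difference visible. The enclosing task list continues outside the hunk; the first three lines are context from the preceding task.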
|