Update scenarios label (crowdsecurity#963)

LePresidente · Feb 9, 2024 · 7da0283 · 7da0283
1 parent d05e7cd
commit 7da0283
Show file tree

Hide file tree

Showing 35 changed files with 407 additions and 220 deletions.
diff --git a/.index.json b/.index.json
diff --git a/scenarios/LePresidente/overseerr-bf.yaml b/scenarios/LePresidente/overseerr-bf.yaml
@@ -15,7 +15,7 @@ labels:
   confidence: 3
   classification:
     - attack.T1110
-  label: "overseerr Bruteforce"
+  label: "Overseerr Bruteforce"
   remediation: true
 ---
 # overseerr user-enum
@@ -36,5 +36,5 @@ labels:
   classification:
     - attack.T1589
     - attack.T1110
-  label: "overseerr User Enumeration"
+  label: "Overseerr User Enumeration"
   remediation: true
diff --git a/scenarios/a1ad/mikrotik-scan-multi_ports.yaml b/scenarios/a1ad/mikrotik-scan-multi_ports.yaml
@@ -1,6 +1,6 @@
 type: leaky
 name: a1ad/mikrotik-scan-multi_ports
-description: "ban IPs that are scanning us"
+description: "Detect port scanning from single ip on MikroTik router"
 filter: "evt.Meta.log_type == 'mikrotik_drop' && evt.Meta.service == 'tcp_udp'"
 groupby: evt.Meta.source_ip
 distinct: evt.Parsed.dst_port
@@ -16,5 +16,5 @@ labels:
     - attack.T1046
   spoofable: 2
   confidence: 1
-  label: "Mikrotik Port Scanning"
+  label: "MikroTik Port Scanning"
   remediation: true
diff --git a/scenarios/aidalinfo/couchdb-crawl.yaml b/scenarios/aidalinfo/couchdb-crawl.yaml
@@ -1,6 +1,6 @@
 type: leaky
 name: aidalinfo/couchdb-crawl
-description: "Detect crawl from single ip"
+description: "Detect aggressive crawl on CouchDB"
 filter: evt.Meta.log_type == 'crawl-couchdb'
 distinct: evt.Meta.path_db
 leakspeed: 0.5s
@@ -14,5 +14,8 @@ labels:
   service: couchdb
   confidence: 1
   spoofable: 0
-  label: "detection of aggressive crawl on couchdb"
+  classification:
+    - attack.T1595
+  behavior: "http:crawl"
+  label: "CouchDB Crawl"
   remediation: true
diff --git a/scenarios/crowdsecurity/CVE-2023-49103.yaml b/scenarios/crowdsecurity/CVE-2023-49103.yaml
@@ -16,5 +16,5 @@ labels:
   spoofable: 1
   confidence: 2
   behavior: "http:exploit"
-  label: "owncloud CVE-2023-49103"
+  label: "ownCloud CVE-2023-49103"
   service: owncloud
diff --git a/scenarios/crowdsecurity/appsec-vpatch.yaml b/scenarios/crowdsecurity/appsec-vpatch.yaml
@@ -1,7 +1,7 @@
 type: leaky
 format: 3.0
 name: crowdsecurity/appsec-vpatch
-description: "Detect appsec attacks"
+description: "Identify attacks flagged by CrowdSec AppSec"
 filter: "evt.Meta.log_type == 'appsec-block'"
 distinct: evt.Meta.rule_name
 leakspeed: "60s"
@@ -14,6 +14,6 @@ labels:
   spoofable: 0
   classification:
     - attack.T1110
-  label: "appsec blocked"
+  label: "Blocked by CrowdSec AppSec"
   behavior: "http:exploit"
   remediation: true
diff --git a/scenarios/crowdsecurity/asterisk_bf.yaml b/scenarios/crowdsecurity/asterisk_bf.yaml
@@ -1,6 +1,6 @@
 type: leaky
 name: crowdsecurity/asterisk_bf
-description: "Detect asterisk user bruteforce"
+description: "Detect Asterisk user bruteforce"
 filter: evt.Meta.log_type == 'asterisk_failed_auth'
 groupby: evt.Meta.source_ip
 leakspeed: 10s
@@ -13,5 +13,5 @@ labels:
   classification:
     - attack.T1110
   behavior: "sip:bruteforce"
-  label: "Asterisk bruteforce"
+  label: "Asterisk Bruteforce"
   remediation: true
diff --git a/scenarios/crowdsecurity/asterisk_user_enum.yaml b/scenarios/crowdsecurity/asterisk_user_enum.yaml
@@ -1,6 +1,6 @@
 type: leaky
 name: crowdsecurity/asterisk_user_enum
-description: "Detect asterisk user enum bruteforce"
+description: "Detect Asterisk user enumeration bruteforce"
 filter: evt.Meta.log_type == 'asterisk_failed_auth'
 groupby: evt.Meta.source_ip
 distinct: evt.Meta.target_user

diff --git a/scenarios/crowdsecurity/cpanel-bf-attempt.yaml b/scenarios/crowdsecurity/cpanel-bf-attempt.yaml
@@ -10,6 +10,6 @@ labels:
   classification:
    - attack.T1110
   behavior: "http:bruteforce"
-  label: "cpanel bruteforce"
+  label: "cPanel Bruteforce"
   service: cpanel
   remediation: true
diff --git a/scenarios/crowdsecurity/cpanel-bf.yaml b/scenarios/crowdsecurity/cpanel-bf.yaml
@@ -12,7 +12,7 @@ labels:
   classification:
    - attack.T1110
   behavior: "http:bruteforce"
-  label: "cpanel bruteforce"
+  label: "cPanel Bruteforce"
   service: cpanel
   remediation: true
 
diff --git a/scenarios/crowdsecurity/crowdsec-appsec-inband.yaml b/scenarios/crowdsecurity/crowdsec-appsec-inband.yaml
@@ -2,7 +2,7 @@ type: leaky
 filter: evt.Parsed.program == 'crowdsec-appsec' && evt.Appsec.HasInBandMatches == true && evt.Parsed.action in ["deny", "drop"]
 #debug: true
 name: crowdsecurity/crowdsec-appsec-inband
-description: IP has triggered multiples In Band CrowdSec appsec rules
+description: IP has triggered multiples InBand CrowdSec appsec rules
 blackhole: 1m
 leakspeed: 30s
 capacity: 1
@@ -14,6 +14,6 @@ labels:
   classification:
    - attack.T1190
   behavior: "http:exploit"
-  label: "Triggered multiple inband CrowdSec appsec rules"
+  label: "Triggered multiple InBand CrowdSec AppSec rules"
   service: http
   remediation: true
diff --git a/scenarios/crowdsecurity/dovecot-spam.yaml b/scenarios/crowdsecurity/dovecot-spam.yaml
@@ -14,6 +14,6 @@ labels:
   classification:
     - attack.T1110
   behavior: "pop3/imap:bruteforce"
-  label: "dovecot bruteforce"
+  label: "Dovecot Bruteforce"
   service: dovecot
   remediation: true
diff --git a/scenarios/crowdsecurity/endlessh-bf.yaml b/scenarios/crowdsecurity/endlessh-bf.yaml
@@ -16,6 +16,6 @@ labels:
   classification:
     - attack.T1110
   behavior: "ssh:bruteforce"
-  label: "endlessh bruteforce"
+  label: "Endlessh Bruteforce"
   service: endlessh
   remediation: true
diff --git a/scenarios/crowdsecurity/exchange-bf.yaml b/scenarios/crowdsecurity/exchange-bf.yaml
@@ -1,6 +1,6 @@
 type: leaky
 name: crowdsecurity/exchange-bf
-description: "Detect exchange bruteforce (SMTP,IMAP,POP3)"
+description: "Detect Exchange bruteforce (SMTP,IMAP,POP3)"
 filter: evt.Meta.service == 'exchange' && evt.Meta.sub_type == 'auth_fail'
 groupby: evt.Meta.source_ip
 leakspeed: 10s
@@ -12,6 +12,6 @@ labels:
   classification:
     - attack.T1110
   behavior: "pop3/imap:bruteforce"
-  label: "exchange bruteforce"
+  label: "Microsoft Exchange Bruteforce"
   remediation: true
   service: exchange
diff --git a/scenarios/crowdsecurity/exim-bf.yaml b/scenarios/crowdsecurity/exim-bf.yaml
@@ -13,7 +13,7 @@ labels:
   classification:
     - attack.T1110
   behavior: "pop3/imap:bruteforce"
-  label: "Exim bruteforce"
+  label: "Exim Bruteforce"
   remediation: true
   service: smtp
 ---
@@ -33,6 +33,6 @@ labels:
   classification:
     - attack.T1110
   behavior: "pop3/imap:bruteforce"
-  label: "Exim bruteforce"
+  label: "Exim Bruteforce"
   remediation: true
   service: smtp
diff --git a/scenarios/crowdsecurity/exim-spam.yaml b/scenarios/crowdsecurity/exim-spam.yaml
@@ -1,6 +1,6 @@
 type: leaky
 name: crowdsecurity/exim-spam
-description: "detect spam on Exim"
+description: "Detect spam on Exim"
 #debug: true
 filter: "evt.Meta.log_type == 'spam-attempt' && evt.Meta.service == 'exim'"
 groupby: evt.Meta.source_ip
@@ -11,6 +11,6 @@ labels:
   confidence: 3
   spoofable: 0
   behavior: "smtp:spam"
-  label: "Exim spam attempt"
+  label: "Exim Spam"
   remediation: true
   service: smtp
diff --git a/scenarios/crowdsecurity/freeswitch-bf.yaml b/scenarios/crowdsecurity/freeswitch-bf.yaml
@@ -14,7 +14,7 @@ labels:
   classification:
     - attack.T1110
   behavior: "generic:bruteforce"
-  label: "freeswitch bruteforce"
+  label: "Freeswitch Bruteforce"
   remediation: true
 
 ---
@@ -33,5 +33,5 @@ labels:
   classification:
     - attack.T1110
   behavior: "generic:bruteforce"
-  label: "freeswitch bruteforce"
+  label: "Freeswitch Bruteforce"
   remediation: true
diff --git a/scenarios/crowdsecurity/freeswitch-user-enumeration.yaml b/scenarios/crowdsecurity/freeswitch-user-enumeration.yaml
@@ -14,7 +14,7 @@ labels:
   classification:
     - attack.T1589
   behavior: "generic:bruteforce"
-  label: "Freeswitch user enumeration"
+  label: "Freeswitch User Enumeration"
   remediation: true
 ---
 type: leaky
@@ -32,5 +32,5 @@ labels:
   classification:
     - attack.T1589
   behavior: "generic:bruteforce"
-  label: "Freeswitch user enumeration"
+  label: "Freeswitch User Enumeration"
   remediation: true
diff --git a/scenarios/crowdsecurity/home-assistant-bf.yaml b/scenarios/crowdsecurity/home-assistant-bf.yaml
@@ -14,6 +14,6 @@ labels:
   classification:
     - attack.T1110
   behavior: "iot:bruteforce"
-  label: "home assistant bruteforce"
+  label: "Home Assistant Bruteforce"
   service: home-assistant
   remediation: true
diff --git a/scenarios/crowdsecurity/http-admin-interface-probing.yaml b/scenarios/crowdsecurity/http-admin-interface-probing.yaml
@@ -1,7 +1,7 @@
 type: leaky
 #debug: true
 name: crowdsecurity/http-admin-interface-probing
-description: "Detect generic http interface probing"
+description: "Detect generic HTTP admin interface probing"
 filter: |
   evt.Meta.service == 'http' and 
   evt.Meta.log_type in ['http_access-log', 'http_error-log'] and 
@@ -22,6 +22,6 @@ labels:
   classification:
     - attack.T1595
   behavior: "http:scan"
-  label: "http admin interface probing"
+  label: "HTTP Admin Interface Probing"
   service: http
   remediation: true
diff --git a/scenarios/crowdsecurity/http-backdoors-attempts.yaml b/scenarios/crowdsecurity/http-backdoors-attempts.yaml
@@ -18,6 +18,6 @@ labels:
   classification:
     - attack.T1595
   behavior: "http:exploit"
-  label: "scanning for backdoors"
+  label: "Scanning for backdoors"
   service: http
   remediation: true
diff --git a/scenarios/crowdsecurity/http-bad-user-agent.yaml b/scenarios/crowdsecurity/http-bad-user-agent.yaml
@@ -2,7 +2,7 @@ type: leaky
 format: 2.0
 #debug: true
 name: crowdsecurity/http-bad-user-agent
-description: "Detect bad user-agents"
+description: "Detect usage of bad User Agent"
 filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] && RegexpInFile(evt.Parsed.http_user_agent, "bad_user_agents.regex.txt")'
 data:
   - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/bad_user_agents.regex.txt
@@ -21,6 +21,6 @@ labels:
   classification:
     - attack.T1595
   behavior: "http:scan"
-  label: "detection of bad user-agents"
+  label: "Bad User Agent"
   service: http
   remediation: true
diff --git a/scenarios/crowdsecurity/http-bf-wordpress_bf.yaml b/scenarios/crowdsecurity/http-bf-wordpress_bf.yaml
@@ -1,6 +1,6 @@
 type: leaky
 name: crowdsecurity/http-bf-wordpress_bf
-description: "detect wordpress bruteforce"
+description: "Detect WordPress bruteforce on admin interface"
 debug: false
 # failed auth on wp-login.php returns 200
 filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.file_name == 'wp-login.php' && evt.Parsed.verb == 'POST' && evt.Meta.http_status == '200'"
@@ -14,6 +14,6 @@ labels:
   classification:
     - attack.T1110
   behavior: "http:bruteforce"
-  label: "WP bruteforce"
+  label: "WordPress Bruteforce"
   service: wordpress
   remediation: true
diff --git a/scenarios/crowdsecurity/http-crawl-non_statics.yaml b/scenarios/crowdsecurity/http-crawl-non_statics.yaml
@@ -1,6 +1,6 @@
 type: leaky
 name: crowdsecurity/http-crawl-non_statics
-description: "Detect aggressive crawl from single ip"
+description: "Detect aggressive crawl on non static resources"
 filter: "evt.Meta.log_type in ['http_access-log', 'http_error-log'] && evt.Parsed.static_ressource == 'false' && evt.Parsed.verb in ['GET', 'HEAD']"
 distinct: "evt.Parsed.file_name"
 leakspeed: 0.5s
@@ -17,5 +17,5 @@ labels:
     - attack.T1595
   behavior: "http:crawl"
   service: http
-  label: "detection of aggressive crawl"
+  label: "Aggressive Crawl"
   remediation: true
diff --git a/scenarios/crowdsecurity/http-dos-bypass-cache.yaml b/scenarios/crowdsecurity/http-dos-bypass-cache.yaml
@@ -18,4 +18,4 @@ labels:
   classification:
     - attack.T1498
   behavior: "http:dos"
-  label: "detection of http dos with cache bypass"
+  label: "HTTP DOS with cache bypass"
diff --git a/scenarios/crowdsecurity/http-dos-invalid-http-versions.yaml b/scenarios/crowdsecurity/http-dos-invalid-http-versions.yaml
@@ -15,4 +15,4 @@ labels:
   classification:
     - attack.T1498
   behavior: "http:dos"
-  label: "detection of http dos with invalid http version"
+  label: "HTTP DOS with invalid HTTP version"
diff --git a/scenarios/crowdsecurity/http-dos-random-uri.yaml b/scenarios/crowdsecurity/http-dos-random-uri.yaml
@@ -21,6 +21,6 @@ labels:
   classification:
     - attack.T1498
   behavior: "http:dos"
-  label: "detection of http dos via random uri"
+  label: "HTTP DOS via random URI"
   service: http
   remediation: true
diff --git a/scenarios/crowdsecurity/http-dos-switching-ua.yaml b/scenarios/crowdsecurity/http-dos-switching-ua.yaml
@@ -18,4 +18,4 @@ labels:
   classification:
     - attack.T1498
   behavior: "http:dos"
-  label: "detection of http dos with varying UA"
+  label: "HTTP DOS with varying UA"
diff --git a/scenarios/crowdsecurity/http-generic-bf.yaml b/scenarios/crowdsecurity/http-generic-bf.yaml
@@ -14,7 +14,7 @@ labels:
   classification:
     - attack.T1110
   behavior: "http:bruteforce"
-  label: "http bruteforce"
+  label: "HTTP Bruteforce"
   service: http
   remediation: true
 ---
@@ -34,7 +34,7 @@ labels:
   classification:
     - attack.T1110
   behavior: "http:bruteforce"
-  label: "http bruteforce"
+  label: "HTTP Bruteforce"
   service: http
   remediation: true
 ---
@@ -54,6 +54,6 @@ labels:
   classification:
     - attack.T1110
   behavior: "http:bruteforce"
-  label: "http bruteforce"
+  label: "HTTP Bruteforce"
   service: http
   remediation: true
diff --git a/scenarios/crowdsecurity/http-magento-bf.yaml b/scenarios/crowdsecurity/http-magento-bf.yaml
@@ -1,7 +1,7 @@
 type: leaky
 name: crowdsecurity/http-magento-bf
 debug: false
-description: "detect Magento bruteforce"
+description: "Detect bruteforce on Magento admin interface"
 filter: "evt.Meta.log_type == 'ADMIN_LOGIN_FAILED'"
 groupby: evt.Meta.source_ip
 capacity: 5
@@ -14,5 +14,5 @@ labels:
   classification:
     - attack.T1110
   behavior: "http:bruteforce"
-  label: "http bruteforce"
+  label: "Magento Bruteforce"
   remediation: true
diff --git a/scenarios/crowdsecurity/http-wordpress_user-enum.yaml b/scenarios/crowdsecurity/http-wordpress_user-enum.yaml
@@ -1,6 +1,6 @@
 type: leaky
 name: crowdsecurity/http-wordpress_user-enum
-description: "detect wordpress probing : authors enumeration"
+description: "Detect WordPress probing: authors enumeration"
 debug: false
 filter: "evt.Meta.log_type == 'http_access-log' && Upper(evt.Parsed.http_args) contains 'AUTHOR='"
 groupby: evt.Meta.source_ip
@@ -15,7 +15,7 @@ labels:
     - attack.T1110
     - attack.T1595
   behavior: "http:scan"
-  label: "Wordpress User Enumeration"
+  label: "WordPress User Enumeration"
   spoofable: 0
   service: wordpress
   confidence: 3