Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

L7 DoS tools detection #848

Merged
merged 26 commits into from
Oct 10, 2023
Merged

L7 DoS tools detection #848

merged 26 commits into from
Oct 10, 2023

Conversation

buixor
Copy link
Contributor

@buixor buixor commented Oct 10, 2023
edited
Loading

Add a collection and associated scenarios to detect some well-known basic HTTP Dos tools seen recently. You know what I mean.

@github-actions
Copy link

Hello @buixor and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information.
I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following scenarios have errors:

crowdsecurity/http-dos-swithcing-ua:

  • attack not found in labels.classification
  • spoofable key not found in labels
  • confidence key not found in labels
  • Unknown behaviors: :scan

Mitre ATT&CK

Information about mitre attack can be found here.
As an example, some common mitre attack techniques:

  • T1110 for bruteforce attacks
  • T1595 and T1190 for exploitation of public vulnerabilities
  • T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.

@github-actions
Copy link

Hello @buixor and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information.
I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following scenarios have errors:

crowdsecurity/http-dos-invalid-http-versions:

  • attack not found in labels.classification
  • spoofable key not found in labels
  • confidence key not found in labels
  • Unknown behaviors: :scan

Mitre ATT&CK

Information about mitre attack can be found here.
As an example, some common mitre attack techniques:

  • T1110 for bruteforce attacks
  • T1595 and T1190 for exploitation of public vulnerabilities
  • T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.

@github-actions
Copy link

Hello @buixor and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information.
I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following scenarios have errors:

crowdsecurity/http-dos-bypass-cache:

  • Unknown behaviors: http:dos

crowdsecurity/http-dos-invalid-http-versions:

  • Unknown behaviors: http:dos

crowdsecurity/http-dos-swithcing-ua:

  • Unknown behaviors: http:dos

Mitre ATT&CK

Information about mitre attack can be found here.
As an example, some common mitre attack techniques:

  • T1110 for bruteforce attacks
  • T1595 and T1190 for exploitation of public vulnerabilities
  • T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.

@github-actions
Copy link

Hello @buixor,

Scenarios are compliant with the taxonomy, thank you for your contribution!

@github-actions
Copy link

Hello @buixor,

Scenarios are compliant with the taxonomy, thank you for your contribution!

LaurenceJJones
LaurenceJJones approved these changes Oct 10, 2023
View reviewed changes
Copy link
Contributor

@LaurenceJJones LaurenceJJones left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@github-actions
Copy link

Hello @buixor,

Scenarios are compliant with the taxonomy, thank you for your contribution!

@github-actions
Copy link

Hello @buixor,

Scenarios are compliant with the taxonomy, thank you for your contribution!

@buixor buixor merged commit 94d12e5 into master Oct 10, 2023
@buixor buixor deleted the dos_l7_tools branch October 10, 2023 14:55
@LaurenceJJones LaurenceJJones mentioned this pull request Oct 28, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@LaurenceJJones LaurenceJJones LaurenceJJones approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@buixor @LaurenceJJones @AlteredCoder @actions-user