- Add secubox-app-crowdsec-custom package with:
  - HTTP auth bruteforce detection
  - Path scanning detection
  - LuCI/uhttpd auth monitoring
  - Trusted IP whitelist for private networks
- Fix Lyrion Docker image path to ghcr.io/lms-community/lyrionmusicserver:stable

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
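# CrowdSec scenario for SecuBox HTTP authentication bruteforce
# Detects repeated 401/403 errors indicating auth failures
#
# The status check is grouped with the path checks on purpose: in expr,
# `&&` binds tighter than `||`, so without the parentheses the filter would
# read `(status in [401,403] && request contains '/cgi-bin/luci') ||
# request contains '/secubox/' || request contains '/ubus'`, and every
# request to /secubox/ or /ubus (including successful 200s from a logged-in
# admin) would fill the bucket and ban the user after 5 hits in 30s.
#
# NOTE(review): assumes the uhttpd/LuCI log parser populates
# evt.Meta.http_status (as a string) and evt.Parsed.request — confirm
# against the parser shipped with this package.
type: leaky
name: secubox/http-auth-bruteforce
description: "Detect HTTP authentication bruteforce on SecuBox web interface"
filter: |
  evt.Meta.http_status in ['401', '403'] &&
  (evt.Parsed.request contains '/cgi-bin/luci' ||
   evt.Parsed.request contains '/secubox/' ||
   evt.Parsed.request contains '/ubus')
# One bucket per client address; the bucket overflows (alert) once more than
# `capacity` matching events arrive faster than they leak out at `leakspeed`.
groupby: evt.Meta.source_ip
capacity: 5
leakspeed: 30s
# After an overflow, ignore further overflows from this bucket for 5 minutes
# so a single attacker does not generate an alert per failed attempt.
blackhole: 5m
labels:
  service: secubox
  type: http_bruteforce
  # remediation: true lets bouncers act on the decision (e.g. block the IP).
  remediation: true
---
# Detect path scanning/enumeration
# Counts 404s on paths that only a scanner would probe on this device
# (the box does not serve WordPress or PHP), grouped per client address.
type: leaky
name: secubox/path-scanning
description: "Detect path scanning on SecuBox web interface"
filter: |
  evt.Meta.http_status == '404' &&
  (evt.Parsed.request contains '/secubox/' ||
   evt.Parsed.request contains '/cgi-bin/' ||
   evt.Parsed.request contains '/admin' ||
   evt.Parsed.request contains '/wp-' ||
   evt.Parsed.request contains '.php')
groupby: evt.Meta.source_ip
# Higher capacity and faster leak than the auth scenario: a browser loading a
# page with a few broken links can produce several 404s, a scanner produces
# dozens per second.
capacity: 20
leakspeed: 10s
blackhole: 10m
labels:
  service: secubox
  type: path_scan
  remediation: true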