|
1
|
"filter": {"$and": [{"Category" : "Attempt.Login"}, {"Description": {"$eq": "BlockList.de: IP reported as having run attacks on Joomlas, Wordpress and other Web-Logins with Brute-Force Logins"}}, {"Description": {"$eq": "Web form authentication attack"}}]}
|
|
2
|
!!! 'Attempt.Login:Test_+++_External:Relay_+++_*__+++_BlockList_x_IP_reported_as_having_run_attacks_on_Joomlas,_Wordpress_and_other_Web-Logins_with_Brute-Force_Logins': 6395,
|
|
3
|
!!! 'Attempt.Login:Test_+++_Relay_+++_*__+++_Web_form_authentication_attack': 29,
|
|
4
|
LABEL_CZ: Pokus o útok proti webovému serveru
|
|
5
|
LABEL_EN: Web form authentication attack
|
|
6
|
SEVERITY: 2 (Za středně nebezpečné považujeme (útoky na SSH a RDP))
|
|
7
|
URL: https://csirt.cesnet.cz/cs/services
|
|
8
|
|
|
9
|
### Nic hmatatelneho, nejlepe "Target.Proto": "http"
|
|
10
|
'Category': ['Attempt.Login', 'Test'],
|
|
11
|
'Confidence': 1,
|
|
12
|
'Description': 'BlockList.de: IP reported as having run attacks on '
|
|
13
|
'Joomlas, Wordpress and other Web-Logins with Brute-Force '
|
|
14
|
'Logins',
|
|
15
|
'DetectTime': b'\xdb4-\xc1\x00\x00\x00\x00',
|
|
16
|
'Format': 'IDEA0',
|
|
17
|
'ID': '69412746-46da-4446-97ea-f64bf93eff39',
|
|
18
|
'Node': [ {'Name': 'cz.cesnet.mentat.warden_filer', 'Type': ['Relay']},
|
|
19
|
{ 'AggrWin': '00:05:00',
|
|
20
|
'Name': 'cz.cesnet.supplier.intelmq',
|
|
21
|
'SW': ['IntelMQ'],
|
|
22
|
'Type': ['Relay', 'External']}],
|
|
23
|
'Source': [ { 'IP4': [ { 'ip': b'[\xc8\x0cN',
|
|
24
|
'max': b'[\xc8\x0cN',
|
|
25
|
'min': b'[\xc8\x0cN'}]}],
|
|
26
|
'_CESNET': {'StorageTime': 1468641099},
|
|
27
|
'_id': '69412746-46da-4446-97ea-f64bf93eff39',
|
|
28
|
|
|
29
|
### Podobne... nejlepe doplnit: "Target.Proto": "http"
|
|
30
|
"Category": [
|
|
31
|
"Attempt.Login",
|
|
32
|
"Test"
|
|
33
|
],
|
|
34
|
"Description": "Web form authentication attack",
|
|
35
|
"DetectTime": "2016-06-12 13:45:00Z",
|
|
36
|
"EventTime": "2016-06-12 13:44:14Z",
|
|
37
|
"Format": "IDEA0",
|
|
38
|
"ID": "b8d4cfe7-c240-4636-8ed3-7950e2dbf527",
|
|
39
|
"Node": [
|
|
40
|
{
|
|
41
|
"Name": "cz.cesnet.mentat.warden_filer",
|
|
42
|
"Type": [
|
|
43
|
"Relay"
|
|
44
|
]
|
|
45
|
},
|
|
46
|
{
|
|
47
|
"Name": "org.liberouter.collector_invea.flowmonads",
|
|
48
|
"Type": [
|
|
49
|
"Relay"
|
|
50
|
]
|
|
51
|
}
|
|
52
|
],
|
|
53
|
"Target": [
|
|
54
|
{
|
|
55
|
"IP4": [
|
|
56
|
"95.67.12.67"
|
|
57
|
],
|
|
58
|
"Port": [
|
|
59
|
80
|
|
60
|
],
|
|
61
|
"Proto": [
|
|
62
|
"TCP"
|
|
63
|
]
|
|
64
|
}
|
|
65
|
],
|
|
66
|
|
|
67
|
# -----------------------
|
|
68
|
|
|
69
|
TEST: "filter": {"$and": [{"Category" : "Attempt.Login"}, {"Target.Port" : 3389}, {"Description": {"$ne": "Multiple unsuccessful login attempts on MS-WBT-SERVER"}}, {"Description": {"$ne": "RDP attack"}}]}
|
|
70
|
FILTER: "filter": {"$and": [{"Category" : "Attempt.Login"}, {"Target.Port" : 3389}]}
|
|
71
|
OK !!! 'Attempt.Login:Test_+++_Flow:Statistical_+++_*__+++_Multiple_unsuccessful_login_attempts_on_MS-WBT-SERVER': 186332,
|
|
72
|
OK !!! 'Attempt.Login:Test_+++_Relay_+++_*__+++_RDP_attack': 31,
|
|
73
|
LABEL_CZ: Pokus o neoprávněné připojení k RDP serveru
|
|
74
|
LABEL_EN: Unauthorized attempts to connect to the RDP server
|
|
75
|
SEVERITY: 2 (Za středně nebezpečné považujeme (útoky na SSH a RDP))
|
|
76
|
URL: https://csirt.cesnet.cz/cs/services
|
|
77
|
|
|
78
|
TEST: "filter": {"$and": [{"Category" : "Attempt.Login"}, {"Target.Proto" : "telnet"}, {"Description": {"$ne": "Multiple unsuccessful login attempts on TELNET"}}]}
|
|
79
|
FILTER: "filter": {"$and": [{"Category" : "Attempt.Login"}, {"Target.Proto" : "telnet"}]}
|
|
80
|
!!! 'Attempt.Login:Test_+++_Flow:Statistical_+++_*__+++_Multiple_unsuccessful_login_attempts_on_TELNET': 509505,
|
|
81
|
LABEL_CZ: Pokus o neoprávněné připojení k TELNET serveru
|
|
82
|
LABEL_EN: Unauthorized attempts to connect to the TELNET server
|
|
83
|
SEVERITY: 2 (Za středně nebezpečné považujeme (útoky na SSH a RDP))
|
|
84
|
URL: https://csirt.cesnet.cz/cs/services
|
|
85
|
|
|
86
|
TEST: "filter": {"$and": [{"Category" : "Attempt.Login"}, {"Target.Proto" : {"$ne": "ssh"}}, {"Source.Proto" : "ssh"}, {"Description": {"$ne": "Bruteforce"}}]}
|
|
87
|
FILTER: "filter": {"$and": [{"Category" : "Attempt.Login"}, {"Target.Proto" : {"$ne": "ssh"}}, {"Source.Proto" : "ssh"}]}
|
|
88
|
OK !!! 'Attempt.Login_+++_External_+++_*__+++_Bruteforce': 161,
|
|
89
|
LABEL_CZ: Pokus o neoprávněné připojení k SSH serveru
|
|
90
|
LABEL_EN: Unauthorized attempts to connect to the SSH server
|
|
91
|
SEVERITY: 2 (Za středně nebezpečné považujeme (útoky na SSH a RDP))
|
|
92
|
URL: https://csirt.cesnet.cz/cs/services
|
|
93
|
|
|
94
|
TEST: "filter": {"$and": [{"Category" : "Attempt.Login"}, {"Target.Proto" : "ssh"}, {"Description": {"$ne": "Multiple unsuccessful login attempts on SSH"}}, {"Description": {"$ne": "SSH dictionary/bruteforce attack"}}, {"Note": {"$ne": "SSH login attempt"}}, {"Description": {"$ne": "SSH attack"}}]}
|
|
95
|
FILTER: "filter": {"$and": [{"Category" : "Attempt.Login"}, {"Target.Proto" : "ssh"}]}
|
|
96
|
OK !!! 'Attempt.Login_+++_*__+++_*__+++_*': 29, Ukazka spada (overeno!) pod SSH bruteforce... "Note: SSH login attempt"
|
|
97
|
OK !!! 'Attempt.Login_+++_Flow:Statistical_+++_*__+++_SSH_dictionary_bruteforce_attack': 189255,
|
|
98
|
OK !!! 'Attempt.Login:Test_+++_Relay_+++_*__+++_SSH_attack': 44,
|
|
99
|
OK !!! 'Attempt.Login:Test_+++_Flow:Statistical_+++_*__+++_SSH_dictionary_bruteforce_attack': 35849,
|
|
100
|
OK !!! 'Attempt.Login:Test_+++_Flow:Statistical_+++_*__+++_Multiple_unsuccessful_login_attempts_on_SSH': 474101,
|
|
101
|
LABEL_CZ: Pokus o neoprávněné připojení k SSH serveru
|
|
102
|
LABEL_EN: Unauthorized attempts to connect to the SSH server
|
|
103
|
SEVERITY: 2 (Za středně nebezpečné považujeme (útoky na SSH a RDP))
|
|
104
|
URL: https://csirt.cesnet.cz/cs/services
|
|
105
|
|