Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cve-2024-6387: much faster leakspeed and higher capacity #1069

Open
wants to merge 12 commits into
base: master
Choose a base branch
from
Open

cve-2024-6387: much faster leakspeed and higher capacity #1069

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
28d14ed
cve-2024-6387: much faster leakspeed and higher capacity
blotus Jul 3, 2024
ef81875
Update index
actions-user Jul 3, 2024
0bb4ddc
Do not show in CTI for now
blotus Jul 3, 2024
3ee36b8
Update taxonomy
actions-user Jul 3, 2024
91ee544
Update index
actions-user Jul 3, 2024
8e727f2
support public: false in taxonomy
AlteredCoder Jul 3, 2024
52e809d
Update taxonomy
actions-user Jul 3, 2024
97115c3
merge
blotus Jul 5, 2024
2628eb3
update tests
blotus Jul 5, 2024
dec3c02
Update index
actions-user Jul 5, 2024
553aa1f
Merge branch 'master' into blotus-patch-1
buixor Jul 31, 2024
dfa19a3
Update taxonomy
actions-user Jul 31, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 12 additions & 2 deletions .index.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13942,15 +13942,23 @@
},
"crowdsecurity/ssh-cve-2024-6387": {
"path": "scenarios/crowdsecurity/ssh-cve-2024-6387.yaml",
"version": "0.1",
"version": "0.3",
"versions": {
"0.1": {
"digest": "1a36e33f8743790c5544faa999aa8dd062f6e2b696e16232d3a3f28576119503",
"deprecated": false
},
"0.2": {
"digest": "07cd656d9aaf98762ae805a5e5c18514e9f58fe5211a597a1401b9bb89027841",
"deprecated": false
},
"0.3": {
"digest": "2b56281d406b8cb679e9d095c4cb929b6846e04d2d6b99548114b0773825e828",
"deprecated": false
}
},
"long_description": "RGV0ZWN0IGV4cGxvaXRhdGlvbiBhdHRlbXB0cyBvZiBDVkUtMjAyNC02Mzg3CiA=",
"content": "IyBzc2ggYnJ1dGVmb3JjZQp0eXBlOiBsZWFreQpuYW1lOiBjcm93ZHNlY3VyaXR5L3NzaC1jdmUtMjAyNC02Mzg3CmRlc2NyaXB0aW9uOiAiRGV0ZWN0IGV4cGxvaXRhdGlvbiBhdHRlbXB0IG9mIENWRS0yMDI0LTYzODciCmZpbHRlcjogImV2dC5NZXRhLmxvZ190eXBlID09ICdzc2hfYXV0aF90aW1lb3V0JyIKbGVha3NwZWVkOiAiMTgwcyIKY2FwYWNpdHk6IDMKZ3JvdXBieTogZXZ0Lk1ldGEuc291cmNlX2lwCmJsYWNraG9sZTogMW0KcmVwcm9jZXNzOiB0cnVlCmxhYmVsczoKICBzZXJ2aWNlOiBzc2gKICBjb25maWRlbmNlOiAzCiAgc3Bvb2ZhYmxlOiAwCiAgY2xhc3NpZmljYXRpb246CiAgICAtIGF0dGFjay5UMTE5MAogICAgLSBjdmUuQ1ZFLTIwMjQtNjM4NwogIGxhYmVsOiAiU1NIIENWRS0yMDI0LTYzODciCiAgYmVoYXZpb3I6ICJzc2g6ZXhwbG9pdCIKICByZW1lZGlhdGlvbjogdHJ1ZQ==",
"content": "IyBzc2ggYnJ1dGVmb3JjZQp0eXBlOiBsZWFreQpuYW1lOiBjcm93ZHNlY3VyaXR5L3NzaC1jdmUtMjAyNC02Mzg3CmRlc2NyaXB0aW9uOiAiRGV0ZWN0IGV4cGxvaXRhdGlvbiBhdHRlbXB0IG9mIENWRS0yMDI0LTYzODciCmZpbHRlcjogImV2dC5NZXRhLmxvZ190eXBlID09ICdzc2hfYXV0aF90aW1lb3V0JyIKbGVha3NwZWVkOiAiMnMiCmNhcGFjaXR5OiAyMApncm91cGJ5OiBldnQuTWV0YS5zb3VyY2VfaXAKYmxhY2tob2xlOiAxbQpyZXByb2Nlc3M6IHRydWUKbGFiZWxzOgogIHNlcnZpY2U6IHNzaAogIGNvbmZpZGVuY2U6IDMKICBzcG9vZmFibGU6IDAKICBjdGk6IGZhbHNlCiAgcHVibGljOiBmYWxzZQogIGNsYXNzaWZpY2F0aW9uOgogICAgLSBhdHRhY2suVDExOTAKICAgIC0gY3ZlLkNWRS0yMDI0LTYzODcKICBsYWJlbDogIlNTSCBDVkUtMjAyNC02Mzg3IgogIGJlaGF2aW9yOiAic3NoOmV4cGxvaXQiCiAgcmVtZWRpYXRpb246IHRydWUK",
"description": "Detect exploitation attempt of CVE-2024-6387",
"author": "crowdsecurity",
"labels": {
Expand All @@ -13960,7 +13968,9 @@
"cve.CVE-2024-6387"
],
"confidence": 3,
"cti": false,
"label": "SSH CVE-2024-6387",
"public": false,
"remediation": true,
"service": "ssh",
"spoofable": 0
Expand Down
8 changes: 5 additions & 3 deletions scenarios/crowdsecurity/ssh-cve-2024-6387.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,18 +3,20 @@ type: leaky
name: crowdsecurity/ssh-cve-2024-6387
description: "Detect exploitation attempt of CVE-2024-6387"
filter: "evt.Meta.log_type == 'ssh_auth_timeout'"
leakspeed: "180s"
capacity: 3
leakspeed: "2s"
capacity: 20
groupby: evt.Meta.source_ip
blackhole: 1m
reprocess: true
labels:
service: ssh
confidence: 3
spoofable: 0
cti: false
public: false
classification:
- attack.T1190
- cve.CVE-2024-6387
label: "SSH CVE-2024-6387"
behavior: "ssh:exploit"
remediation: true
remediation: true
6 changes: 6 additions & 0 deletions scripts/scenario_taxonomy.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -260,6 +260,7 @@ def main():
confidence = 0
spoofable = 0
in_cti = True
is_public = True

if "label" in labels:
scenario_label = scenario["labels"]["label"]
Expand All @@ -276,6 +277,10 @@ def main():
if not labels["cti"]:
in_cti = False

if "public" in labels:
if not labels["public"]:
is_public = False

if scenario_label == "":
desc = scenario["description"].lower()
if desc.startswith("detect "):
Expand Down Expand Up @@ -320,6 +325,7 @@ def main():
"spoofable": spoofable,
"cti": in_cti,
"service": service,
"public": is_public,
}

if len(cves) > 0:
Expand Down
Loading