CyberMind-FR
1fb2b11d4a
CrowdSec Dashboard: - Refactor all views (alerts, bouncers, decisions, overview, settings) - Add soc.css for Security Operations Center styling - Remove 3000+ lines of redundant code CrowdSec Custom Parsers & Scenarios: - Add secubox-gitea parser and bruteforce scenario - Add secubox-haproxy parser and bruteforce scenario - Add secubox-streamlit parser and bruteforce scenario - Add secubox-webapp parser and bruteforce scenario - Update Makefile for new parser/scenario files HAProxy: - Update api.js, backends.js view improvements - Update luci.haproxy RPCD backend - Update haproxyctl helper script Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
44 lines
1.1 KiB
YAML
44 lines
1.1 KiB
YAML
# CrowdSec scenario for HAProxy authentication bruteforce
|
|
# Detects repeated 401/403 responses indicating auth failures
|
|
|
|
type: leaky
|
|
name: secubox/haproxy-auth-bruteforce
|
|
description: "Detect bruteforce attempts via HAProxy"
|
|
filter: "evt.Meta.log_type == 'haproxy' && evt.Meta.auth_success == 'false'"
|
|
groupby: evt.Meta.source_ip
|
|
capacity: 5
|
|
leakspeed: 30s
|
|
blackhole: 5m
|
|
labels:
|
|
service: haproxy
|
|
type: bruteforce
|
|
remediation: true
|
|
---
|
|
# Detect rapid HAProxy requests (potential DDoS/scan)
|
|
type: leaky
|
|
name: secubox/haproxy-flooding
|
|
description: "Detect request flooding via HAProxy"
|
|
filter: "evt.Meta.log_type == 'haproxy'"
|
|
groupby: evt.Meta.source_ip
|
|
capacity: 100
|
|
leakspeed: 5s
|
|
blackhole: 10m
|
|
labels:
|
|
service: haproxy
|
|
type: flooding
|
|
remediation: true
|
|
---
|
|
# Detect HAProxy backend targeting (scanning backends)
|
|
type: leaky
|
|
name: secubox/haproxy-backend-scan
|
|
description: "Detect backend scanning via HAProxy"
|
|
filter: "evt.Meta.log_type == 'haproxy' && evt.Parsed.http_status == '503'"
|
|
groupby: evt.Meta.source_ip
|
|
capacity: 10
|
|
leakspeed: 20s
|
|
blackhole: 10m
|
|
labels:
|
|
service: haproxy
|
|
type: backend_scan
|
|
remediation: true
|