Fix labels in SSH scenarios (#865)

* Fix labels in SSH scenarios * Update taxonomy * Update index --------- Co-authored-by: GitHub Action <[email protected]>
crowdsecurity · Oct 30, 2023 · 4440f68 · 4440f68
1 parent efafee5
commit 4440f68
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 11 deletions.
diff --git a/.index.json b/.index.json
@@ -9943,7 +9943,7 @@
   },
   "crowdsecurity/ssh-bf": {
    "path": "scenarios/crowdsecurity/ssh-bf.yaml",
-   "version": "0.2",
+   "version": "0.3",
    "versions": {
     "0.1": {
      "digest": "4441dcff07020f6690d998b7101e642359ba405c2abb83565bbbdcee36de280f",
@@ -9952,10 +9952,14 @@
     "0.2": {
      "digest": "94b1d6f04e9119ea1adb7fc70017fd108cede97bddbaf50b0b2bebdcc887ea28",
      "deprecated": false
+    },
+    "0.3": {
+     "digest": "242f36684d66bbae3044e576b7cfffef62d5323465f3f74f87923167c6d93356",
+     "deprecated": false
     }
    },
    "long_description": "RGV0ZWN0IGZhaWxlZCBzc2ggYXV0aGVudGljYXRpb25zIDoKCiAtIGxlYWtzcGVlZCBvZiAxMHMsIGNhcGFjaXR5IG9mIDUgb24gc2FtZSB0YXJnZXQgdXNlcgogLSBsZWFrc3BlZWQgb2YgMTBzLCBjYXBhY2l0eSBvZiA1IHVuaXF1ZSBkaXN0aW5jdCB1c2VycwogCg==",
-   "content": "IyBzc2ggYnJ1dGVmb3JjZQp0eXBlOiBsZWFreQpuYW1lOiBjcm93ZHNlY3VyaXR5L3NzaC1iZgpkZXNjcmlwdGlvbjogIkRldGVjdCBzc2ggYnJ1dGVmb3JjZSIKZmlsdGVyOiAiZXZ0Lk1ldGEubG9nX3R5cGUgPT0gJ3NzaF9mYWlsZWQtYXV0aCciCmxlYWtzcGVlZDogIjEwcyIKcmVmZXJlbmNlczoKICAtIGh0dHA6Ly93aWtpcGVkaWEuY29tL3NzaC1iZi1pcy1iYWQKY2FwYWNpdHk6IDUKZ3JvdXBieTogZXZ0Lk1ldGEuc291cmNlX2lwCmJsYWNraG9sZTogMW0KcmVwcm9jZXNzOiB0cnVlCmxhYmVsczoKICBzZXJ2aWNlOiBzc2gKICBjb25maWRlbmNlOiAzCiAgc3Bvb2ZhYmxlOiAwCiAgY2xhc3NpZmljYXRpb246CiAgICAtIGF0dGFjay5UMTExMAogIGxhYmVsOiAiU1NIIEJydXRlZm9yY2UiCiAgYmVoYXZpb3I6ICJzc2g6YnJ1dGVmb3JjZSIKICByZW1lZGlhdGlvbjogdHJ1ZQotLS0KIyBzc2ggdXNlci1lbnVtCnR5cGU6IGxlYWt5Cm5hbWU6IGNyb3dkc2VjdXJpdHkvc3NoLWJmX3VzZXItZW51bQpkZXNjcmlwdGlvbjogIkRldGVjdCBzc2ggdXNlciBlbnVtIGJydXRlZm9yY2UiCmZpbHRlcjogZXZ0Lk1ldGEubG9nX3R5cGUgPT0gJ3NzaF9mYWlsZWQtYXV0aCcKZ3JvdXBieTogZXZ0Lk1ldGEuc291cmNlX2lwCmRpc3RpbmN0OiBldnQuTWV0YS50YXJnZXRfdXNlcgpsZWFrc3BlZWQ6IDEwcwpjYXBhY2l0eTogNQpibGFja2hvbGU6IDFtCmxhYmVsczoKICBzZXJ2aWNlOiBzc2gKICByZW1lZGlhdGlvbjogdHJ1ZQogIGNvbmZpZGVuY2U6IDMKICBzcG9vZmFibGU6IDAKICBjbGFzc2lmaWNhdGlvbjoKICAgIC0gYXR0YWNrLlQxNTg5CiAgYmVoYXZpb3I6ICJzc2g6YnJ1dGVmb3JjZSIKICBsYWJlbDogIlNTSCBCcnV0ZWZvcmNlIgo=",
+   "content": "IyBzc2ggYnJ1dGVmb3JjZQp0eXBlOiBsZWFreQpuYW1lOiBjcm93ZHNlY3VyaXR5L3NzaC1iZgpkZXNjcmlwdGlvbjogIkRldGVjdCBzc2ggYnJ1dGVmb3JjZSIKZmlsdGVyOiAiZXZ0Lk1ldGEubG9nX3R5cGUgPT0gJ3NzaF9mYWlsZWQtYXV0aCciCmxlYWtzcGVlZDogIjEwcyIKcmVmZXJlbmNlczoKICAtIGh0dHA6Ly93aWtpcGVkaWEuY29tL3NzaC1iZi1pcy1iYWQKY2FwYWNpdHk6IDUKZ3JvdXBieTogZXZ0Lk1ldGEuc291cmNlX2lwCmJsYWNraG9sZTogMW0KcmVwcm9jZXNzOiB0cnVlCmxhYmVsczoKICBzZXJ2aWNlOiBzc2gKICBjb25maWRlbmNlOiAzCiAgc3Bvb2ZhYmxlOiAwCiAgY2xhc3NpZmljYXRpb246CiAgICAtIGF0dGFjay5UMTExMAogIGxhYmVsOiAiU1NIIEJydXRlZm9yY2UiCiAgYmVoYXZpb3I6ICJzc2g6YnJ1dGVmb3JjZSIKICByZW1lZGlhdGlvbjogdHJ1ZQotLS0KIyBzc2ggdXNlci1lbnVtCnR5cGU6IGxlYWt5Cm5hbWU6IGNyb3dkc2VjdXJpdHkvc3NoLWJmX3VzZXItZW51bQpkZXNjcmlwdGlvbjogIkRldGVjdCBzc2ggdXNlciBlbnVtIGJydXRlZm9yY2UiCmZpbHRlcjogZXZ0Lk1ldGEubG9nX3R5cGUgPT0gJ3NzaF9mYWlsZWQtYXV0aCcKZ3JvdXBieTogZXZ0Lk1ldGEuc291cmNlX2lwCmRpc3RpbmN0OiBldnQuTWV0YS50YXJnZXRfdXNlcgpsZWFrc3BlZWQ6IDEwcwpjYXBhY2l0eTogNQpibGFja2hvbGU6IDFtCmxhYmVsczoKICBzZXJ2aWNlOiBzc2gKICByZW1lZGlhdGlvbjogdHJ1ZQogIGNvbmZpZGVuY2U6IDMKICBzcG9vZmFibGU6IDAKICBjbGFzc2lmaWNhdGlvbjoKICAgIC0gYXR0YWNrLlQxNTg5CiAgYmVoYXZpb3I6ICJzc2g6YnJ1dGVmb3JjZSIKICBsYWJlbDogIlNTSCBVc2VyIEVudW1lcmF0aW9uIgo=",
    "description": "Detect ssh bruteforce",
    "author": "crowdsecurity",
    "references": [
@@ -9975,7 +9979,7 @@
   },
   "crowdsecurity/ssh-slow-bf": {
    "path": "scenarios/crowdsecurity/ssh-slow-bf.yaml",
-   "version": "0.3",
+   "version": "0.4",
    "versions": {
     "0.1": {
      "digest": "1b910bf7af59dab8dfbba8a735aafb3e4871d1237b29d56f53d7c0eece0381cf",
@@ -9988,10 +9992,14 @@
     "0.3": {
      "digest": "313b1dc11a05f8beb6718cdeefe79866122eca26394efe2b814d5d2e15c28f4d",
      "deprecated": false
+    },
+    "0.4": {
+     "digest": "892f9a153c4dafb5392ba40d70616e88896571be8f4cc00996e7f5e8277c869e",
+     "deprecated": false
     }
    },
    "long_description": "RGV0ZWN0IHNsb3cgc3NoIGJydXRlZm9yY2UgYXV0aGVudGljYXRpb25zIDoKCiAtIGxlYWtzcGVlZCBvZiA2MHMsIGNhcGFjaXR5IG9mIDEwIG9uIHNhbWUgdGFyZ2V0IHVzZXIKIC0gbGVha3NwZWVkIG9mIDYwcywgY2FwYWNpdHkgb2YgMTAgdW5pcXVlIGRpc3RpbmN0IHVzZXJzCiAK",
-   "content": "IyBzc2ggYnJ1dGVmb3JjZQp0eXBlOiBsZWFreQpuYW1lOiBjcm93ZHNlY3VyaXR5L3NzaC1zbG93LWJmCmRlc2NyaXB0aW9uOiAiRGV0ZWN0IHNsb3cgc3NoIGJydXRlZm9yY2UiCmZpbHRlcjogImV2dC5NZXRhLmxvZ190eXBlID09ICdzc2hfZmFpbGVkLWF1dGgnIgpsZWFrc3BlZWQ6ICI2MHMiCnJlZmVyZW5jZXM6CiAgLSBodHRwOi8vd2lraXBlZGlhLmNvbS9zc2gtYmYtaXMtYmFkCmNhcGFjaXR5OiAxMApncm91cGJ5OiBldnQuTWV0YS5zb3VyY2VfaXAKYmxhY2tob2xlOiAxbQpyZXByb2Nlc3M6IHRydWUKbGFiZWxzOgogIHNlcnZpY2U6IHNzaAogIHJlbWVkaWF0aW9uOiB0cnVlCiAgY29uZmlkZW5jZTogMwogIHNwb29mYWJsZTogMAogIGNsYXNzaWZpY2F0aW9uOgogICAgLSBhdHRhY2suVDExMTAKICBiZWhhdmlvcjogInNzaDpicnV0ZWZvcmNlIgogIGxhYmVsOiAiU1NIIEJydXRlZm9yY2UiCi0tLQojIHNzaCB1c2VyLWVudW0KdHlwZTogbGVha3kKbmFtZTogY3Jvd2RzZWN1cml0eS9zc2gtc2xvdy1iZl91c2VyLWVudW0KZGVzY3JpcHRpb246ICJEZXRlY3Qgc2xvdyBzc2ggdXNlciBlbnVtIGJydXRlZm9yY2UiCmZpbHRlcjogZXZ0Lk1ldGEubG9nX3R5cGUgPT0gJ3NzaF9mYWlsZWQtYXV0aCcKZ3JvdXBieTogZXZ0Lk1ldGEuc291cmNlX2lwCmRpc3RpbmN0OiBldnQuTWV0YS50YXJnZXRfdXNlcgpsZWFrc3BlZWQ6IDYwcwpjYXBhY2l0eTogMTAKYmxhY2tob2xlOiAxbQpsYWJlbHM6CiAgc2VydmljZTogc3NoCiAgcmVtZWRpYXRpb246IHRydWUKICBjb25maWRlbmNlOiAzCiAgc3Bvb2ZhYmxlOiAwCiAgY2xhc3NpZmljYXRpb246CiAgICAtIGF0dGFjay5UMTExMAogIGJlaGF2aW9yOiAic3NoOmJydXRlZm9yY2UiCiAgbGFiZWw6ICJTU0ggQnJ1dGVmb3JjZSIK",
+   "content": "IyBzc2ggYnJ1dGVmb3JjZQp0eXBlOiBsZWFreQpuYW1lOiBjcm93ZHNlY3VyaXR5L3NzaC1zbG93LWJmCmRlc2NyaXB0aW9uOiAiRGV0ZWN0IHNsb3cgc3NoIGJydXRlZm9yY2UiCmZpbHRlcjogImV2dC5NZXRhLmxvZ190eXBlID09ICdzc2hfZmFpbGVkLWF1dGgnIgpsZWFrc3BlZWQ6ICI2MHMiCnJlZmVyZW5jZXM6CiAgLSBodHRwOi8vd2lraXBlZGlhLmNvbS9zc2gtYmYtaXMtYmFkCmNhcGFjaXR5OiAxMApncm91cGJ5OiBldnQuTWV0YS5zb3VyY2VfaXAKYmxhY2tob2xlOiAxbQpyZXByb2Nlc3M6IHRydWUKbGFiZWxzOgogIHNlcnZpY2U6IHNzaAogIHJlbWVkaWF0aW9uOiB0cnVlCiAgY29uZmlkZW5jZTogMwogIHNwb29mYWJsZTogMAogIGNsYXNzaWZpY2F0aW9uOgogICAgLSBhdHRhY2suVDExMTAKICBiZWhhdmlvcjogInNzaDpicnV0ZWZvcmNlIgogIGxhYmVsOiAiU1NIIFNsb3cgQnJ1dGVmb3JjZSIKLS0tCiMgc3NoIHVzZXItZW51bQp0eXBlOiBsZWFreQpuYW1lOiBjcm93ZHNlY3VyaXR5L3NzaC1zbG93LWJmX3VzZXItZW51bQpkZXNjcmlwdGlvbjogIkRldGVjdCBzbG93IHNzaCB1c2VyIGVudW0gYnJ1dGVmb3JjZSIKZmlsdGVyOiBldnQuTWV0YS5sb2dfdHlwZSA9PSAnc3NoX2ZhaWxlZC1hdXRoJwpncm91cGJ5OiBldnQuTWV0YS5zb3VyY2VfaXAKZGlzdGluY3Q6IGV2dC5NZXRhLnRhcmdldF91c2VyCmxlYWtzcGVlZDogNjBzCmNhcGFjaXR5OiAxMApibGFja2hvbGU6IDFtCmxhYmVsczoKICBzZXJ2aWNlOiBzc2gKICByZW1lZGlhdGlvbjogdHJ1ZQogIGNvbmZpZGVuY2U6IDMKICBzcG9vZmFibGU6IDAKICBjbGFzc2lmaWNhdGlvbjoKICAgIC0gYXR0YWNrLlQxMTEwCiAgYmVoYXZpb3I6ICJzc2g6YnJ1dGVmb3JjZSIKICBsYWJlbDogIlNTSCBTbG93IFVzZXIgRW51bWVyYXRpb24iCg==",
    "description": "Detect slow ssh bruteforce",
    "author": "crowdsecurity",
    "references": [
@@ -10003,7 +10011,7 @@
      "attack.T1110"
     ],
     "confidence": 3,
-    "label": "SSH Bruteforce",
+    "label": "SSH Slow Bruteforce",
     "remediation": true,
     "service": "ssh",
     "spoofable": 0

diff --git a/scenarios/crowdsecurity/ssh-bf.yaml b/scenarios/crowdsecurity/ssh-bf.yaml
@@ -38,4 +38,4 @@ labels:
   classification:
     - attack.T1589
   behavior: "ssh:bruteforce"
-  label: "SSH Bruteforce"
+  label: "SSH User Enumeration"
diff --git a/scenarios/crowdsecurity/ssh-slow-bf.yaml b/scenarios/crowdsecurity/ssh-slow-bf.yaml
@@ -18,7 +18,7 @@ labels:
   classification:
     - attack.T1110
   behavior: "ssh:bruteforce"
-  label: "SSH Bruteforce"
+  label: "SSH Slow Bruteforce"
 ---
 # ssh user-enum
 type: leaky
@@ -38,4 +38,4 @@ labels:
   classification:
     - attack.T1110
   behavior: "ssh:bruteforce"
-  label: "SSH Bruteforce"
+  label: "SSH Slow User Enumeration"
diff --git a/taxonomy/scenarios.json b/taxonomy/scenarios.json
@@ -2422,7 +2422,7 @@
   "crowdsecurity/ssh-bf_user-enum": {
     "name": "crowdsecurity/ssh-bf_user-enum",
     "description": "Detect ssh user enum bruteforce",
-    "label": "SSH Bruteforce",
+    "label": "SSH User Enumeration",
     "behaviors": [
       "ssh:bruteforce"
     ],
@@ -2437,7 +2437,7 @@
   "crowdsecurity/ssh-slow-bf": {
     "name": "crowdsecurity/ssh-slow-bf",
     "description": "Detect slow ssh bruteforce",
-    "label": "SSH Bruteforce",
+    "label": "SSH Slow Bruteforce",
     "behaviors": [
       "ssh:bruteforce"
     ],
@@ -2452,7 +2452,7 @@
   "crowdsecurity/ssh-slow-bf_user-enum": {
     "name": "crowdsecurity/ssh-slow-bf_user-enum",
     "description": "Detect slow ssh user enum bruteforce",
-    "label": "SSH Bruteforce",
+    "label": "SSH Slow User Enumeration",
     "behaviors": [
       "ssh:bruteforce"
     ],