No detections of repeated port 80 connections
Hello,
A number of IP addresses originating from IP networks in Brazil and Russia, for example, are initiating TCP connections on port 80.
Log example: (850,000 same lines over 24 hours)
IN=eno1 OUT= MAC=aa:ee:11:dd:55:dd:84:b8:02:f0:78:67:08:00 SRC=193.164. 16.166 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=247 ID=7835 DF PROTO=TCP SPT=10011 DPT=80 WINDOW=51894 RES=0x00 SYN URGP=0
Despite being blocked by the firewall, Crowdsec does not detect these attacks despite tens of thousands of “DENY” lines.
Do you also detect this type of attack?
How can Crowdsec automatically block them? Thank you.