added detect cowrie ssh honeypot template

2021-12-18 22:08:05 -07:00 · 2021-12-18 22:08:05 -07:00 · 2ec8023d84
parent 349a2b7ffb
commit 2ec8023d84
1 changed files with 49 additions and 0 deletions
--- a/network/detect-cowrie-honeypot.yaml
+++ b/network/detect-cowrie-honeypot.yaml
@ -0,0 +1,49 @@
+id: cowrie-honeypot-detect
+
+info:
+  name: Detect Cowrie SSH Honeypot
+  author: thesubtlety
+  tags: 'network, ssh'
+  severity: info
+  reference:
+    - https://web.archive.org/web/20170826075224/https://morris.sc/detecting-kippo-ssh-honeypots/
+    - https://github.com/blazeinfosec/detect-kippo-cowrie/blob/master/detectKippoCowrie.py
+    - https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssh/detect_kippo.rb
+
+network:
+  - host:
+      - '{{Hostname}}'
+      - '{{Hostname}}:22'
+    inputs:
+      - data: "\n\n\n\n\n\n\n\n"
+        read-size: 1024
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - SSH-2.0-OpenSSH_5.1p1 Debian-5
+          - SSH-1.99-OpenSSH_4.3
+          - SSH-1.99-OpenSSH_4.7
+          - SSH-1.99-Sun_SSH_1.1
+          - SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.1
+          - SSH-2.0-OpenSSH_4.3
+          - SSH-2.0-OpenSSH_4.6
+          - SSH-2.0-OpenSSH_5.1p1 Debian-5
+          - SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901
+          - SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5
+          - SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
+          - SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
+          - SSH-2.0-OpenSSH_5.5p1 Debian-6
+          - SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1
+          - SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
+          - SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503
+          - SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
+          - SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
+          - SSH-2.0-OpenSSH_5.9
+          - SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
+        condition: or
+      - type: word
+        words:
+          - Invalid SSH identification string
+