From 2ec8023d84ec391f2805b2619e067c740231a4de Mon Sep 17 00:00:00 2001
From: thesubtlety <1726821+thesubtlety@users.noreply.github.com>
Date: Sat, 18 Dec 2021 22:08:05 -0700
Subject: [PATCH] added detect cowrie ssh honeypot template

---
 network/detect-cowrie-honeypot.yaml | 49 +++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 network/detect-cowrie-honeypot.yaml

diff --git a/network/detect-cowrie-honeypot.yaml b/network/detect-cowrie-honeypot.yaml
new file mode 100644
index 0000000000..3ee1bbccc1
--- /dev/null
+++ b/network/detect-cowrie-honeypot.yaml
@@ -0,0 +1,49 @@
+id: cowrie-honeypot-detect
+
+info:
+ name: Detect Cowrie SSH Honeypot
+ author: thesubtlety
+ tags: 'network, ssh'
+ severity: info
+ reference:
+ - https://web.archive.org/web/20170826075224/https://morris.sc/detecting-kippo-ssh-honeypots/
+ - https://github.com/blazeinfosec/detect-kippo-cowrie/blob/master/detectKippoCowrie.py
+ - https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssh/detect_kippo.rb
+
+network:
+ - host:
+ - '{{Hostname}}'
+ - '{{Hostname}}:22'
+ inputs:
+ - data: "\n\n\n\n\n\n\n\n"
+ read-size: 1024
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - SSH-2.0-OpenSSH_5.1p1 Debian-5
+ - SSH-1.99-OpenSSH_4.3
+ - SSH-1.99-OpenSSH_4.7
+ - SSH-1.99-Sun_SSH_1.1
+ - SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.1
+ - SSH-2.0-OpenSSH_4.3
+ - SSH-2.0-OpenSSH_4.6
+ - SSH-2.0-OpenSSH_5.1p1 Debian-5
+ - SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901
+ - SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5
+ - SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
+ - SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
+ - SSH-2.0-OpenSSH_5.5p1 Debian-6
+ - SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1
+ - SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
+ - SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503
+ - SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
+ - SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
+ - SSH-2.0-OpenSSH_5.9
+ - SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
+ condition: or
+ - type: word
+ words:
+ - Invalid SSH identification string
+
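Review bot: The first `words:` list in this hunk contains duplicates — `SSH-2.0-OpenSSH_5.1p1 Debian-5` and `SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2` each appear twice — so the second copy of each should be dropped. The listed banners are version strings that genuine legacy OpenSSH builds also advertise, so with `matchers-condition: and` the second matcher on `Invalid SSH identification string` carries the whole discrimination, and the template says nothing about why eight bare newlines are sent or what in the reply is expected to be Cowrie-specific rather than the ordinary response of a real sshd to a non-SSH identification line; a maintainer judging false positives on real hosts running one of those versions has only the references to go on. A comment above `inputs:` such as `# Bare newlines instead of an identification string; the reply text combined with one of Cowrie's default banners is the fingerprint (see references)` would capture the intent, and a short note that the banner list mirrors Cowrie's default `version` choices would explain where the strings come from (I infer that from the references, not from the hunk).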