delete

http/honeypot/cisco-asa-honeypot-detect.yaml

@@ -1,30 +0,0 @@
-id: cisco-asa-honeypot-detect
-
-info:
-  name: Cisco ASA Honeypot - Detect
-  author: UnaPibaGeek
-  severity: info
-  description: |
-    A Cisco ASA honeypot has been identified.
-    The HTTP response reveals a possible setup of the Cisco ASA web application honeypot.
-  metadata:
-    max-request: 2
-    vendor: cisco
-    product: asa
-  tags: cisco,asa,honeypot,ir,cti
-
-http:
-  - method: GET
-    path:
-      - "{{BaseURL}}/+CSCOE+/logon.html?fcadbadd=1"
-
-    matchers-condition: and
-    matchers:
-      - type: status
-        status:
-          - 200
-
-      - type: word
-        part: body
-        words:
-          - '<input style="font-weight: bold; cursor: pointer;" type="submit" name="Login" value="Logon" />'

network/honeypot/dionaea-mongodb-honeypot-detect.yaml

@@ -1,36 +0,0 @@
-id: dionaea-mongodb-honeypot-detect
-
-info:
-  name: Dionaea MongoDB Honeypot - Detect
-  author: UnaPibaGeek
-  severity: info
-  description: |
-    A MongoDB honeypot has been identified.
-    The response to the 'buildinfo' command differs from real installations, signaling a possible deceptive setup.
-  metadata:
-    max-request: 2
-    product: dionaea
-    vendor: mongodb
-  tags: dionaea,mongodb,honeypot,ir,cti,network
-
-tcp:
-  - inputs:
-      - data: 3b0000003c300000ffffffffd40700000000000061646d696e2e24636d640000000000ffffffff14000000106275696c64696e666f000100000000
-        type: hex
-
-    host:
-      - "{{Hostname}}"
-    port: 27017
-    read-size: 2048
-
-    matchers:
-      - type: word
-        part: raw
-        words:
-          - "version"
-        negative: true
-
-    extractors:
-      - type: regex
-        regex:
-          - "([A-Za-z:0-9.]+)"