Update and rename detect-cowrie-honeypot.yaml to cowrie-honeypot-detect.yaml

2021-12-19 14:34:36 +05:30 · 2021-12-19 14:34:36 +05:30 · 6b8548a87c
parent 2ec8023d84
commit 6b8548a87c
2 changed files with 30 additions and 49 deletions
--- a/network/cowrie-honeypot-detect.yaml
+++ b/network/cowrie-honeypot-detect.yaml
@ -0,0 +1,30 @@
+id: cowrie-honeypot-detect
+
+info:
+  name: Cowrie SSH Honeypot Detect
+  author: thesubtlety
+  severity: info
+  reference:
+    - https://web.archive.org/web/20170826075224/https://morris.sc/detecting-kippo-ssh-honeypots/
+    - https://github.com/blazeinfosec/detect-kippo-cowrie/blob/master/detectKippoCowrie.py
+    - https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssh/detect_kippo.rb
+  tags: network,ssh,honeypot
+
+network:
+  - host:
+      - '{{Hostname}}'
+      - '{{Hostname}}:22'
+
+    inputs:
+      - data: "\n"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - 'SSH\-([0-9.-A-Za-z_ ]+)'
+
+      - type: word
+        words:
+          - Invalid SSH identification string
--- a/network/detect-cowrie-honeypot.yaml
+++ b/network/detect-cowrie-honeypot.yaml
@ -1,49 +0,0 @@
-id: cowrie-honeypot-detect
-
-info:
-  name: Detect Cowrie SSH Honeypot
-  author: thesubtlety
-  tags: 'network, ssh'
-  severity: info
-  reference:
-    - https://web.archive.org/web/20170826075224/https://morris.sc/detecting-kippo-ssh-honeypots/
-    - https://github.com/blazeinfosec/detect-kippo-cowrie/blob/master/detectKippoCowrie.py
-    - https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssh/detect_kippo.rb
-
-network:
-  - host:
-      - '{{Hostname}}'
-      - '{{Hostname}}:22'
-    inputs:
-      - data: "\n\n\n\n\n\n\n\n"
-        read-size: 1024
-
-    matchers-condition: and
-    matchers:
-      - type: word
-        words:
-          - SSH-2.0-OpenSSH_5.1p1 Debian-5
-          - SSH-1.99-OpenSSH_4.3
-          - SSH-1.99-OpenSSH_4.7
-          - SSH-1.99-Sun_SSH_1.1
-          - SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.1
-          - SSH-2.0-OpenSSH_4.3
-          - SSH-2.0-OpenSSH_4.6
-          - SSH-2.0-OpenSSH_5.1p1 Debian-5
-          - SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901
-          - SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5
-          - SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
-          - SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
-          - SSH-2.0-OpenSSH_5.5p1 Debian-6
-          - SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1
-          - SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
-          - SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503
-          - SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
-          - SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
-          - SSH-2.0-OpenSSH_5.9
-          - SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
-        condition: or
-      - type: word
-        words:
-          - Invalid SSH identification string
-