From 823f2a2dce776dbd0fe4dc156f17a2e3be2e993a Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Wed, 8 Nov 2023 20:42:25 +0530 Subject: [PATCH] minor - update --- http/honeypot/citrix-honeypot-detect.yaml | 2 ++ http/honeypot/snare-honeypot-detect.yaml | 3 +++ network/honeypot/adbhoney-honeypot-cnxn-detect.yaml | 9 +++++---- .../honeypot/adbhoney-honeypot-shell-detect.yaml | 10 +++++----- .../honeypot/conpot-siemens-honeypot-detect.yaml | 9 +++++---- network/honeypot/cowrie-ssh-honeypot-detect.yaml | 8 ++++---- network/honeypot/dionaea-ftp-honeypot-detect.yaml | 9 +++++---- network/honeypot/dionaea-mqtt-honeypot-detect.yaml | 12 +++++++----- network/honeypot/dionaea-mysql-honeypot-detect.yaml | 1 - network/honeypot/dionaea-smb-honeypot-detect.yaml | 13 +++++++------ network/honeypot/gaspot-honeypot-detect.yaml | 10 ++++++---- network/honeypot/mailoney-honeypot-detect.yaml | 10 +++++----- network/honeypot/redis-honeypot-detect.yaml | 11 ++++++----- 13 files changed, 60 insertions(+), 47 deletions(-) diff --git a/http/honeypot/citrix-honeypot-detect.yaml b/http/honeypot/citrix-honeypot-detect.yaml index 60a386269d..c37ae2535e 100644 --- a/http/honeypot/citrix-honeypot-detect.yaml +++ b/http/honeypot/citrix-honeypot-detect.yaml @@ -9,6 +9,8 @@ info: The HTTP response reveals a possible setup of the Citrix web application honeypot. metadata: max-request: 2 + verified: true + shodan-query: http.title:“Citrix Login” vendor: citrix product: citrix tags: citrix,honeypot,ir,cti diff --git a/http/honeypot/snare-honeypot-detect.yaml b/http/honeypot/snare-honeypot-detect.yaml index 9e467f3fe3..930f365693 100644 --- a/http/honeypot/snare-honeypot-detect.yaml +++ b/http/honeypot/snare-honeypot-detect.yaml 
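Review bot: The new `shodan-query` value in the citrix hunk uses typographic quotes (`“Citrix Login”`) instead of ASCII double quotes, so the phrase is unlikely to be treated as a quoted filter by Shodan and anyone pasting the query will be searching for the literal curly-quote characters. Change it to `shodan-query: http.title:"Citrix Login"`. That form is still safe as a plain YAML scalar because the colon is not followed by a space and the quote is not the first character.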
@@ -9,6 +9,9 @@ info: The response to an incorrect HTTP version reveals a possible setup of the Snare web application honeypot. metadata: max-request: 2 + verified: true + verified: true + shodan-query: Server: Python/3.10 aiohttp/3.8.3 vendor: snare product: http tags: snare,honeypot,ir,cti diff --git a/network/honeypot/adbhoney-honeypot-cnxn-detect.yaml b/network/honeypot/adbhoney-honeypot-cnxn-detect.yaml index 72e6cff24a..372637f83e 100644 --- a/network/honeypot/adbhoney-honeypot-cnxn-detect.yaml +++ b/network/honeypot/adbhoney-honeypot-cnxn-detect.yaml @@ -16,16 +16,17 @@ info: tags: adbhoney,android,adb,honeypot,ir,cti,network tcp: - - host: - - "{{Hostname}}" - port: 5555 - inputs: + - inputs: - data: "434e584e0100000100001000ea000000445b0000bcb1a7b1" # CNXN type: hex - data: "686f73743a3a66656174757265733d7368656c6c5f76322c636d642c737461745f76322c6c735f76322c66697865645f707573685f6d6b6469722c617065782c6162622c66697865645f707573685f73796d6c696e6b5f74696d657374616d702c6162625f657865632c72656d6f756e745f7368656c6c2c747261636b5f6170702c73656e64726563765f76322c73656e64726563765f76325f62726f746c692c73656e64726563765f76325f6c7a342c73656e64726563765f76325f7a7374642c73656e64726563765f76325f6472795f72756e5f73656e642c6f70656e73637265656e5f6d646e73" # CLIENT INFO type: hex + host: + - "{{Hostname}}" + port: 5555 read-size: 1024 + matchers: - type: word words: diff --git a/network/honeypot/adbhoney-honeypot-shell-detect.yaml b/network/honeypot/adbhoney-honeypot-shell-detect.yaml index c9fe8ec17f..3bbac3fd51 100644 --- a/network/honeypot/adbhoney-honeypot-shell-detect.yaml +++ b/network/honeypot/adbhoney-honeypot-shell-detect.yaml 
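Review bot: The snare hunk adds `verified: true` twice under `metadata`, and its new `shodan-query: Server: Python/3.10 aiohttp/3.8.3` contains an unquoted `: ` in the value, which YAML reads as a nested mapping key and most loaders reject with a "mapping values are not allowed in this context" error; strict loaders also reject the duplicate key, while lenient ones silently keep the last value. Drop one of the duplicate lines and quote the query: `shodan-query: 'Server: Python/3.10 aiohttp/3.8.3'`. Even with the syntax fixed, that banner is a generic aiohttp server string rather than anything Snare-specific, so the pivot will return many non-honeypot hosts and the template's matchers remain the only real signal.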
@@ -16,10 +16,7 @@ info: tags: adbhoney,android,adb,honeypot,ir,cti,network tcp: - - host: - - "{{Hostname}}" - port: 5555 - inputs: + - inputs: - data: "434e584e0100000100001000ea000000445b0000bcb1a7b1" # CNXN type: hex - data: "686f73743a3a66656174757265733d7368656c6c5f76322c636d642c737461745f76322c6c735f76322c66697865645f707573685f6d6b6469722c617065782c6162622c66697865645f707573685f73796d6c696e6b5f74696d657374616d702c6162625f657865632c72656d6f756e745f7368656c6c2c747261636b5f6170702c73656e64726563765f76322c73656e64726563765f76325f62726f746c692c73656e64726563765f76325f6c7a342c73656e64726563765f76325f7a7374642c73656e64726563765f76325f6472795f72756e5f73656e642c6f70656e73637265656e5f6d646e73" # CLIENT INFO @@ -28,8 +25,11 @@ tcp: type: hex - data: "7368656c6c3a70776400" # SHELL: PWD type: hex - + host: + - "{{Hostname}}" + port: 5555 read-size: 1024 + matchers: - type: binary binary: diff --git a/network/honeypot/conpot-siemens-honeypot-detect.yaml b/network/honeypot/conpot-siemens-honeypot-detect.yaml index 133839384f..21da8a58ee 100644 --- a/network/honeypot/conpot-siemens-honeypot-detect.yaml +++ b/network/honeypot/conpot-siemens-honeypot-detect.yaml @@ -14,14 +14,15 @@ info: tags: conpot,siemens,honeypot,ir,cti,network tcp: - - host: - - "{{Hostname}}" - port: 102 - inputs: + - inputs: - data: "0300001611e00000000400c1020100c2020102c0010a" type: hex + host: + - "{{Hostname}}" + port: 102 read-size: 1024 + matchers: - type: binary binary: diff --git a/network/honeypot/cowrie-ssh-honeypot-detect.yaml b/network/honeypot/cowrie-ssh-honeypot-detect.yaml index abbf3c0f9c..dbd87ad24b 100644 --- a/network/honeypot/cowrie-ssh-honeypot-detect.yaml +++ b/network/honeypot/cowrie-ssh-honeypot-detect.yaml @@ -14,13 +14,13 @@ info: tags: cowrie,twisted,ssh,honeypot,ir,cti,network tcp: - - host: + - inputs: + - data: "SSH-1337-OpenSSH_9.0\r\n" + + host: - '{{Hostname}}' port: 22 - inputs: - - data: "SSH-1337-OpenSSH_9.0\r\n" - matchers-condition: and matchers: - type: regex 
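Review bot: The conpot hunk's hex input carries no comment saying what is sent, unlike the adbhoney inputs in this same patch that annotate theirs with `# CNXN` and `# SHELL: PWD`. The bytes decode as a TPKT header followed by a COTP Connection Request (PDU type `0xe0`, source and destination TSAP parameters, and a TPDU-size parameter), i.e. the ISO-TSAP handshake a Siemens S7 client opens with on port 102, so add `# TPKT + COTP Connection Request (ISO-TSAP / S7 handshake)` after the `type: hex` line. The binary matchers that interpret the reply are past the end of the hunk.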
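Review bot: The cowrie hunk quotes the host as `'{{Hostname}}'` while every other template touched by this patch writes `"{{Hostname}}"`; both parse identically, but the directory should settle on one form. More importantly, the banner `SSH-1337-OpenSSH_9.0\r\n` advertises an SSH protocol major version that is not valid, which reads as the deliberate discriminator between a real sshd and the honeypot, yet nothing in the file says so. Add a comment such as `# intentionally invalid SSH protocol version (not a typo); the matcher keys on the peer's reaction` — hedged, because the regex matcher that actually decides is past the end of the hunk — so a later cleanup does not "correct" it to `SSH-2.0`.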
diff --git a/network/honeypot/dionaea-ftp-honeypot-detect.yaml b/network/honeypot/dionaea-ftp-honeypot-detect.yaml index 1e7d6fdc7c..e6a35772d3 100644 --- a/network/honeypot/dionaea-ftp-honeypot-detect.yaml +++ b/network/honeypot/dionaea-ftp-honeypot-detect.yaml @@ -14,16 +14,17 @@ info: tags: dionaea,ftp,honeypot,ir,cti,network tcp: - - host: - - "{{Hostname}}" - port: 21 - inputs: + - inputs: - data: "USER root\r\n" read: 1024 - data: "PASS \r\n" read: 1024 + host: + - "{{Hostname}}" + port: 21 read-size: 2048 + matchers: - type: word words: diff --git a/network/honeypot/dionaea-mqtt-honeypot-detect.yaml b/network/honeypot/dionaea-mqtt-honeypot-detect.yaml index 4242b1d5b9..c97064e4eb 100644 --- a/network/honeypot/dionaea-mqtt-honeypot-detect.yaml +++ b/network/honeypot/dionaea-mqtt-honeypot-detect.yaml @@ -9,20 +9,22 @@ info: The response to a MQTTv5 packet differs from real installations, signaling a possible deceptive setup. metadata: max-request: 2 + verified: true + shodan-query: product:"MQTT" vendor: dionaea product: mqtt tags: dionaea,mqtt,honeypot,ir,cti,network tcp: - - host: - - "{{Hostname}}" - port: 1883 - - inputs: + - inputs: - data: "101000044d5154540502003c032100140000" type: hex + host: + - "{{Hostname}}" + port: 1883 read-size: 1024 + matchers: - type: binary binary: diff --git a/network/honeypot/dionaea-mysql-honeypot-detect.yaml b/network/honeypot/dionaea-mysql-honeypot-detect.yaml index 9598d9b98c..35b80df36c 100644 --- a/network/honeypot/dionaea-mysql-honeypot-detect.yaml +++ b/network/honeypot/dionaea-mysql-honeypot-detect.yaml @@ -20,7 +20,6 @@ tcp: host: - "{{Hostname}}" port: 3306 - read-size: 1024 matchers-condition: and diff --git a/network/honeypot/dionaea-smb-honeypot-detect.yaml b/network/honeypot/dionaea-smb-honeypot-detect.yaml index ca7c337997..175e1e22de 100644 --- a/network/honeypot/dionaea-smb-honeypot-detect.yaml +++ b/network/honeypot/dionaea-smb-honeypot-detect.yaml 
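Review bot: The ftp template's inputs perform a real login attempt (`USER root\r\n` followed by `PASS \r\n`, an empty password) and nothing in the file says so; against a production FTP server this is logged as a failed root authentication, may count toward lockout thresholds, and will be flagged as a credential probe by anyone watching those logs. Add `# active login attempt: USER root with an empty password; expect auth-failure log entries on real servers` above the inputs, and consider stating the same in the info description so operators running the honeypot tag set know this check is not passive. The word matchers that evaluate the reply are past the end of the hunk.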
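Review bot: The mqtt hunk keeps `max-request: 2` for a tcp block with a single input, while the smb hunk in this same patch lowers that field from 2 to 1 for an identically shaped single-input block; if the smb change reflects the intended counting, mqtt (and gaspot, mailoney and redis, each also one input) should become `max-request: 1`, otherwise smb is the odd one out and should be reverted. The hex input also lacks a comment: the bytes start with a CONNECT fixed header, the `MQTT` protocol name and protocol level `0x05`, so `# MQTT CONNECT, protocol level 5` after the `type: hex` line would tie the payload to the description's "MQTTv5 packet" wording.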
@@ -8,21 +8,22 @@ info: A Dionaea SMB honeypot has been identified. The response to an SMB connection packet differs from real installations, signaling a possible deceptive setup. metadata: - max-request: 2 + max-request: 1 + shodan-query: port:445 vendor: dionaea product: dionaea tags: dionaea,smb,honeypot,ir,cti,network tcp: - - host: - - "{{Hostname}}" - port: 445 - - inputs: + - inputs: - data: "00000045ff534d4272000000000801c8000000000000000000000000ffff0100ffff0000002200024e54204c4d20302e31320002534d4220322e3030320002534d4220322e3f3f3f00" type: hex + host: + - "{{Hostname}}" + port: 445 read-size: 1024 + matchers: - type: binary binary: diff --git a/network/honeypot/gaspot-honeypot-detect.yaml b/network/honeypot/gaspot-honeypot-detect.yaml index eae24c126b..c662e97ca1 100644 --- a/network/honeypot/gaspot-honeypot-detect.yaml +++ b/network/honeypot/gaspot-honeypot-detect.yaml @@ -9,18 +9,20 @@ info: The response to the '^AI21400' command differs from real installations, signaling a possible deceptive setup. metadata: max-request: 2 + shodan-query: port:10001 vendor: gaspot product: veeder-root tags: gaspot,veeder-root,ics,honeypot,ir,cti,network tcp: - - host: - - "{{Hostname}}" - port: 10001 - inputs: + - inputs: - data: "^AI21400" + host: + - "{{Hostname}}" + port: 10001 read-size: 1024 + matchers: - type: word words: diff --git a/network/honeypot/mailoney-honeypot-detect.yaml b/network/honeypot/mailoney-honeypot-detect.yaml index 9a586073a2..aa7bd399f4 100644 --- a/network/honeypot/mailoney-honeypot-detect.yaml +++ b/network/honeypot/mailoney-honeypot-detect.yaml @@ -14,15 +14,15 @@ info: tags: mailoney,exim,smtp,honeypot,ir,cti,network tcp: - - host: - - "{{Hostname}}" - port: 25 - - inputs: + - inputs: - data: "HELP\r\n" read: 1024 + host: + - "{{Hostname}}" + port: 25 read-size: 1024 + matchers: - type: word words: diff --git a/network/honeypot/redis-honeypot-detect.yaml b/network/honeypot/redis-honeypot-detect.yaml index 40a9f57c97..baba74b66b 100644 
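Review bot: `shodan-query: port:445`, added in the smb hunk, is not a fingerprint for Dionaea — it matches every SMB host Shodan has indexed and gives the analyst no pivot; the same applies to `port:10001` on gaspot and `redis` on redis. Either drop the key or use a Dionaea-specific banner or response attribute if one is actually known; a catch-all is worse than no query because it implies a pivot that does not exist. The hex input also deserves a comment like the adbhoney ones: the ASCII tail of the payload spells the dialects `NT LM 0.12`, `SMB 2.002` and `SMB 2.???`, so `# SMB1 Negotiate Protocol Request (dialects: NT LM 0.12, SMB 2.002, SMB 2.???)` after the `type: hex` line would spare the next reader a decode.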
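Review bot: The gaspot input sends the eight literal ASCII bytes `^AI21400`, but `^A` is the usual on-screen rendering of the SOH control byte (0x01), which, to my knowledge, is how Veeder-Root TLS-style ATG commands begin; if SOH was intended, a real device receives a caret and the letter A instead and the probe is not testing what the description claims. Confirm against the honeypot source, and if the control byte is meant, send it as hex — `- data: "01493231343030"` with `type: hex` and a comment `# SOH + I21400` — whereas if the literal caret is deliberate, say so in a comment so nobody "corrects" it later. The word matchers the check relies on are past the end of the hunk.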
--- a/network/honeypot/redis-honeypot-detect.yaml +++ b/network/honeypot/redis-honeypot-detect.yaml @@ -9,19 +9,20 @@ info: The response to the 'QUIT' command differs from real installations, signaling a possible deceptive setup. metadata: max-request: 2 + shodan-query: redis vendor: redis product: redis tags: redis,honeypot,ir,cti,network tcp: - - host: - - "{{Hostname}}" - port: 6379 - - inputs: + - inputs: - data: "QUIT" + host: + - "{{Hostname}}" + port: 6379 read-size: 1024 + matchers: - type: word words:
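Review bot: The redis input sends `QUIT` with no trailing `\r\n`; a real Redis server buffers an inline command until it sees a newline, so on a genuine instance this read most likely just times out while a honeypot that does not implement inline parsing answers anyway. If that is the intended discriminator (the description does say the response "differs from real installations") it needs a comment such as `# no CRLF on purpose: a real redis-server waits for a line terminator before replying`; if not, it is a bug and the line should be `- data: "QUIT\r\n"`. The word matchers that decide are past the end of the hunk. Separately, `shodan-query: redis` is a product-wide catch-all rather than a honeypot fingerprint and adds noise instead of a pivot.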