minor - update

2023-11-08 20:42:25 +05:30 · 2023-11-08 20:42:25 +05:30 · 823f2a2dce
parent b1846a1871
commit 823f2a2dce
13 changed files with 60 additions and 47 deletions
--- a/http/honeypot/citrix-honeypot-detect.yaml
+++ b/http/honeypot/citrix-honeypot-detect.yaml
@ -9,6 +9,8 @@ info:
    The HTTP response reveals a possible setup of the Citrix web application honeypot.
  metadata:
    max-request: 2
+    verified: true
+    shodan-query: http.title:“Citrix Login” 
    vendor: citrix
    product: citrix
  tags: citrix,honeypot,ir,cti
--- a/http/honeypot/snare-honeypot-detect.yaml
+++ b/http/honeypot/snare-honeypot-detect.yaml
@ -9,6 +9,9 @@ info:
    The response to an incorrect HTTP version reveals a possible setup of the Snare web application honeypot.
  metadata:
    max-request: 2
+    verified: true
+    verified: true
+    shodan-query: Server: Python/3.10 aiohttp/3.8.3
    vendor: snare
    product: http
  tags: snare,honeypot,ir,cti
--- a/network/honeypot/adbhoney-honeypot-cnxn-detect.yaml
+++ b/network/honeypot/adbhoney-honeypot-cnxn-detect.yaml
@ -16,16 +16,17 @@ info:
  tags: adbhoney,android,adb,honeypot,ir,cti,network

 tcp:
-  - host:
-      - "{{Hostname}}"
-    port: 5555
-    inputs:
+  - inputs:
      - data: "434e584e0100000100001000ea000000445b0000bcb1a7b1" # CNXN
        type: hex
      - data: "686f73743a3a66656174757265733d7368656c6c5f76322c636d642c737461745f76322c6c735f76322c66697865645f707573685f6d6b6469722c617065782c6162622c66697865645f707573685f73796d6c696e6b5f74696d657374616d702c6162625f657865632c72656d6f756e745f7368656c6c2c747261636b5f6170702c73656e64726563765f76322c73656e64726563765f76325f62726f746c692c73656e64726563765f76325f6c7a342c73656e64726563765f76325f7a7374642c73656e64726563765f76325f6472795f72756e5f73656e642c6f70656e73637265656e5f6d646e73" # CLIENT INFO
        type: hex

+    host:
+      - "{{Hostname}}"
+    port: 5555
    read-size: 1024
+
    matchers:
      - type: word
        words:
--- a/network/honeypot/adbhoney-honeypot-shell-detect.yaml
+++ b/network/honeypot/adbhoney-honeypot-shell-detect.yaml
@ -16,10 +16,7 @@ info:
  tags: adbhoney,android,adb,honeypot,ir,cti,network

 tcp:
-  - host:
-      - "{{Hostname}}"
-    port: 5555
-    inputs:
+  - inputs:
      - data: "434e584e0100000100001000ea000000445b0000bcb1a7b1" # CNXN
        type: hex
      - data: "686f73743a3a66656174757265733d7368656c6c5f76322c636d642c737461745f76322c6c735f76322c66697865645f707573685f6d6b6469722c617065782c6162622c66697865645f707573685f73796d6c696e6b5f74696d657374616d702c6162625f657865632c72656d6f756e745f7368656c6c2c747261636b5f6170702c73656e64726563765f76322c73656e64726563765f76325f62726f746c692c73656e64726563765f76325f6c7a342c73656e64726563765f76325f7a7374642c73656e64726563765f76325f6472795f72756e5f73656e642c6f70656e73637265656e5f6d646e73" # CLIENT INFO
@ -28,8 +25,11 @@ tcp:
        type: hex
      - data: "7368656c6c3a70776400" # SHELL: PWD
        type: hex
-
+    host:
+      - "{{Hostname}}"
+    port: 5555
    read-size: 1024
+
    matchers:
      - type: binary
        binary:
--- a/network/honeypot/conpot-siemens-honeypot-detect.yaml
+++ b/network/honeypot/conpot-siemens-honeypot-detect.yaml
@ -14,14 +14,15 @@ info:
  tags: conpot,siemens,honeypot,ir,cti,network

 tcp:
-  - host:
-      - "{{Hostname}}"
-    port: 102
-    inputs:
+  - inputs:
      - data: "0300001611e00000000400c1020100c2020102c0010a"
        type: hex

+    host:
+      - "{{Hostname}}"
+    port: 102
    read-size: 1024
+
    matchers:
      - type: binary
        binary:
--- a/network/honeypot/cowrie-ssh-honeypot-detect.yaml
+++ b/network/honeypot/cowrie-ssh-honeypot-detect.yaml
@ -14,13 +14,13 @@ info:
  tags: cowrie,twisted,ssh,honeypot,ir,cti,network

 tcp:
-  - host:
+  - inputs:
+      - data: "SSH-1337-OpenSSH_9.0\r\n"
+
+    host:
      - '{{Hostname}}'
    port: 22

-    inputs:
-      - data: "SSH-1337-OpenSSH_9.0\r\n"
-
    matchers-condition: and
    matchers:
      - type: regex
--- a/network/honeypot/dionaea-ftp-honeypot-detect.yaml
+++ b/network/honeypot/dionaea-ftp-honeypot-detect.yaml
@ -14,16 +14,17 @@ info:
  tags: dionaea,ftp,honeypot,ir,cti,network

 tcp:
-  - host:
-      - "{{Hostname}}"
-    port: 21
-    inputs:
+  - inputs:
      - data: "USER root\r\n"
        read: 1024
      - data: "PASS \r\n"
        read: 1024

+    host:
+      - "{{Hostname}}"
+    port: 21
    read-size: 2048
+
    matchers:
      - type: word
        words:
--- a/network/honeypot/dionaea-mqtt-honeypot-detect.yaml
+++ b/network/honeypot/dionaea-mqtt-honeypot-detect.yaml
@ -9,20 +9,22 @@ info:
    The response to a MQTTv5 packet differs from real installations, signaling a possible deceptive setup.
  metadata:
    max-request: 2
+    verified: true
+    shodan-query: product:"MQTT"
    vendor: dionaea
    product: mqtt
  tags: dionaea,mqtt,honeypot,ir,cti,network

 tcp:
-  - host:
-      - "{{Hostname}}"
-    port: 1883
-
-    inputs:
+  - inputs:
      - data: "101000044d5154540502003c032100140000"
        type: hex

+    host:
+      - "{{Hostname}}"
+    port: 1883
    read-size: 1024
+
    matchers:
      - type: binary
        binary:
--- a/network/honeypot/dionaea-mysql-honeypot-detect.yaml
+++ b/network/honeypot/dionaea-mysql-honeypot-detect.yaml
@ -20,7 +20,6 @@ tcp:
    host:
      - "{{Hostname}}"
    port: 3306
-
    read-size: 1024

    matchers-condition: and
--- a/network/honeypot/dionaea-smb-honeypot-detect.yaml
+++ b/network/honeypot/dionaea-smb-honeypot-detect.yaml
@ -8,21 +8,22 @@ info:
    A Dionaea SMB honeypot has been identified.
    The response to an SMB connection packet differs from real installations, signaling a possible deceptive setup.
  metadata:
-    max-request: 2
+    max-request: 1
+    shodan-query: port:445
    vendor: dionaea
    product: dionaea
  tags: dionaea,smb,honeypot,ir,cti,network

 tcp:
-  - host:
-      - "{{Hostname}}"
-    port: 445
-
-    inputs:
+  - inputs:
      - data: "00000045ff534d4272000000000801c8000000000000000000000000ffff0100ffff0000002200024e54204c4d20302e31320002534d4220322e3030320002534d4220322e3f3f3f00"
        type: hex

+    host:
+      - "{{Hostname}}"
+    port: 445
    read-size: 1024
+
    matchers:
      - type: binary
        binary:
--- a/network/honeypot/gaspot-honeypot-detect.yaml
+++ b/network/honeypot/gaspot-honeypot-detect.yaml
@ -9,18 +9,20 @@ info:
    The response to the '^AI21400' command differs from real installations, signaling a possible deceptive setup.
  metadata:
    max-request: 2
+    shodan-query: port:10001
    vendor: gaspot
    product: veeder-root
  tags: gaspot,veeder-root,ics,honeypot,ir,cti,network

 tcp:
-  - host:
-      - "{{Hostname}}"
-    port: 10001
-    inputs:
+  - inputs:
      - data: "^AI21400"

+    host:
+      - "{{Hostname}}"
+    port: 10001      
    read-size: 1024
+
    matchers:
      - type: word
        words:
--- a/network/honeypot/mailoney-honeypot-detect.yaml
+++ b/network/honeypot/mailoney-honeypot-detect.yaml
@ -14,15 +14,15 @@ info:
  tags: mailoney,exim,smtp,honeypot,ir,cti,network

 tcp:
-  - host:
-      - "{{Hostname}}"
-    port: 25
-
-    inputs:
+  - inputs:
      - data: "HELP\r\n"
        read: 1024

+    host:
+      - "{{Hostname}}"
+    port: 25
    read-size: 1024
+
    matchers:
      - type: word
        words:
--- a/network/honeypot/redis-honeypot-detect.yaml
+++ b/network/honeypot/redis-honeypot-detect.yaml
@ -9,19 +9,20 @@ info:
    The response to the 'QUIT' command differs from real installations, signaling a possible deceptive setup.
  metadata:
    max-request: 2
+    shodan-query: redis
    vendor: redis
    product: redis
  tags: redis,honeypot,ir,cti,network

 tcp:
-  - host:
-      - "{{Hostname}}"
-    port: 6379
-
-    inputs:
+  - inputs:
      - data: "QUIT"

+    host:
+      - "{{Hostname}}"
+    port: 6379
    read-size: 1024
+
    matchers:
      - type: word
        words: