Merge pull request #5130 from HJ23/master

network script updates
patch-1
Prince Chaddha 2022-08-17 05:50:13 +04:00 committed by GitHub
commit fec3a8a8a8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
21 changed files with 52 additions and 10 deletions

View File

@ -4,6 +4,8 @@ info:
name: Cowrie SSH Honeypot Detect
author: thesubtlety
severity: info
description: |
Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker. In medium interaction mode (shell) it emulates a UNIX system in Python, in high interaction mode (proxy) it functions as an SSH and telnet proxy to observe attacker behavior to another system.
reference:
- https://web.archive.org/web/20170826075224/https://morris.sc/detecting-kippo-ssh-honeypots/
- https://github.com/blazeinfosec/detect-kippo-cowrie/blob/master/detectKippoCowrie.py
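Review bot: Wording in the new description block: "observe attacker behavior to another system" does not parse; suggest "it acts as an SSH and Telnet proxy in front of a separate system so the attacker's session can be observed". Also hyphenate "brute-force attacks" when used as a modifier. The rest of the block reads fine and the severity/reference lines are untouched.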

View File

@ -4,6 +4,8 @@ info:
name: Detect AddPac Technology GSM VoIP Gateway
author: geeknik
severity: info
description: |
AddPac GSM Gateway solution provides GSM VoIP gateway function from 1 Port up to 80 Ports.
reference:
- http://www.addpac.com/addpac_eng2/down.php?file=505_f16.pdf
tags: network,addpac,apos,voip
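Review bot: The added description is product marketing ("from 1 Port up to 80 Ports") and does not say what the template actually detects. For an info-severity detect template, a one-line statement of what is being identified (an AddPac GSM VoIP gateway exposed on the network) is more useful to whoever reads the finding; if the port-count sentence stays, lowercase "port".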

View File

@ -4,6 +4,8 @@ info:
name: Detect rsyncd
author: vsh00t,geeknik
severity: info
description: |
Rsync is a fast and extraordinarily versatile file copying tool. It can copy locally, to/from another host over any remote shell, or to/from a remote rsync daemon.
reference:
- https://linux.die.net/man/1/rsync
tags: network,rsyncd
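Review bot: The description is lifted from the rsync(1) man page and describes the client tool, whereas the template name ("Detect rsyncd") and tag ("rsyncd") target the daemon. Suggest adding a sentence along the lines of "This template identifies a remote rsync daemon exposed on the network", since the exposed daemon, not the copying tool, is the security-relevant condition here.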

View File

@ -4,6 +4,8 @@ info:
name: EXPN Mail Server Detect
author: r3dg33k
severity: info
description: |
The "EXPN" can be used by attackers to learn about valid usernames on the target system. On some SMTP servers, EXPN can be used to show the subscribers of a mailing list subscription lists are generally considered to be sensitive information.
tags: mail,expn,network
network:
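Review bot: The description runs two sentences together: "...EXPN can be used to show the subscribers of a mailing list subscription lists are generally considered to be sensitive information." Split after "mailing list" (e.g. "...of a mailing list; subscription lists are generally considered sensitive information.") and write "The EXPN command" rather than "The "EXPN"".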
@ -19,4 +21,4 @@ network:
matchers:
- type: word
words:
- "250-EXPN"
- "250-EXPN"
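Review bot: This second hunk (@ -19,4 +21,4) only re-emits the final matcher line "250-EXPN", so it appears to be a trailing-newline change at end of file rather than a functional edit; fine to keep, just noting it so it is not read as a matcher change.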

View File

@ -5,6 +5,8 @@ info:
author: pussycat0x
severity: info
tags: network,ftp,default-login,service
description: |
Using the Internet's File Transfer Protocol (FTP), anonymous FTP is a method for giving users access to files so that they don't need to identify themselves to the server.
network:
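Review bot: The opening phrase is a dangling modifier: "Using the Internet's File Transfer Protocol (FTP), anonymous FTP is a method..." Suggest "Anonymous FTP is a method of giving users access to files over FTP without requiring them to authenticate to the server." Also, this file inserts the description block after tags, whereas the first files in this PR (Cowrie, AddPac, rsyncd) insert it before reference/tags; not a functional issue, but worth aligning the key order across the set.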

View File

@ -5,6 +5,8 @@ info:
author: pry0cc
severity: info
tags: network,gopher
description: |
Gopher is an application-layer protocol that provides the ability to extract and view Web documents stored on remote Web servers.
network:
- inputs:
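Review bot: The description is inaccurate: Gopher is a pre-Web, menu-oriented document protocol and does not retrieve "Web documents stored on remote Web servers". Suggest "Gopher is an application-layer protocol for retrieving and viewing menu-structured documents from remote Gopher servers."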
@ -16,4 +18,4 @@ network:
matchers:
- type: dsl
dsl:
- "contains(to_lower(raw), 'gopher')"
- "contains(to_lower(raw), 'gopher')"

View File

@ -7,6 +7,8 @@ info:
metadata:
fofa-query: app="iPlanet-Messaging-Server-5.2" && protocol="imap"
tags: network,imap
description: |
iPlanet Messaging Server is a powerful, standards-based Internet messaging server designed for high-capacity, reliable handling of the messaging needs.
network:
- inputs:
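Review bot: The sentence ends mid-phrase: "reliable handling of the messaging needs." (needs of whom?). Either drop "the" or finish the phrase. Since the fofa-query already pins the product and protocol ("iPlanet-Messaging-Server-5.2", imap), a second sentence saying the template identifies an iPlanet Messaging Server exposed over IMAP would be more useful than the vendor adjectives.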

View File

@ -5,6 +5,8 @@ info:
author: F1tz
severity: info
tags: network,rmi,java
description: |
A security vulnerability in the Remote Method Invocation component of the Java Runtime Environment allows unauthenticated network attacks which can result in unauthorized operating system takeover including arbitrary code execution.
network:
- inputs:
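Review bot: The description asserts a concrete vulnerability ("unauthenticated network attacks which can result in unauthorized operating system takeover including arbitrary code execution") but the file carries no reference for it, and severity stays at info with tags network,rmi,java, i.e. this is a service-detection template. Either add the advisory this text was taken from under reference, or reword the description to state what is detected (an exposed Java RMI endpoint) and why that exposure matters.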

View File

@ -5,6 +5,8 @@ info:
author: pdteam
severity: low
tags: network,memcached
description: |
Memcached stats is used to return server statistics such as PID, version, connections, etc.
network:
- inputs:
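Review bot: Grammar: "Memcached stats is used to return server statistics" should read "The memcached stats command returns server statistics". Given severity is low and the matcher keys on "STAT " in the reply, the description should also say the template detects an instance that answers the stats command without authentication, which is the actual finding.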
@ -18,4 +20,4 @@ network:
matchers:
- type: word
words:
- "STAT "
- "STAT "

View File

@ -7,6 +7,8 @@ info:
reference:
- https://github.com/orleven/Tentacle
tags: network,mongodb
description: |
MongoDB is an open source NoSQL database management program. NoSQL is used as an alternative to traditional relational databases.
network:
- inputs:
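Review bot: The second sentence ("NoSQL is used as an alternative to traditional relational databases") explains NoSQL rather than the finding. Suggest replacing it with a statement that the template identifies an exposed MongoDB service from the fields it matches in the server response ("logicalSessionTimeout", "localTime", per the matcher below).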
@ -22,4 +24,4 @@ network:
- type: word
words:
- "logicalSessionTimeout"
- "localTime"
- "localTime"

View File

@ -11,6 +11,9 @@ info:
- https://nvd.nist.gov/vuln/detail/CVE-2018-15473
- http://seclists.org/fulldisclosure/2016/Jul/51
tags: network,ssh,openssh
description: |
OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.
network:
- host:
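Review bot: The description is the openssh.com product blurb and says nothing about what the template does. The reference list already includes CVE-2018-15473 and the extractor below pulls the OpenSSH version string from the banner, so a sentence such as "This template extracts the OpenSSH version string from the SSH banner so it can be checked against known vulnerable releases" would make the finding self-explanatory.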
@ -25,4 +28,4 @@ network:
extractors:
- type: regex
regex:
- '(?i)SSH-(.*)-OpenSSH_[^\r]+'
- '(?i)SSH-(.*)-OpenSSH_[^\r]+'

View File

@ -7,6 +7,8 @@ info:
reference:
- https://book.hacktricks.xyz/pentesting/9100-pjl
tags: network,iot,printer
description: |
Unauthorized access to printers allows attackers to print, eavesdrop sensitive documents.
network:
- inputs:
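Review bot: Grammar: "allows attackers to print, eavesdrop sensitive documents" should read "allows attackers to print documents or eavesdrop on sensitive ones". Since the tags and reference point at PJL on port 9100, naming the protocol ("an exposed PJL printer port") in the description would help readers of the finding.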

View File

@ -7,6 +7,8 @@ info:
metadata:
verified: true
tags: network,windows,rdp
description: |
Remote Desktop Protocol allows users to connect and control remote server easily.
network:
- inputs:
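Review bot: Grammar: "connect and control remote server easily" should be "connect to and control remote systems"; "easily" adds nothing. A detect template's description is also the place to say what the result means, e.g. "This template identifies a host exposing RDP on the network."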

View File

@ -5,6 +5,8 @@ info:
author: randomstr1ng
severity: info
tags: network,sap
description: |
SAProuter is a software application that provides a remote connection between our customer's network and SAP.
network:
- inputs:
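Review bot: "between our customer's network and SAP" is SAP's own first-person marketing voice and reads oddly in a third-party template. Suggest "SAProuter is an SAP program that proxies connections between a customer's network and SAP."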
@ -19,4 +21,4 @@ network:
matchers:
- type: word
words:
- "SAProuter"
- "SAProuter"

View File

@ -7,6 +7,8 @@ info:
reference:
- https://stealthbits.com/blog/what-is-smbv1-and-why-you-should-disable-it/
tags: network,windows,smb,service
description: |
SMB (Server Message Block) is a network-layered protocol mainly used on Windows for sharing files, printers, and communication between network-attached computers. SMB related vulnerabilities can be levaraged to comprimise large-scale systems.
network:
- inputs:
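Review bot: Two typos in the new description: "levaraged" (leveraged) and "comprimise" (compromise). Also "network-layered protocol" is wrong for SMB, which is an application-layer protocol; suggest "SMB (Server Message Block) is an application-layer network protocol mainly used on Windows for file and printer sharing and inter-process communication between networked computers." The stealthbits reference already covers why SMBv1 specifically is a problem, so the last sentence could say that instead of the generic "large-scale systems".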
@ -20,4 +22,4 @@ network:
matchers:
- type: word
words:
- "SMBr"
- "SMBr"

View File

@ -5,6 +5,8 @@ info:
author: pussycat0x
severity: info
tags: network,service,smtp
description: |
SMTP is part of the application layer of the TCP/IP protocol. Using a process called “store and forward,” SMTP moves your email on and across networks.
network:
- inputs:
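Review bot: "the application layer of the TCP/IP protocol" should be "the TCP/IP protocol suite"; also the typographic quotes around “store and forward,” should be plain ASCII quotes for consistency with the other templates, and "your email" is second-person copy that does not fit a template description.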

View File

@ -5,6 +5,8 @@ info:
author: r3dg33k
severity: info
tags: mail,starttls,network
description: |
STARTTLS is an email protocol command that tells an email server that an email client, including an email client running in a web browser, wants to turn an existing insecure connection into a secure one.
network:
- inputs:

View File

@ -5,6 +5,8 @@ info:
author: princechaddha
severity: info
tags: mail,smtp,network,totemomail
description: |
Totemomail is a comprehensive email solution designed to address all aspects of digital communication security.
network:
- inputs:
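Review bot: The description is vendor marketing ("comprehensive email solution designed to address all aspects of digital communication security") and does not say what is detected. Given the tags (mail, smtp, totemomail), suggest stating that the template identifies a Totemomail server exposed over SMTP.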

View File

@ -7,6 +7,9 @@ info:
reference:
- https://tools.ietf.org/html/rfc2577
tags: network,ftp
description: |
Anonymous FTP access allows anyone to access your public_ftp folder, allowing unidentified visitors to download (and possibly upload) files on your website. Anonymous FTP creates the potential for a security hole for hackers and is not recommended.
network:
- inputs:
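Review bot: "your public_ftp folder" is cPanel-specific terminology and "on your website" / "security hole for hackers" is informal second-person copy; the RFC 2577 reference is the right source to paraphrase. Suggest "Anonymous FTP allows any client to log in without credentials and download, and possibly upload, files on the server. This exposes whatever the server shares and is generally not recommended." Note this file's hunk header is +9 while the other description hunks are +8, so please check for an accidental extra blank line.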
@ -20,4 +23,4 @@ network:
- type: word
words:
- "Anonymous access allowed,"
part: response
part: response

View File

@ -4,8 +4,9 @@ info:
name: Detect Weblogic IIOP Protocol
author: F1tz
severity: info
description: Check IIOP protocol status.
tags: network,weblogic
description: |
The IIOP (Internet Inter-ORB Protocol) protocol makes it possible for distributed programs written in different programming languages to communicate over the Internet.
network:
- inputs:
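Review bot: This hunk shows both the old one-line "description: Check IIOP protocol status." and the new "description: |" block; the header (@ -4,8 +4,9) indicates one line removed, so please confirm the single-line description is the one being deleted. If both survive, the info mapping would contain a duplicate "description" key, which is invalid YAML and would be rejected or silently overridden by the template loader.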

View File

@ -4,8 +4,9 @@ info:
name: Detect Weblogic T3 Protocol
author: F1tz,milo2012,wdahlenb
severity: info
description: Check T3 protocol status.
tags: network,weblogic
description: |
T3 is the protocol used to transport information between WebLogic servers and other types of Java programs.
network:
- inputs:
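Review bot: Same check as the IIOP file: the hunk shows the old "description: Check T3 protocol status." alongside the new "description: |" block with a net change of one line (@ -4,8 +4,9). Please confirm the old single-line description is removed so that the info mapping does not end up with two "description" keys.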