id: dionaea-mqtt-honeypot-detect

info:
  name: Dionaea MQTT Honeypot - Detect
  author: UnaPibaGeek
  severity: info
  description: |
    A Dionaea MQTT honeypot has been identified.
    The response to a MQTTv5 packet differs from real installations, signaling a possible deceptive setup.
  metadata:
    max-request: 1
    product: mqtt
    shodan-query: product:"MQTT"
    vendor: dionaea
    verified: true
  tags: dionaea,mqtt,honeypot,ir,cti,network

tcp:
  - inputs:
      - data: "101000044d5154540502003c032100140000"
        type: hex

    host:
      - "{{Hostname}}"
    port: 1883
    read-size: 1024

    matchers:
      - type: binary
        binary:
          - "20020000"
# digest: 4a0a0047304502207ca41b9211ec28d969cf94bfdc895e675c57ebf96e08edb9f2e26d7f16273dde022100f25194d88c3f7c2534b9f6c2784011a123614aacd228d19e96b659af8c9f2315:922c64590222798bb761d5b6d8e72950