id: dionaea-mysql-honeypot-detect

info:
  name: Dionaea MySQL Honeypot - Detect
  author: UnaPibaGeek
  severity: info
  description: |
    A MySQL honeypot has been identified.
    The response to a connection command differs from real installations, signaling a possible deceptive setup.
  metadata:
    max-request: 1
    product: mysql
    vendor: dionaea
  tags: dionaea,mysql,honeypot,ir,cti,network

tcp:
  - inputs:
      - data: "\x4a\x00\x00\x00\x0a\x35\x2e\x31\x2e\x32\x39\x00\x0b\x00\x00\x00\x21\x3e\x34\x1b\x51\x3f\x34\x33\x60\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

    host:
      - "{{Hostname}}"
    port: 3306
    read-size: 1024

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "5.7.16"

      - type: word
        words:
          - "aaaaaaaa"
# digest: 4b0a00483046022100eb041d1ba42ba51c23e691ea05f46717944ab8dd19b6921b7c14acb089a169f8022100efab67dfab1c44bfd975d2bfdc8a1c8aef6e5e2d58766138ea79c6be10982f35:922c64590222798bb761d5b6d8e72950