id: cowrie-honeypot-detect

info:
  name: Cowrie SSH Honeypot Detect
  author: thesubtlety
  severity: info
  description: |
    Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker. In medium interaction mode (shell) it emulates a UNIX system in Python, in high interaction mode (proxy) it functions as an SSH and telnet proxy to observe attacker behavior to another system.
  reference:
    - https://web.archive.org/web/20170826075224/https://morris.sc/detecting-kippo-ssh-honeypots/
    - https://github.com/blazeinfosec/detect-kippo-cowrie/blob/master/detectKippoCowrie.py
    - https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssh/detect_kippo.rb
  tags: network,ssh,honeypot,msf

network:
  - host:
      - '{{Hostname}}'
      - '{{Host}}:22'

    inputs:
      - data: "\n"

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - 'SSH\-([0-9.-A-Za-z_ ]+)'

      - type: word
        words:
          - Invalid SSH identification string