36 lines
896 B
YAML
36 lines
896 B
YAML
id: honeypot-detect
|
|
|
|
info:
|
|
name: Honeypot Detection
|
|
author: j4vaovo
|
|
severity: info
|
|
description: |
|
|
Honeypot was Detected.
|
|
reference:
|
|
- https://github.com/zema1/yarx
|
|
metadata:
|
|
max-request: 1
|
|
tags: honeypot,tech,cti
|
|
variables:
|
|
rand1: "{{randstr}}"
|
|
rand2: "{{rand_int(11111, 99999)}}"
|
|
rand3: "{{randstr}}"
|
|
|
|
http:
|
|
- method: GET
|
|
path:
|
|
- "{{BaseURL}}/?{{rand1}}=../../../../../../../../etc/passwd&{{rand3}}=1%20and%20updatexml(1,concat(0x7e,(select%20md5({{rand2}}))),1)"
|
|
|
|
matchers-condition: or
|
|
matchers:
|
|
- type: regex
|
|
regex:
|
|
- "root:[x*]:0:0"
|
|
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- '{{md5({{rand2}})}}'
|
|
|
|
# digest: 4a0a0047304502210083990c596350d6c5a038d9bafb347b8548401c473917a664781c9041a263482e02202db480b104a846e016bb209ad90dbfd99b7751eb394184eb1f17af90265ca465:922c64590222798bb761d5b6d8e72950
|