nuclei-templates/network/cowrie-honeypot-detect.yaml

33 lines
1.1 KiB
YAML

id: cowrie-honeypot-detect
info:
name: Cowrie SSH Honeypot Detect
author: thesubtlety
severity: info
description: |
Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker. In medium interaction mode (shell) it emulates a UNIX system in Python, in high interaction mode (proxy) it functions as an SSH and telnet proxy to observe attacker behavior to another system.
reference:
- https://web.archive.org/web/20170826075224/https://morris.sc/detecting-kippo-ssh-honeypots/
- https://github.com/blazeinfosec/detect-kippo-cowrie/blob/master/detectKippoCowrie.py
- https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssh/detect_kippo.rb
tags: network,ssh,honeypot
network:
- host:
- '{{Hostname}}'
- '{{Host}}:22'
inputs:
- data: "\n"
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- 'SSH\-([0-9.-A-Za-z_ ]+)'
- type: word
words:
- Invalid SSH identification string