33 lines
1.1 KiB
YAML
33 lines
1.1 KiB
YAML
id: cowrie-honeypot-detect
|
|
|
|
info:
|
|
name: Cowrie SSH Honeypot Detect
|
|
author: thesubtlety
|
|
severity: info
|
|
description: |
|
|
Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker. In medium interaction mode (shell) it emulates a UNIX system in Python, in high interaction mode (proxy) it functions as an SSH and telnet proxy to observe attacker behavior to another system.
|
|
reference:
|
|
- https://web.archive.org/web/20170826075224/https://morris.sc/detecting-kippo-ssh-honeypots/
|
|
- https://github.com/blazeinfosec/detect-kippo-cowrie/blob/master/detectKippoCowrie.py
|
|
- https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssh/detect_kippo.rb
|
|
tags: network,ssh,honeypot
|
|
|
|
network:
|
|
- host:
|
|
- '{{Hostname}}'
|
|
- '{{Host}}:22'
|
|
|
|
inputs:
|
|
- data: "\n"
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: regex
|
|
part: body
|
|
regex:
|
|
- 'SSH\-([0-9.-A-Za-z_ ]+)'
|
|
|
|
- type: word
|
|
words:
|
|
- Invalid SSH identification string
|