Showing
17 changed files
with
524 additions
and
0 deletions.
@@ -0,0 +1,30 @@ | ||
id: adbhoney-honeypot-detection | ||
|
||
info: | ||
name: ADBHoney Honeypot Detection | ||
author: UnaPibaGeek | ||
severity: info | ||
description: | | ||
ADBHoney honeypot has been identified. | ||
The response to the 'adb connect' command differs from real installations, signaling a possible deceptive setup. | ||
metadata: | ||
max-request: 4 | ||
vendor: android | ||
product: adb | ||
tags: adbhoney,android,adb,honeypot | ||
|
||
tcp: | ||
- host: | ||
- "{{Hostname}}" | ||
- "{{Host}}:5555" | ||
inputs: | ||
- data: "434e584e0100000100001000ea000000445b0000bcb1a7b1" # CNXN | ||
type: hex | ||
- data: "686f73743a3a66656174757265733d7368656c6c5f76322c636d642c737461745f76322c6c735f76322c66697865645f707573685f6d6b6469722c617065782c6162622c66697865645f707573685f73796d6c696e6b5f74696d657374616d702c6162625f657865632c72656d6f756e745f7368656c6c2c747261636b5f6170702c73656e64726563765f76322c73656e64726563765f76325f62726f746c692c73656e64726563765f76325f6c7a342c73656e64726563765f76325f7a7374642c73656e64726563765f76325f6472795f72756e5f73656e642c6f70656e73637265656e5f6d646e73" # CLIENT INFO | ||
type: hex | ||
|
||
read-size: 1024 | ||
matchers: | ||
- type: word | ||
words: | ||
- "device::http://ro.product.name =starltexx;ro.product.model=SM-G960F" |
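Review bot: The word matcher on the last line pins the full default identity string (`starltexx` / `SM-G960F`), and ADBHoney appears to expose that banner as a configurable `device_id` setting (confirm against the project's `adbhoney.cfg`), so an operator who customises it evades the template while the structural tell survives. The part a stock adbd is not expected to emit is the `http://` prefix and the space before `=`, so a shorter anchor such as `- "device::http://ro.product.name ="` keeps the fingerprint and drops the model-specific tail. The two hex inputs also deserve the comment the first one starts: `# CNXN header: version 0x01000001, maxdata 0x100000, payload length 234 (0xea)` and `# payload: host::features=shell_v2,cmd,... (client identity string)`, so a maintainer can re-derive the length/checksum fields if the feature list is ever changed.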
@@ -0,0 +1,34 @@ | ||
id: adbhoney-honeypot-detection-shell | ||
|
||
info: | ||
name: ADBHoney Honeypot Detection (shell probe) | ||
author: UnaPibaGeek | ||
severity: info | ||
description: | | ||
ADBHoney honeypot has been identified. | ||
The response to the 'adb shell pwd' command differs from real installations, signaling a possible deceptive setup. | ||
metadata: | ||
max-request: 4 | ||
vendor: android | ||
product: adb | ||
tags: adbhoney,android,adb,honeypot | ||
|
||
tcp: | ||
- host: | ||
- "{{Hostname}}" | ||
- "{{Host}}:5555" | ||
inputs: | ||
- data: "434e584e0100000100001000ea000000445b0000bcb1a7b1" # CNXN | ||
type: hex | ||
- data: "686f73743a3a66656174757265733d7368656c6c5f76322c636d642c737461745f76322c6c735f76322c66697865645f707573685f6d6b6469722c617065782c6162622c66697865645f707573685f73796d6c696e6b5f74696d657374616d702c6162625f657865632c72656d6f756e745f7368656c6c2c747261636b5f6170702c73656e64726563765f76322c73656e64726563765f76325f62726f746c692c73656e64726563765f76325f6c7a342c73656e64726563765f76325f7a7374642c73656e64726563765f76325f6472795f72756e5f73656e642c6f70656e73637265656e5f6d646e73" # CLIENT INFO | ||
type: hex | ||
- data: "4f50454e6b000000000000000a0000009d030000b0afbab1" # OPEN | ||
type: hex | ||
- data: "7368656c6c3a70776400" # SHELL: PWD | ||
type: hex | ||
|
||
read-size: 1024 | ||
matchers: | ||
- type: binary | ||
binary: | ||
- "57525445020000006b0000000000000000000000a8adabba" |
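Review bot: The `shell:pwd` stream opened by the third and fourth inputs executes a command on whatever answers on 5555, not only on honeypots; against a real device running ADB-over-TCP without key authorisation this runs `pwd` on the target, which is more than a passive fingerprint and belongs in `description`, e.g. `Note: this probe opens a shell stream and executes 'pwd' on the target; only run it against hosts you are authorised to test.` The binary matcher also pins the responder's local stream id (`02000000`) and a zero-length WRTE (`00000000 00000000`), which look like details of ADBHoney's stream handling rather than protocol invariants; if the id is not fixed across connections the match fails silently, so consider anchoring on the echoed remote id `6b000000` (the OPEN's local id) plus the zero length instead, once confirmed against the honeypot's source.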
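--- a/42001-to-43000-templates/cisco-asa-honeypot-detection.yaml
+++ b/42001-to-43000-templates/cisco-asa-honeypot-detection.yaml
@@ -0,0 +1,31 @@
+id: cisco-asa-honeypot-detection
+
+info:
+  name: Cisco ASA Honeypot Detection
+  author: UnaPibaGeek
+  severity: info
+  description: |
+    A Cisco ASA honeypot has been identified.
+    The HTTP response reveals a possible setup of the Cisco ASA web application honeypot.
+  metadata:
+    max-request: 2
+    vendor: cisco
+    product: asa
+  tags: cisco,asa,honeypot
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/+CSCOE+/logon.html?fcadbadd=1"
+      - "{{BaseURL}}:8443/+CSCOE+/logon.html?fcadbadd=1"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: body
+        words:
+          - '<input style="font-weight: bold; cursor: pointer;" type="submit" name="Login" value="Logon" />'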
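Review bot: The second path, `{{BaseURL}}:8443/+CSCOE+/logon.html?fcadbadd=1`, appends a port to a variable that already carries one whenever the input is given with a port (nuclei's `BaseURL` is `scheme://host:port`), yielding `https://host:443:8443/...`, which cannot be requested; use the repo's convention for alternate ports (a scheme+host helper such as `{{Scheme}}://{{Host}}:8443/...`) or drop the second path and let the operator pass the port in the target list. The body matcher is a verbatim markup fragment of the honeypot's logon page, so `description` should name the honeypot project it was taken from; otherwise nobody can re-check the string when that project changes its page, and a real ASA logon form that happens to render the same button is not ruled out by `status: 200` alone.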
@@ -0,0 +1,36 @@ | ||
id: citrix-honeypot-detection | ||
|
||
info: | ||
name: Citrix Honeypot Detection | ||
author: UnaPibaGeek | ||
severity: info | ||
description: | | ||
A Citrix honeypot has been identified. | ||
The HTTP response reveals a possible setup of the Citrix web application honeypot. | ||
metadata: | ||
max-request: 2 | ||
vendor: citrix | ||
product: citrix | ||
tags: citrix,honeypot | ||
|
||
http: | ||
- method: GET | ||
path: | ||
- "{{BaseURL}}" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: dsl | ||
dsl: | ||
- 'len(body)<2000' | ||
|
||
- type: word | ||
part: body | ||
words: | ||
- "<title>Citrix Login</title>" | ||
|
||
- type: word | ||
part: body | ||
words: | ||
- "In order to use our services, you must agree to Citrix's Terms of Service." | ||
negative: true |
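Review bot: With `matchers-condition: and`, the third matcher (`negative: true`) turns the rule into "page under 2000 bytes titled Citrix Login that does not show the Terms-of-Service sentence", an absence-based fingerprint that will also fire on a trimmed or customised Citrix-branded login page; `description` should name the honeypot project whose index page is being matched and state that the match is heuristic. A positive, project-specific marker (a script name, form action or HTML comment unique to the honeypot page) next to the title would stop the rule resting on a size bound and a negated string alone. `product: citrix` also merely repeats `vendor: citrix`, whereas the sibling templates in this commit carry the honeypot name in one of the two fields.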
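--- a/42001-to-43000-templates/conpot-siemens-honeypot-detection.yaml
+++ b/42001-to-43000-templates/conpot-siemens-honeypot-detection.yaml
@@ -0,0 +1,28 @@
+id: conpot-siemens-honeypot-detection
+
+info:
+  name: Conpot (Siemens) Honeypot Detection
+  author: UnaPibaGeek
+  severity: info
+  description: |
+    A Conpot (Siemens) honeypot has been identified.
+    The response to a first packet of a connection attempt differs from real installations, signaling a possible deceptive setup.
+  metadata:
+    max-request: 2
+    vendor: conpot
+    product: siemens
+  tags: conpot,siemens,honeypot
+
+tcp:
+  - host:
+      - "{{Hostname}}"
+      - "{{Host}}:102"
+    inputs:
+      - data: "0300001611e00000000400c1020100c2020102c0010a"
+        type: hex
+
+    read-size: 1024
+    matchers:
+      - type: binary
+        binary:
+          - "030000130ed00000000000c1020000c2020000"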
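Review bot: The matched COTP Connect Confirm `030000130ed00000000000c1020000c2020000` has a zero destination reference, a zero source reference and zeroed calling/called TSAP parameters, i.e. the responder echoes nothing from the request; that is the honeypot tell, but it cannot be recovered from the bare hex, so it should be written down. Suggested comments: above the input `# TPKT + COTP CR: src-ref 0x0004, TSAP 01.00 -> 01.02, TPDU size 1024 (c0 01 0a)` and above the matcher `# COTP CC with both references and both TSAP parameters zeroed (presumed Conpot default; a real S7 is expected to echo the TSAPs - confirm)`. Documenting it also makes clear that a future Conpot release which starts echoing the references would silently break the match.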
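--- a/42001-to-43000-templates/cowrie-ssh-honeypot-detection.yaml
+++ b/42001-to-43000-templates/cowrie-ssh-honeypot-detection.yaml
@@ -0,0 +1,35 @@
+id: cowrie-ssh-honeypot-detection
+
+info:
+  name: Cowrie SSH Honeypot Detection
+  author: UnaPibaGeek
+  severity: info
+  description: |
+    A Cowrie (or Twisted) SSH honeypot has been identified.
+    The response to a wrong SSH version differs from real installations, signaling a possible deceptive setup.
+  metadata:
+    max-request: 2
+    vendor: cowrie
+    product: ssh
+  tags: cowrie,twisted,ssh,honeypot
+
+tcp:
+  - host:
+      - '{{Hostname}}'
+      - '{{Host}}:22'
+
+    inputs:
+      - data: "SSH-1337-OpenSSH_9.0\r\n"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - 'SSH\-([0-9.-A-Za-z_ ]+)'
+
+      - type: word
+        words:
+          - Protocol major versions differ.
+          - bad version 1337
+        condition: or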
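Review bot: The character class in `'SSH\-([0-9.-A-Za-z_ ]+)'` contains the range `.-A` (0x2E-0x41, i.e. `./0-9:;<=>?@A`) followed by a literal `-` and a lone `Z`, so uppercase `B`-`Y` are not in the class at all; the matcher still fires because it only needs `SSH-` plus one character, but the capture is truncated on banners such as `SSH-2.0-OpenSSH_9.0` (it stops before `O`). Put the hyphen last so it is literal: `- 'SSH\-([0-9A-Za-z._ -]+)'`. Since the capture group is not used by an extractor, `'SSH\-[0-9A-Za-z._ -]+'` would express the intent (any SSH banner came back) even more plainly.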
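--- a/42001-to-43000-templates/dionaea-ftp-honeypot-detection.yaml
+++ b/42001-to-43000-templates/dionaea-ftp-honeypot-detection.yaml
@@ -0,0 +1,30 @@
+id: dionaea-ftp-honeypot-detection
+
+info:
+  name: Dionaea FTP Honeypot Detection
+  author: UnaPibaGeek
+  severity: info
+  description: |
+    A Dionaea FTP honeypot has been identified.
+    The response to the 'PASS' command differs from real installations, signaling a possible deceptive setup.
+  metadata:
+    max-request: 4
+    vendor: dionaea
+    product: ftp
+  tags: dionaea,ftp,honeypot
+
+tcp:
+  - host:
+      - "{{Hostname}}"
+      - "{{Host}}:21"
+    inputs:
+      - data: "USER root\r\n"
+        read: 1024
+      - data: "PASS \r\n"
+        read: 1024
+
+    read-size: 2048
+    matchers:
+      - type: word
+        words:
+          - "500 Syntax error: PASS requires an argument"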
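Review bot: The two inputs are a genuine login attempt (`USER root` followed by `PASS` with an empty password), so against a production FTP server this template leaves a failed-login record and can count towards brute-force lockouts; `description` should say so, e.g. `Note: sends USER root / PASS with an empty password, which real servers log as a failed login.` The literal `500 Syntax error: PASS requires an argument` is what keeps false positives low, since other servers are expected to reject an empty `PASS` with a different reply text (confirm), so it should not be loosened to a bare `500`. A one-line comment on the `read: 1024` entries (`# consume the banner / 331 reply before the next command`) would also explain why each input reads before the next is sent.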
36 changes: 36 additions & 0 deletions
36
42001-to-43000-templates/dionaea-http-honeypot-detection.yaml
@@ -0,0 +1,36 @@ | ||
id: dionaea-http-honeypot-detection | ||
|
||
info: | ||
name: Dionaea HTTP Honeypot Detection | ||
author: UnaPibaGeek | ||
severity: info | ||
description: | | ||
Dionaea HTTP honeypot has been identified. | ||
The response to an incorrect HTTP method reveals a possible setup of the Dioanea web application honeypot. | ||
metadata: | ||
max-request: 2 | ||
vendor: dionaea | ||
product: http | ||
tags: dionaea,http,honeypot | ||
|
||
http: | ||
- raw: | ||
- | | ||
AAAA / HTTP/1.1 | ||
Host: {{Hostname}} | ||
matchers-condition: and | ||
matchers: | ||
- type: status | ||
status: | ||
- 501 | ||
|
||
- type: word | ||
part: header | ||
words: | ||
- "nginx" | ||
|
||
- type: word | ||
part: body | ||
words: | ||
- '<?xml version="1.0" encoding="ascii"?>' |
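Review bot: `description` misspells the project in `...setup of the Dioanea web application honeypot.`; it should read `Dionaea`. The real fingerprint here is the third matcher, a Python-style XML prolog `<?xml version="1.0" encoding="ascii"?>` in an error body, with `501` and `nginx` only narrowing it, and that is worth a comment above `raw:` such as `# invalid method token; the honeypot is expected to answer 501 with an XML-prolog error page that advertises nginx`. The rendered page shows 35 of the 36 lines the hunk header declares, so check that the `raw` block really ends with the blank line that terminates the request headers; and since word matchers compare literally, `case-insensitive: true` on the `nginx` matcher would survive a `Server: Nginx` variant if the honeypot's casing is not fixed.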
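--- a/42001-to-43000-templates/dionaea-mongodb-honeypot-detection.yaml
+++ b/42001-to-43000-templates/dionaea-mongodb-honeypot-detection.yaml
@@ -0,0 +1,36 @@
+id: dionaea-mongodb-honeypot-detection
+
+info:
+  name: Dionaea MongoDB Honeypot Detection
+  author: UnaPibaGeek
+  severity: info
+  description: |
+    A MongoDB honeypot has been identified.
+    The response to the 'buildinfo' command differs from real installations, signaling a possible deceptive setup.
+  metadata:
+    max-request: 2
+    product: dionaea
+    vendor: mongodb
+  tags: dionaea,mongodb,honeypot
+
+tcp:
+  - inputs:
+      - data: 3b0000003c300000ffffffffd40700000000000061646d696e2e24636d640000000000ffffffff14000000106275696c64696e666f000100000000
+        type: hex
+
+    host:
+      - "{{Hostname}}"
+      - "{{Host}}:27017"
+    read-size: 2048
+
+    matchers:
+      - type: word
+        part: raw
+        words:
+          - "version"
+        negative: true
+
+    extractors:
+      - type: regex
+        regex:
+          - "([A-Za-z:0-9.]+)"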
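Review bot: The only matcher is negative (`version` absent from the reply), so any listener on 27017 that answers the legacy OP_QUERY with anything other than a buildinfo document is reported as a honeypot: an empty reply, a proxy or TLS-only endpoint, and - if current MongoDB releases indeed reject OP_QUERY for commands other than hello/isMaster (removed in 5.1, to be confirmed) - every modern MongoDB, which answers with an error document that carries no `version` field. Add a positive condition so the rule fires only on a reply that looks like the honeypot's, e.g. `matchers-condition: and` plus a second matcher requiring an OP_REPLY header (`part: raw`, opcode `01000000` at offset 12) or a token the honeypot's buildinfo reply contains and a real one does not. The unanchored extractor `([A-Za-z:0-9.]+)` will emit every alphanumeric run in the raw reply as a "finding"; anchor it on the field wanted or remove it. `product: dionaea` / `vendor: mongodb` is also swapped relative to the other Dionaea templates in this commit, which use `vendor: dionaea`.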
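--- a/42001-to-43000-templates/dionaea-mqtt-honeypot-detection.yaml
+++ b/42001-to-43000-templates/dionaea-mqtt-honeypot-detection.yaml
@@ -0,0 +1,28 @@
+id: dionaea-mqtt-honeypot-detection
+
+info:
+  name: Dionaea MQTT Honeypot Detection
+  author: UnaPibaGeek
+  severity: info
+  description: |
+    A Dionaea MQTT honeypot has been identified.
+    The response to a MQTTv5 packet differs from real installations, signaling a possible deceptive setup.
+  metadata:
+    max-request: 2
+    vendor: dionaea
+    product: mqtt
+  tags: dionaea,mqtt,honeypot
+
+tcp:
+  - host:
+      - "{{Hostname}}"
+      - "{{Host}}:1883"
+    inputs:
+      - data: "101000044d5154540502003c032100140000"
+        type: hex
+
+    read-size: 1024
+    matchers:
+      - type: binary
+        binary:
+          - "20020000"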
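Review bot: The expected CONNACK `20020000` is the 3.1.1-shaped two-byte acknowledgement (flags 0, return code 0) to a CONNECT that declares protocol level 5 and carries a properties block; a broker that honours v5 is expected to answer with a properties length byte (remaining length of at least 3), and a 3.1.1-only broker to refuse the level with return code 1, so the bare `20 02 00 00` is what singles out the honeypot. None of that is recoverable from the hex, so document it: `# MQTT v5 CONNECT: clean start, keep-alive 60, Receive Maximum 20, empty client id` above the input and `# v3.1.1-style CONNACK (no properties field) accepting a v5 CONNECT` above the matcher. Keep in mind that `binary` is a substring test over the 1024-byte read, so a reply that happens to contain `20020000` later in the stream would also match; anchoring with a DSL check on the first bytes would be stricter if false positives show up.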
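--- a/42001-to-43000-templates/dionaea-mysql-honeypot-detect.yaml
+++ b/42001-to-43000-templates/dionaea-mysql-honeypot-detect.yaml
@@ -0,0 +1,33 @@
+id: dionaea-mysql-honeypot-detection
+
+info:
+  name: Dionaea MySQL Honeypot Detection
+  author: UnaPibaGeek
+  severity: info
+  description: |
+    A MySQL honeypot has been identified.
+    The response to a connection command differs from real installations, signaling a possible deceptive setup.
+  metadata:
+    max-request: 2
+    vendor: dionaea
+    product: mysql
+  tags: dionaea,mysql,honeypot
+
+tcp:
+  - inputs:
+      - data: "\x4a\x00\x00\x00\x0a\x35\x2e\x31\x2e\x32\x39\x00\x0b\x00\x00\x00\x21\x3e\x34\x1b\x51\x3f\x34\x33\x60\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+
+    host:
+      - "{{Hostname}}"
+      - "{{Host}}:3306"
+    read-size: 1024
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "5.7.16"
+
+      - type: word
+        words:
+          - "aaaaaaaa"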
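Review bot: The `id` (`dionaea-mysql-honeypot-detection`) does not match the file name `dionaea-mysql-honeypot-detect.yaml`, unlike every other template in this commit; if the repo's template linter requires the two to agree, one of them needs renaming. The input is written as a double-quoted string with `\x..` escapes instead of `type: hex` like the sibling templates; that is harmless here only because every byte is below 0x80 - a `\x80`-`\xff` escape in a YAML double-quoted scalar is a Unicode code point, which nuclei would in all likelihood put on the wire as a two-byte UTF-8 sequence - so switching to `type: hex` (`4a0000000a352e312e32390000...`) removes the trap and keeps the commit consistent. The bytes also look like the start of a MySQL *server* handshake (protocol 10, version string `5.1.29`) rather than anything a client sends; if the honeypot is matched on the greeting it emits on connect regardless of input (the `5.7.16` version and the fixed `aaaaaaaa` salt), say so in a comment, because otherwise the next maintainer will try to make sense of the payload.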
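--- a/42001-to-43000-templates/dionaea-smb-honeypot-detection.yaml
+++ b/42001-to-43000-templates/dionaea-smb-honeypot-detection.yaml
@@ -0,0 +1,28 @@
+id: dionaea-smb-honeypot-detection
+
+info:
+  name: Dionaea SMB Honeypot Detection
+  author: UnaPibaGeek
+  severity: info
+  description: |
+    A Dionaea SMB honeypot has been identified.
+    The response to an SMB connection packet differs from real installations, signaling a possible deceptive setup.
+  metadata:
+    max-request: 2
+    vendor: dionaea
+    product: dionaea
+  tags: dionaea,smb,honeypot
+
+tcp:
+  - host:
+      - "{{Hostname}}"
+      - "{{Host}}:445"
+    inputs:
+      - data: "00000045ff534d4272000000000801c8000000000000000000000000ffff0100ffff0000002200024e54204c4d20302e31320002534d4220322e3030320002534d4220322e3f3f3f00"
+        type: hex
+
+    read-size: 1024
+    matchers:
+      - type: binary
+        binary:
+          - "6538547e6c42"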
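Review bot: The matcher is an opaque six-byte constant `6538547e6c42` (ASCII `e8T~lB`) searched anywhere in the first 1024 bytes of the reply, and nothing in the template says what it is; it is presumably a fixed value in Dionaea's SMB1 NEGOTIATE response (a challenge or GUID that a real server randomises), but that needs confirming and recording, e.g. `# fixed bytes from dionaea's NEGOTIATE reply - a real server sends a random challenge/GUID here; see <file in dionaea's smb module>`. The request deserves the same comment style as the ADB templates: `# SMB1 NEGOTIATE PROTOCOL: dialects NT LM 0.12, SMB 2.002, SMB 2.???`, with the observation that a server supporting SMB2 is expected to answer with an SMB2 NEGOTIATE response (confirm), so an SMB1-shaped reply is itself part of the tell. `product: dionaea` duplicates `vendor: dionaea` here while the FTP/MQTT/MySQL siblings put the protocol in `product`.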