commit

42001-to-43000-templates/adbhoney-detection-cnxn.yaml

@@ -0,0 +1,30 @@
+id: adbhoney-honeypot-detection
+
+info:
+  name: ADBHoney Honeypot Detection
+  author: UnaPibaGeek
+  severity: info
+  description: |
+    ADBHoney honeypot has been identified.
+    The response to the 'adb connect' command differs from real installations, signaling a possible deceptive setup.
+  metadata:
+    max-request: 4
+    vendor: android
+    product: adb
+  tags: adbhoney,android,adb,honeypot
+
+tcp:
+  - host:
+      - "{{Hostname}}"
+      - "{{Host}}:5555"
+    inputs:
+      - data: "434e584e0100000100001000ea000000445b0000bcb1a7b1" # CNXN
+        type: hex
+      - data: "686f73743a3a66656174757265733d7368656c6c5f76322c636d642c737461745f76322c6c735f76322c66697865645f707573685f6d6b6469722c617065782c6162622c66697865645f707573685f73796d6c696e6b5f74696d657374616d702c6162625f657865632c72656d6f756e745f7368656c6c2c747261636b5f6170702c73656e64726563765f76322c73656e64726563765f76325f62726f746c692c73656e64726563765f76325f6c7a342c73656e64726563765f76325f7a7374642c73656e64726563765f76325f6472795f72756e5f73656e642c6f70656e73637265656e5f6d646e73" # CLIENT INFO
+        type: hex
+
+    read-size: 1024
+    matchers:
+      - type: word
+        words:
+          - "device::http://ro.product.name =starltexx;ro.product.model=SM-G960F"

42001-to-43000-templates/adbhoney-detection-shell.yaml

@@ -0,0 +1,34 @@
+id: adbhoney-honeypot-detection-shell
+
+info:
+  name: ADBHoney Honeypot Detection (shell probe)
+  author: UnaPibaGeek
+  severity: info
+  description: |
+    ADBHoney honeypot has been identified.
+    The response to the 'adb shell pwd' command differs from real installations, signaling a possible deceptive setup.
+  metadata:
+    max-request: 4
+    vendor: android
+    product: adb
+  tags: adbhoney,android,adb,honeypot
+
+tcp:
+  - host:
+      - "{{Hostname}}"
+      - "{{Host}}:5555"
+    inputs:
+      - data: "434e584e0100000100001000ea000000445b0000bcb1a7b1" # CNXN
+        type: hex
+      - data: "686f73743a3a66656174757265733d7368656c6c5f76322c636d642c737461745f76322c6c735f76322c66697865645f707573685f6d6b6469722c617065782c6162622c66697865645f707573685f73796d6c696e6b5f74696d657374616d702c6162625f657865632c72656d6f756e745f7368656c6c2c747261636b5f6170702c73656e64726563765f76322c73656e64726563765f76325f62726f746c692c73656e64726563765f76325f6c7a342c73656e64726563765f76325f7a7374642c73656e64726563765f76325f6472795f72756e5f73656e642c6f70656e73637265656e5f6d646e73" # CLIENT INFO
+        type: hex
+      - data: "4f50454e6b000000000000000a0000009d030000b0afbab1" # OPEN
+        type: hex
+      - data: "7368656c6c3a70776400" # SHELL: PWD
+        type: hex
+
+    read-size: 1024
+    matchers:
+      - type: binary
+        binary:
+          - "57525445020000006b0000000000000000000000a8adabba"

42001-to-43000-templates/cisco-asa-honeypot-detection.yaml

@@ -0,0 +1,31 @@
+id: cisco-asa-honeypot-detection
+
+info:
+  name: Cisco ASA Honeypot Detection
+  author: UnaPibaGeek
+  severity: info
+  description: |
+    A Cisco ASA honeypot has been identified.
+    The HTTP response reveals a possible setup of the Cisco ASA web application honeypot.
+  metadata:
+    max-request: 2
+    vendor: cisco
+    product: asa
+  tags: cisco,asa,honeypot
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/+CSCOE+/logon.html?fcadbadd=1"
+      - "{{BaseURL}}:8443/+CSCOE+/logon.html?fcadbadd=1"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: body
+        words:
+          - '<input style="font-weight: bold; cursor: pointer;" type="submit" name="Login" value="Logon" />'

42001-to-43000-templates/citrix-honeypot-detection.yaml

@@ -0,0 +1,36 @@
+id: citrix-honeypot-detection
+
+info:
+  name: Citrix Honeypot Detection
+  author: UnaPibaGeek
+  severity: info
+  description: |
+    A Citrix honeypot has been identified.
+    The HTTP response reveals a possible setup of the Citrix web application honeypot.
+  metadata:
+    max-request: 2
+    vendor: citrix
+    product: citrix
+  tags: citrix,honeypot
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - 'len(body)<2000'
+
+      - type: word
+        part: body
+        words:
+          - "<title>Citrix Login</title>"
+
+      - type: word
+        part: body
+        words:
+          - "In order to use our services, you must agree to Citrix's Terms of Service."
+        negative: true

42001-to-43000-templates/conpot-siemens-honeypot-detection.yaml

@@ -0,0 +1,28 @@
+id: conpot-siemens-honeypot-detection
+
+info:
+  name: Conpot (Siemens) Honeypot Detection
+  author: UnaPibaGeek
+  severity: info
+  description: |
+    A Conpot (Siemens) honeypot has been identified.
+    The response to a first packet of a connection attempt differs from real installations, signaling a possible deceptive setup.
+  metadata:
+    max-request: 2
+    vendor: conpot
+    product: siemens
+  tags: conpot,siemens,honeypot
+
+tcp:
+  - host:
+      - "{{Hostname}}"
+      - "{{Host}}:102"
+    inputs:
+      - data: "0300001611e00000000400c1020100c2020102c0010a"
+        type: hex
+
+    read-size: 1024
+    matchers:
+      - type: binary
+        binary:
+          - "030000130ed00000000000c1020000c2020000"

42001-to-43000-templates/cowrie-ssh-honeypot-detection.yaml

@@ -0,0 +1,35 @@
+id: cowrie-ssh-honeypot-detection
+
+info:
+  name: Cowrie SSH Honeypot Detection
+  author: UnaPibaGeek
+  severity: info
+  description: |
+    A Cowrie (or Twisted) SSH honeypot has been identified.
+    The response to a wrong SSH version differs from real installations, signaling a possible deceptive setup.
+  metadata:
+    max-request: 2
+    vendor: cowrie
+    product: ssh
+  tags: cowrie,twisted,ssh,honeypot
+
+tcp:
+  - host:
+      - '{{Hostname}}'
+      - '{{Host}}:22'
+
+    inputs:
+      - data: "SSH-1337-OpenSSH_9.0\r\n"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - 'SSH\-([0-9.-A-Za-z_ ]+)'
+
+      - type: word
+        words:
+          - Protocol major versions differ.
+          - bad version 1337
+        condition: or

42001-to-43000-templates/dionaea-ftp-honeypot-detection.yaml

@@ -0,0 +1,30 @@
+id: dionaea-ftp-honeypot-detection
+
+info:
+  name: Dionaea FTP Honeypot Detection
+  author: UnaPibaGeek
+  severity: info
+  description: |
+    A Dionaea FTP honeypot has been identified.
+    The response to the 'PASS' command differs from real installations, signaling a possible deceptive setup.
+  metadata:
+    max-request: 4
+    vendor: dionaea
+    product: ftp
+  tags: dionaea,ftp,honeypot
+
+tcp:
+  - host:
+      - "{{Hostname}}"
+      - "{{Host}}:21"
+    inputs:
+      - data: "USER root\r\n"
+        read: 1024
+      - data: "PASS \r\n"
+        read: 1024
+
+    read-size: 2048
+    matchers:
+      - type: word
+        words:
+          - "500 Syntax error: PASS requires an argument"

42001-to-43000-templates/dionaea-http-honeypot-detection.yaml

@@ -0,0 +1,36 @@
+id: dionaea-http-honeypot-detection
+
+info:
+  name: Dionaea HTTP Honeypot Detection
+  author: UnaPibaGeek
+  severity: info
+  description: |
+    Dionaea HTTP honeypot has been identified.
+    The response to an incorrect HTTP method reveals a possible setup of the Dioanea web application honeypot.
+  metadata:
+    max-request: 2
+    vendor: dionaea
+    product: http
+  tags: dionaea,http,honeypot
+
+http:
+  - raw:
+      - |
+        AAAA / HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 501
+
+      - type: word
+        part: header
+        words:
+          - "nginx"
+
+      - type: word
+        part: body
+        words:
+          - '<?xml version="1.0" encoding="ascii"?>'

42001-to-43000-templates/dionaea-mongodb-honeypot-detection.yaml

@@ -0,0 +1,36 @@
+id: dionaea-mongodb-honeypot-detection
+
+info:
+  name: Dionaea MongoDB Honeypot Detection
+  author: UnaPibaGeek
+  severity: info
+  description: |
+    A MongoDB honeypot has been identified.
+    The response to the 'buildinfo' command differs from real installations, signaling a possible deceptive setup.
+  metadata:
+    max-request: 2
+    product: dionaea
+    vendor: mongodb
+  tags: dionaea,mongodb,honeypot
+
+tcp:
+  - inputs:
+      - data: 3b0000003c300000ffffffffd40700000000000061646d696e2e24636d640000000000ffffffff14000000106275696c64696e666f000100000000
+        type: hex
+
+    host:
+      - "{{Hostname}}"
+      - "{{Host}}:27017"
+    read-size: 2048
+
+    matchers:
+      - type: word
+        part: raw
+        words:
+          - "version"
+        negative: true
+
+    extractors:
+      - type: regex
+        regex:
+          - "([A-Za-z:0-9.]+)"

42001-to-43000-templates/dionaea-mqtt-honeypot-detection.yaml

@@ -0,0 +1,28 @@
+id: dionaea-mqtt-honeypot-detection
+
+info:
+  name: Dionaea MQTT Honeypot Detection
+  author: UnaPibaGeek
+  severity: info
+  description: |
+    A Dionaea MQTT honeypot has been identified.
+    The response to a MQTTv5 packet differs from real installations, signaling a possible deceptive setup.
+  metadata:
+    max-request: 2
+    vendor: dionaea
+    product: mqtt
+  tags: dionaea,mqtt,honeypot
+
+tcp:
+  - host:
+      - "{{Hostname}}"
+      - "{{Host}}:1883"
+    inputs:
+      - data: "101000044d5154540502003c032100140000"
+        type: hex
+
+    read-size: 1024
+    matchers:
+      - type: binary
+        binary:
+          - "20020000"

42001-to-43000-templates/dionaea-mysql-honeypot-detect.yaml

@@ -0,0 +1,33 @@
+id: dionaea-mysql-honeypot-detection
+
+info:
+  name: Dionaea MySQL Honeypot Detection
+  author: UnaPibaGeek
+  severity: info
+  description: |
+    A MySQL honeypot has been identified.
+    The response to a connection command differs from real installations, signaling a possible deceptive setup.
+  metadata:
+    max-request: 2
+    vendor: dionaea
+    product: mysql
+  tags: dionaea,mysql,honeypot
+
+tcp:
+  - inputs:
+      - data: "\x4a\x00\x00\x00\x0a\x35\x2e\x31\x2e\x32\x39\x00\x0b\x00\x00\x00\x21\x3e\x34\x1b\x51\x3f\x34\x33\x60\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+
+    host:
+      - "{{Hostname}}"
+      - "{{Host}}:3306"
+    read-size: 1024
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "5.7.16"
+
+      - type: word
+        words:
+          - "aaaaaaaa"

42001-to-43000-templates/dionaea-smb-honeypot-detection.yaml

@@ -0,0 +1,28 @@
+id: dionaea-smb-honeypot-detection
+
+info:
+  name: Dionaea SMB Honeypot Detection
+  author: UnaPibaGeek
+  severity: info
+  description: |
+    A Dionaea SMB honeypot has been identified.
+    The response to an SMB connection packet differs from real installations, signaling a possible deceptive setup.
+  metadata:
+    max-request: 2
+    vendor: dionaea
+    product: dionaea
+  tags: dionaea,smb,honeypot
+
+tcp:
+  - host:
+      - "{{Hostname}}"
+      - "{{Host}}:445"
+    inputs:
+      - data: "00000045ff534d4272000000000801c8000000000000000000000000ffff0100ffff0000002200024e54204c4d20302e31320002534d4220322e3030320002534d4220322e3f3f3f00"
+        type: hex
+
+    read-size: 1024
+    matchers:
+      - type: binary
+        binary:
+          - "6538547e6c42"