sshesame-honeypot Scenario

« sshesame-honeypot »
v0.3 by thespad
Attack scenarioremediation:trueservice:sshesamespoofable:0MITRE:T1110confidence:3

Detect sshesame bruteforce

Installation

cscli scenarios install thespad/sshesame-honeypot

Description

Scenarios for sshesame honeypot logs.

All login events: leakspeed of 30m, capacity of 3
Any commands sent by clients as part of a connection attempt will immediately overflow

YAML Configuration

1# sshesame bruteforce
2type: leaky
3name: thespad/sshesame-bf
4description: "Detect sshesame bruteforce"
5filter: "evt.Meta.log_type == 'sshesame_login'"
6leakspeed: "30m"
7capacity: 3
8groupby: evt.Meta.source_ip
9blackhole: 1m
10labels:
11  service: sshesame
12  confidence: 3
13  spoofable: 0
14  classification:
15    - attack.T1110
16  behavior: "ssh:bruteforce"
17  label: "SSHesame Bruteforce"
18  remediation: true
19---
20# sshesame commands
21type: trigger
22name: thespad/sshesame-cmd
23description: "Detect sshesame commands"
24filter: "evt.Meta.log_type == 'sshesame_cmd'"
25capacity: 0
26groupby: evt.Meta.source_ip
27blackhole: 1m
28labels:
29  service: sshesame
30  type: command
31  behavior: "ssh:bruteforce"
32  classification:
33    - attack.T1059
34  spoofable: 0
35  confidence: 3
36  remediation: true
37---
38# sshesame input
39type: leaky
40name: thespad/sshesame-input
41description: "Detect sshesame input spam"
42filter: "evt.Meta.log_type == 'sshesame_input'"
43leakspeed: "5m"
44capacity: 5
45groupby: evt.Meta.source_ip
46blackhole: 1m
47labels:
48  service: sshesame
49  behavior: "ssh:bruteforce"
50  spoofable: 0
51  confidence: 3
52  classification:
53    - attack.T1059
54  remediation: true
55

Hub configuration

« sshesame-honeypot »v0.3 by thespadAttack scenarioremediation:trueservice:sshesamespoofable:0MITRE:T1110confidence:3

« sshesame-honeypot »
v0.3 by thespad
Attack scenarioremediation:trueservice:sshesamespoofable:0MITRE:T1110confidence:3