sshesame-honeypot Scenario

« sshesame-honeypot »
v0.4 by thespad
Attack scenarioremediation:trueservice:sshesamespoofable:0MITRE:T1110confidence:3

Detect sshesame bruteforce

Installation

cscli scenarios install thespad/sshesame-honeypot

Description

Scenarios for sshesame honeypot logs.

All login events: leakspeed of 30m, capacity of 3
Any commands sent by clients as part of a connection attempt will immediately overflow

YAML Configuration

1# sshesame bruteforce
2type: leaky
3name: thespad/sshesame-bf
4description: "Detect sshesame bruteforce"
5filter: "evt.Meta.log_type == 'sshesame_login'"
6leakspeed: "30m"
7capacity: 3
8groupby: evt.Meta.source_ip
9blackhole: 1m
10labels:
11  service: sshesame
12  confidence: 3
13  spoofable: 0
14  classification:
15    - attack.T1110
16  behavior: "ssh:bruteforce"
17  label: "SSHesame Bruteforce"
18  remediation: true
19---
20# sshesame commands
21type: trigger
22name: thespad/sshesame-cmd
23description: "Detect sshesame commands"
24filter: "evt.Meta.log_type == 'sshesame_cmd'"
25groupby: evt.Meta.source_ip
26blackhole: 1m
27labels:
28  service: sshesame
29  type: command
30  behavior: "ssh:bruteforce"
31  classification:
32    - attack.T1059
33  spoofable: 0
34  confidence: 3
35  remediation: true
36---
37# sshesame input
38type: leaky
39name: thespad/sshesame-input
40description: "Detect sshesame input spam"
41filter: "evt.Meta.log_type == 'sshesame_input'"
42leakspeed: "5m"
43capacity: 5
44groupby: evt.Meta.source_ip
45blackhole: 1m
46labels:
47  service: sshesame
48  behavior: "ssh:bruteforce"
49  spoofable: 0
50  confidence: 3
51  classification:
52    - attack.T1059
53  remediation: true
54

Hub configuration

« sshesame-honeypot »v0.4 by thespadAttack scenarioremediation:trueservice:sshesamespoofable:0MITRE:T1110confidence:3

« sshesame-honeypot »
v0.4 by thespad
Attack scenarioremediation:trueservice:sshesamespoofable:0MITRE:T1110confidence:3