cscli scenarios install thespad/sshesame-honeypot
Scenarios for sshesame honeypot logs.
```yaml
# sshesame bruteforce
type: leaky
name: thespad/sshesame-bf
description: "Detect sshesame bruteforce"
filter: "evt.Meta.log_type == 'sshesame_login'"
leakspeed: "30m"
capacity: 3
groupby: evt.Meta.source_ip
blackhole: 1m
labels:
  service: sshesame
  confidence: 3
  spoofable: 0
  classification:
    - attack.T1110
  behavior: "ssh:bruteforce"
  label: "SSHesame Bruteforce"
  remediation: true
---
# sshesame commands
type: trigger
name: thespad/sshesame-cmd
description: "Detect sshesame commands"
filter: "evt.Meta.log_type == 'sshesame_cmd'"
capacity: 0
groupby: evt.Meta.source_ip
blackhole: 1m
labels:
  service: sshesame
  type: command
  behavior: "ssh:bruteforce"
  classification:
    - attack.T1059
  spoofable: 0
  confidence: 3
  remediation: true
---
# sshesame input
type: leaky
name: thespad/sshesame-input
description: "Detect sshesame input spam"
filter: "evt.Meta.log_type == 'sshesame_input'"
leakspeed: "5m"
capacity: 5
groupby: evt.Meta.source_ip
blackhole: 1m
labels:
  service: sshesame
  behavior: "ssh:bruteforce"
  spoofable: 0
  confidence: 3
  classification:
    - attack.T1059
  remediation: true
```
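As an added example (not part of this hub page and not CrowdSec's own bucket code), the following Python model shows when each of the three scenarios fires, using the capacity, leakspeed and blackhole values above and a constructed set of honeypot events. It assumes a continuously draining leaky bucket that overflows on the (capacity+1)th event and a blackhole that discards events for the same source IP for the stated duration.

```python
# Added example, not CrowdSec's own code. Assumptions: a bucket drains continuously (one event
# per leakspeed), overflows on the (capacity+1)th event, and "blackhole" drops further events
# for the same groupby key for the stated duration. Parameters are those of the scenarios above.
from dataclasses import dataclass
SCENARIOS = {  # name: (log_type filter, capacity, leakspeed in s (0 = trigger), blackhole in s)
    "thespad/sshesame-bf": ("sshesame_login", 3, 30 * 60, 60),
    "thespad/sshesame-cmd": ("sshesame_cmd", 0, 0, 60),  # trigger: capacity 0, no leak
    "thespad/sshesame-input": ("sshesame_input", 5, 5 * 60, 60),
}
@dataclass
class Bucket:
    capacity: int
    leak_s: float
    blackhole_s: float
    level: float = 0.0
    last_ts: float = 0.0
    blackhole_until: float = -1.0

    def feed(self, ts: float) -> bool:  # True when the bucket overflows (scenario fires)
        if ts < self.blackhole_until:  # key is blackholed: event silently dropped
            return False
        if self.leak_s:  # drain whatever leaked out since the previous event
            self.level = max(0.0, self.level - (ts - self.last_ts) / self.leak_s)
        self.last_ts = ts
        self.level += 1
        if self.level > self.capacity:  # overflow on the (capacity+1)th event
            self.level = 0.0  # CrowdSec replaces an overflowed bucket with a fresh one
            self.blackhole_until = ts + self.blackhole_s
            return True
        return False
def run(events):  # events: (timestamp_s, evt.Meta.log_type, evt.Meta.source_ip)
    buckets, alerts = {}, []
    for ts, log_type, ip in events:
        for name, (wanted, cap, leak, bh) in SCENARIOS.items():
            if log_type != wanted:  # the scenario's filter
                continue
            bucket = buckets.setdefault((name, ip), Bucket(cap, leak, bh))  # groupby source_ip
            if bucket.feed(ts):
                alerts.append((name, ip, ts))
    return alerts
EVENTS = [  # constructed sample events, in per-IP time order
    (0, "sshesame_login", "203.0.113.7"), (5, "sshesame_login", "203.0.113.7"),
    (10, "sshesame_login", "203.0.113.7"), (15, "sshesame_login", "203.0.113.7"),  # 4th login
    (20, "sshesame_login", "203.0.113.7"),  # inside the 1m blackhole: ignored
    (30, "sshesame_cmd", "203.0.113.7"), (40, "sshesame_cmd", "203.0.113.7"),  # 2nd blackholed
    (100, "sshesame_cmd", "203.0.113.7"),  # blackhole expired: trigger fires again
    (0, "sshesame_login", "198.51.100.9"), (1800, "sshesame_login", "198.51.100.9"),
    (3600, "sshesame_login", "198.51.100.9"),  # one login per 30m never fills the bucket
]
```

Calling `run(EVENTS)` yields one `sshesame-bf` alert for 203.0.113.7 at t=15 and two `sshesame-cmd` alerts at t=30 and t=100, while the slow attempts from 198.51.100.9 never overflow.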