Project

General

Profile

Bug #244

New LML-Ruleset for Honeytrap - please review

Added by almost 14 years ago. Updated almost 12 years ago.

Status:
Closed
Priority:
Normal
Target version:
Start date:
Due date:
% Done:

0%

Resolution:
fixed

Description

http://honeytrap.mwcollect.org/

#####
#
# Copyright (C) 2007 Bjoern Weiland <bjoern-dot-weiland-at-web-dot-de>
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING.  If not, write to
# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
#
#####

#Ruleset for Honeytrap. Might be a bit noisy, deactivate the rules you dont need

#LOG:[2007-05-26 16:48:09]  * 22       No bytes received from 157.100.50.58:57701.
 regex=\* (\d+)\s+No bytes received from ([\d\.]+):(\d+).; \
 classification.text=Reconnaissance Probe at port $1; \
 id=40000; \
 revision=1; \
 analyzer(0).name=honeytrap; \
 analyzer(0).manufacturer=http://honeytrap.mwcollect.org; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.port=$3; \
 #target(0).node.address(0).category=ipv4-addr; \
 #target(0).node.address(0).address=$2; \
 target(0).service.port=$1; \
 #assessment.impact.completion=succeeded; \
 assessment.impact.type=recon; \
 assessment.impact.severity=low; \
 assessment.impact.description=A connection to honeytrap has been established. No bytes have been received, though.; \
 last

#LOG:[2007-05-26 16:49:23]  * 22       724 bytes attack string from 157.100.50.58:47537.
 regex=\* (\d+)\s+(\d+) bytes attack string from ([\d\.]+):(\d+).; \
 classification.text=Attack string saved on port $1; \
 id=40001; \
 revision=1; \
 analyzer(0).name=honeytrap; \
 analyzer(0).manufacturer=http://honeytrap.mwcollect.org; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).service.port=$4; \
 #target(0).node.address(0).category=ipv4-addr; \
 #target(0).node.address(0).address=$2; \
 target(0).service.port=$1; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=recon; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Attack string has been saved; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Size; \
 additional_data(0).data=$2; \
 last

#LOG:[2007-05-26 17:14:30] FTP download - Requesting 'install_58181.exe' from 193.11.129.193:5836.
 regex=(\S*) download - Requesting '(.*)' from ([\d\.]+):(\d+).; \
 classification.text=Download Attempt via $1; \
 id=40002; \
 revision=1; \
 analyzer(0).name=honeytrap; \
 analyzer(0).manufacturer=http://honeytrap.mwcollect.org; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).service.port=$4; \
 #target(0).node.address(0).category=ipv4-addr; \
 #target(0).node.address(0).address=$2; \
 #target(0).service.port=$1; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=file; \
 assessment.impact.severity=high; \
 assessment.impact.description=Trying to download Malware; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Filename; \
 additional_data(0).data=$2; \
 last

honeytrap.rules - the actual ruleset as a file (3.55 KB) , 07/06/2007 04:06 PM

Associated revisions

Revision 88a89dbc (diff)
Added by Pierre Chifflier over 13 years ago

Add new ruleset for Honeytrap (Closes #244)
Thanks to Bjoern Weiland for the initial submission.

git-svn-id: file:///home/yoann/dev/prelude/git/nok/SVN/prelude-lml/trunk@10086 09c5ec92-17d4-0310-903a-819935f44dba

History

#1 Updated by Yoann VANDOORSELAERE almost 14 years ago

Great contribution! Some comments from #245 and #246 apply, with additional:

  • Reconnaissance Probe at port $1 -> No variable element should be assigned within the classification (to easily sort / search / store elements). I'd suggest using Reconnaissance Probe.
  • A connection to honeytrap has been established. No bytes have been received, though. wouldn't the following wording be more clear: A connection to honeytrap has been established, but no data was received.
  • additional_data(0).meaning=Size -> Attack string size would be self describing.
  • In rule id 40002, shouldn't the filename be set within IDMEF Target.file?

Hope this help!

#2 Updated by over 13 years ago

I go d'accord with your ideas. I dont have as detailed IDMEF knowledge as you, as for that I am leaving it up to you guys to put the filename into the appropriate IDMEF field ;)

#3 Updated by Pierre Chifflier over 13 years ago

  • Status changed from New to Closed
  • Resolution set to fixed

(In r10086) Add new ruleset for Honeytrap (Closes #244)
Thanks to Bjoern Weiland for the initial submission.

#4 Updated by Yoann VANDOORSELAERE almost 12 years ago

  • Project changed from PRELUDE SIEM to Prelude-LML
  • Category deleted (4)
  • Target version deleted (0.9.11)

Also available in: Atom PDF