New LML-Ruleset for Kojoney SSH Honeypot - please review
#1 Updated by Yoann VANDOORSELAERE almost 14 years ago
Thanks for this contribution!
Here are a few comments concerning the ruleset. Once the following issues are discussed and/or fixed, we will be able to include this ruleset within the LML distribution.
- In case the software might report IPv6 attacks, it would be best to match the IP address using (\S+), and leave address.category unspecified (Prelude-Manager Normalizer will take care of setting it appropriately).
- Instead of setting the login within [[AdditionalData]], did you investigate whether setting it within target User/UserID (with category set to os-device) would be appropriate?
- commandline should probably be spelled command line
- (executing .*|COMMAND .*): The command is interesting information that should be captured and assigned within an IDMEF field. Additionally, in the case where executing is matched, you might want to set the target.process entry with the name of the process (and the path, if you are able to retrieve it).
- Saved the file .*: No need for the wildcard here, you can just use:
\[SSHChannel session \(\d+\) on SSHService ssh-connection on SSHServerTransport,\d+,([\d\.]+)\] Saved the file
- Additionally, is there any reason you don't assign the saved filename information within the IDMEF message?
- In all Kojoney log messages, what does the number following SSHServerTransport correspond to (example: SSHServerTransport,*3*)?
Hope this helps,
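To make the review points concrete, here is an added example (not part of the ticket or the submitted ruleset) that applies the suggested regex shape to constructed Kojoney-style log lines: the address is captured with (\S+) so IPv6 literals pass through, the command is captured into its own field, and the first token is used as target.process.name. The field names and sample lines are assumptions for illustration.

```python
import re
from typing import Optional

# Constructed Kojoney-style log lines (not copied from the ticket), following the
# "[SSHChannel session (N) on SSHService ssh-connection on SSHServerTransport,N,ADDR] ..."
# layout. The number after SSHServerTransport is the per-connection counter from comment #2.
SAMPLE_LINES = [
    "[SSHChannel session (0) on SSHService ssh-connection on SSHServerTransport,3,192.0.2.10] executing uname -a",
    "[SSHChannel session (0) on SSHService ssh-connection on SSHServerTransport,3,192.0.2.10] COMMAND wget http://example.invalid/x.tgz",
    "[SSHChannel session (1) on SSHService ssh-connection on SSHServerTransport,4,2001:db8::5] Saved the file http+_example_invalid_x_tgz",
    "unrelated daemon line that should not match",
]

# Address is matched with (\S+), as suggested above, so IPv6 literals are captured too;
# address.category is deliberately not set here (left to the normalizer).
PREFIX = (r"\[SSHChannel session \((?P<session>\d+)\) on SSHService ssh-connection "
          r"on SSHServerTransport,(?P<transport>\d+),(?P<addr>\S+)\] ")

RULES = [
    # (assumed classification text, compiled regex, name of the group holding the payload)
    ("Kojoney: Command executed", re.compile(PREFIX + r"(?:executing|COMMAND) (?P<command>.*)$"), "command"),
    ("Kojoney: File saved",       re.compile(PREFIX + r"Saved the file (?P<filename>\S+)$"), "filename"),
]

def normalize(line: str) -> Optional[dict]:
    """Return a flat IDMEF-like dict for one Kojoney line, or None if no rule matches."""
    for classification, rx, payload in RULES:
        m = rx.match(line)
        if not m:
            continue
        event = {
            "classification.text": classification,
            "source.node.address": m.group("addr"),
            "session": int(m.group("session")),
            "transport": int(m.group("transport")),  # per-connection counter
            payload: m.group(payload),
        }
        if payload == "command":
            # target.process.name: first token of the executed command (path not available here)
            event["target.process.name"] = m.group("command").split()[0]
        return event
    return None

def normalize_all(lines):
    """Normalize every matching line, silently skipping lines no rule covers."""
    return [e for e in (normalize(l) for l in lines) if e is not None]
```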
#2 Updated by over 13 years ago
- No IPv6 here, either
- The Login may be set within the mentioned field; as I said, currently I cannot test it as our systems are down. If you feel this would be the right place to put it, why not... I don't know where it would appear in Prelude though
- Command line spelling can be changed
- Command should be assigned to which IDMEF field?
- There is a reason why I don't assign the saved filename, as it is getting obfuscated and does not really look nice. One could think about it, though. Looks like http+_evilserver_xhost_ro_e_tgz300
- The number in the log messages is some kind of ID, just a continuously increasing number for each connect