
Add Cowrie rules

Open · n11dc0la opened this issue 6 years ago · 1 comment

We have great new rules for the cowrie honeypot. Examples:

{"eventid": "cowrie.login.success", "username": "root", "timestamp": "2018-09-05T14:24:20.903909Z", "message": "login attempt [root/] succeeded", "src_ip": "222.112.82.68", "session": "d051258efd62", "password": "", "sensor": "honeypot-ssh"}



**Phase 1: Completed pre-decoding.
       full event: '{"eventid": "cowrie.login.success", "username": "root", "timestamp": "2018-09-05T14:24:20.903909Z", "message": "login attempt [root/] succeeded", "src_ip": "222.112.82.68", "session": "d051258efd62", "password": "", "sensor": "honeypot-ssh"}'
       timestamp: '(null)'
       hostname: 'wazuh-server'
       program_name: '(null)'
       log: '{"eventid": "cowrie.login.success", "username": "root", "timestamp": "2018-09-05T14:24:20.903909Z", "message": "login attempt [root/] succeeded", "src_ip": "222.112.82.68", "session": "d051258efd62", "password": "", "sensor": "honeypot-ssh"}'

**Phase 2: Completed decoding.
       decoder: 'json'
       eventid: 'cowrie.login.success'
       username: 'root'
       timestamp: '2018-09-05T14:24:20.903909Z'
       message: 'login attempt [root/] succeeded'
       src_ip: '222.112.82.68'
       session: 'd051258efd62'
       password: ''
       sensor: 'honeypot-ssh'

**Phase 3: Completed filtering (rules).
       Rule id: '90010'
       Level: '3'
       Description: 'cowrie login success'
**Alert to be generated.
{"eventid": "cowrie.login.failed", "username": "raspberry", "timestamp": "2018-09-05T13:52:42.584350Z", "message": "login attempt [raspberry/admin] failed", "src_ip": "193.201.224.214", "session": "5d77535d8ac4", "password": "admin", "sensor": "honeypot-ssh"}


**Phase 1: Completed pre-decoding.
       full event: '{"eventid": "cowrie.login.failed", "username": "raspberry", "timestamp": "2018-09-05T13:52:42.584350Z", "message": "login attempt [raspberry/admin] failed", "src_ip": "193.201.224.214", "session": "5d77535d8ac4", "password": "admin", "sensor": "honeypot-ssh"}'
       timestamp: '(null)'
       hostname: 'wazuh-server'
       program_name: '(null)'
       log: '{"eventid": "cowrie.login.failed", "username": "raspberry", "timestamp": "2018-09-05T13:52:42.584350Z", "message": "login attempt [raspberry/admin] failed", "src_ip": "193.201.224.214", "session": "5d77535d8ac4", "password": "admin", "sensor": "honeypot-ssh"}'

**Phase 2: Completed decoding.
       decoder: 'json'
       eventid: 'cowrie.login.failed'
       username: 'raspberry'
       timestamp: '2018-09-05T13:52:42.584350Z'
       message: 'login attempt [raspberry/admin] failed'
       src_ip: '193.201.224.214'
       session: '5d77535d8ac4'
       password: 'admin'
       sensor: 'honeypot-ssh'

**Phase 3: Completed filtering (rules).
       Rule id: '90005'
       Level: '3'
       Description: 'cowrie login failed'
**Alert to be generated.
{"eventid": "cowrie.command.input", "timestamp": "2018-09-05T13:56:32.039222Z", "message": "CMD: ll", "src_ip": "116.227.2.205", "session": "61e431803b56", "input": "ll", "sensor": "honeypot-ssh"}


**Phase 1: Completed pre-decoding.
       full event: '{"eventid": "cowrie.command.input", "timestamp": "2018-09-05T13:56:32.039222Z", "message": "CMD: ll", "src_ip": "116.227.2.205", "session": "61e431803b56", "input": "ll", "sensor": "honeypot-ssh"}'
       timestamp: '(null)'
       hostname: 'wazuh-server'
       program_name: '(null)'
       log: '{"eventid": "cowrie.command.input", "timestamp": "2018-09-05T13:56:32.039222Z", "message": "CMD: ll", "src_ip": "116.227.2.205", "session": "61e431803b56", "input": "ll", "sensor": "honeypot-ssh"}'

**Phase 2: Completed decoding.
       decoder: 'json'
       eventid: 'cowrie.command.input'
       timestamp: '2018-09-05T13:56:32.039222Z'
       message: 'CMD: ll'
       src_ip: '116.227.2.205'
       session: '61e431803b56'
       input: 'll'
       sensor: 'honeypot-ssh'

**Phase 3: Completed filtering (rules).
       Rule id: '90015'
       Level: '5'
       Description: 'cowrie command input'
**Alert to be generated.
{"eventid": "cowrie.client.version", "session": "dd98054a9b17", "timestamp": "2018-09-12T14:18:40.226440Z", "message": "Remote SSH version: 'SSH-2.0-OpenSSH_7.3'", "src_ip": "5.188.86.198", "version": "'SSH-2.0-OpenSSH_7.3'", "sensor": "honeypot-ssh"}


**Phase 1: Completed pre-decoding.
       full event: '{"eventid": "cowrie.client.version", "session": "dd98054a9b17", "timestamp": "2018-09-12T14:18:40.226440Z", "message": "Remote SSH version: 'SSH-2.0-OpenSSH_7.3'", "src_ip": "5.188.86.198", "version": "'SSH-2.0-OpenSSH_7.3'", "sensor": "honeypot-ssh"}'
       timestamp: '(null)'
       hostname: 'wazuh-server'
       program_name: '(null)'
       log: '{"eventid": "cowrie.client.version", "session": "dd98054a9b17", "timestamp": "2018-09-12T14:18:40.226440Z", "message": "Remote SSH version: 'SSH-2.0-OpenSSH_7.3'", "src_ip": "5.188.86.198", "version": "'SSH-2.0-OpenSSH_7.3'", "sensor": "honeypot-ssh"}'

**Phase 2: Completed decoding.
       decoder: 'json'
       eventid: 'cowrie.client.version'
       session: 'dd98054a9b17'
       timestamp: '2018-09-12T14:18:40.226440Z'
       message: 'Remote SSH version: 'SSH-2.0-OpenSSH_7.3''
       src_ip: '5.188.86.198'
       version: ''SSH-2.0-OpenSSH_7.3''
       sensor: 'honeypot-ssh'

**Phase 3: Completed filtering (rules).
       Rule id: '90020'
       Level: '3'
       Description: 'cowrie client version'
**Alert to be generated.

n11dc0la · Sep 13 '18 06:09
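The logtest output above shows the `json` decoder exposing `eventid`, `src_ip`, `session` and the other Cowrie fields, and rules 90005, 90010, 90015 and 90020 matching on `eventid`. The issue does not include the rule file itself; the following is an added reconstruction in Wazuh rule syntax (not the contributor's file) that reuses the IDs, levels and descriptions from the logtest output, plus an assumed parent rule (90000) and an assumed correlation rule (90030) for repeated failed logins from one `src_ip`, which relies on `<same_field>` being supported by the Wazuh version in use.

```xml
<!-- Added example: reconstructed Cowrie rules, not the contributor's file.
     IDs 90005/90010/90015/90020 with their levels and descriptions mirror
     the logtest output in the issue; 90000 and 90030 are assumptions. -->
<group name="cowrie,honeypot,">

  <!-- Parent rule: any JSON event whose eventid starts with "cowrie."
       (in OS_Regex a bare dot is a literal dot). Level 0 = no alert. -->
  <rule id="90000" level="0">
    <decoded_as>json</decoded_as>
    <field name="eventid">^cowrie.</field>
    <description>Cowrie honeypot event</description>
  </rule>

  <rule id="90005" level="3">
    <if_sid>90000</if_sid>
    <field name="eventid">^cowrie.login.failed$</field>
    <description>cowrie login failed</description>
  </rule>

  <rule id="90010" level="3">
    <if_sid>90000</if_sid>
    <field name="eventid">^cowrie.login.success$</field>
    <description>cowrie login success</description>
  </rule>

  <!-- Commands typed inside the honeypot: the attacker got a shell -->
  <rule id="90015" level="5">
    <if_sid>90000</if_sid>
    <field name="eventid">^cowrie.command.input$</field>
    <description>cowrie command input</description>
  </rule>

  <rule id="90020" level="3">
    <if_sid>90000</if_sid>
    <field name="eventid">^cowrie.client.version$</field>
    <description>cowrie client version</description>
  </rule>

  <!-- Assumed correlation rule: 5 failed logins from the same src_ip
       within 120 s escalate to a single higher-level alert. -->
  <rule id="90030" level="8" frequency="5" timeframe="120">
    <if_matched_sid>90005</if_matched_sid>
    <same_field>src_ip</same_field>
    <description>cowrie: repeated failed logins from the same source IP</description>
  </rule>

</group>
```

When adding these to your own local_rules.xml, note that the Wazuh documentation reserves IDs 100000 to 120000 for custom rules; the IDs above simply mirror the issue. Validate with wazuh-logtest (or ossec-logtest on older versions) by pasting one of the JSON lines above and checking that Phase 3 reports the expected rule id.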

Hi @DisMeo,

Thanks for your contribution; we are going to review it, and it will be added to the Wazuh ruleset.
Best regards,

Juan Pablo Sáez

Zenidd · May 21 '19 09:05