##### # # Copyright (C) 2007 Bjoern Weiland <bjoern-dot-weiland-at-web-dot-de> # All Rights Reserved # # This file is part of the Prelude-LML program. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; see the file COPYING. If not, write to # the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. # ##### #Ruleset for Honeytrap. Might be a bit noisy, deactivate the rules you don't need #LOG:[2007-05-26 16:48:09] * 22 No bytes received from 157.100.50.58:57701. regex=\* (\d+)\s+No bytes received from (\S+):(\d+).; \ classification.text=Reconnaissance Probe; \ id=40000; \ revision=1; \ analyzer(0).name=Honeytrap; \ analyzer(0).manufacturer=http://honeytrap.mwcollect.org; \ analyzer(0).class=Honeypot; \ source(0).node.address(0).address=$2; \ source(0).service.port=$3; \ target(0).service.port=$1; \ #assessment.impact.completion=succeeded; \ assessment.impact.type=recon; \ assessment.impact.severity=low; \ assessment.impact.description=A connection to honeytrap has been established, but no data was received.; \ last; #LOG:[2007-05-26 16:49:23] * 22 724 bytes attack string from 157.100.50.58:47537. regex=\* (\d+)\s+(\d+) bytes attack string from (\S+):(\d+).; \ classification.text=Attack attempt; \ id=40001; \ revision=1; \ analyzer(0).name=Honeytrap; \ analyzer(0).manufacturer=http://honeytrap.mwcollect.org; \ analyzer(0).class=Honeypot; \ source(0).node.address(0).address=$3; \ source(0).service.port=$4; \ target(0).service.port=$1; \ assessment.impact.severity=medium; \ assessment.impact.description=Attack string has been saved; \ additional_data(0).type=integer; \ additional_data(0).meaning=Attack string size; \ additional_data(0).data=$2; \ last; #LOG:[2007-05-26 17:14:30] FTP download - Requesting 'install_58181.exe' from 193.11.129.193:5836. regex=(\S*) download - Requesting '(.*)' from (\S+):(\d+).; \ classification.text=Malware download attempt; \ id=40002; \ revision=1; \ analyzer(0).name=Honeytrap; \ analyzer(0).manufacturer=http://honeytrap.mwcollect.org; \ analyzer(0).class=Honeypot; \ source(0).node.address(0).address=$3; \ source(0).service.port=$4; \ #target(0).file(0).name=$2; \ assessment.impact.type=file; \ assessment.impact.severity=high; \ assessment.impact.description=Trying to download Malware via $1; \ additional_data(0).type=string; \ additional_data(0).meaning=Filename; \ additional_data(0).data=$2; \ last;