new upstream release (3.3.0); modify package compatibility for Stretch
diff --git a/etc/rules/mhn_cowrie_rules.xml b/etc/rules/mhn_cowrie_rules.xml
new file mode 100644 (file)
index 0000000..d7218b6
--- /dev/null
@@ -0,0 +1,26 @@
+<!-- Rules for Modern Honeypot Network - Cowrie, -->
+
+<!-- IDs: 53830 - 53840 -->
+<!-- include /var/log/mhn/mhn-json.log to ossec.conf -->
+
+<group name="mhn,json">
+
+  <rule id="53830" level="8">
+    <decoded_as>cowrie</decoded_as>
+    <action>SSH login attempted on cowrie honeypot</action>
+    <description>SSH login attempted on cowrie honeypot</description>
+  </rule>
+
+  <rule id="53831" level="8">
+    <decoded_as>cowrie</decoded_as>
+    <action>SSH session on cowrie honeypot</action>
+    <description>SSH session established on cowrie honeypot</description>
+  </rule>
+
+  <rule id="53832" level="8">
+    <decoded_as>cowrie</decoded_as>
+    <action>command attempted on cowrie honeypot</action>
+    <description>A command was attempted in SSH session on cowrie honeypot</description>
+  </rule>
+
+</group>
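Review bot: Rules 53830, 53831 and 53832 all fire at level 8 on a single event, so on an internet-facing honeypot every SSH login attempt (53830) is ranked the same as a command run inside an established session (53832). If alerts are mailed or paged at that level, the login rule alone may bury the session and command events. Consider lowering the per-attempt rule, for example `<rule id="53830" level="5">`, and keeping level 8 for 53832. The rules also depend on a decoder named `cowrie` producing these exact `<action>` strings, which is not visible in this hunk. A header comment such as `<!-- requires the cowrie decoder; action strings must match its output exactly -->` would document that dependency, so that a decoder change that silently stops these rules from matching is easier to spot.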