1 <!-- Rules for Modern Honeypot Network - Cowrie, -->
3 <!-- IDs: 53830 - 53840 -->
4 <!-- include /var/log/mhn/mhn-json.log to ossec.conf -->
6 <group name="mhn,json">
8 <rule id="53830" level="8">
9 <decoded_as>cowrie</decoded_as>
10 <action>SSH login attempted on cowrie honeypot</action>
11 <description>SSH login attempted on cowrie honeypot</description>
14 <rule id="53831" level="8">
15 <decoded_as>cowrie</decoded_as>
16 <action>SSH session on cowrie honeypot</action>
17 <description>SSH session established on cowrie honeypot</description>
20 <rule id="53832" level="8">
21 <decoded_as>cowrie</decoded_as>
22 <action>command attempted on cowrie honeypot</action>
23 <description>A command was attempted in SSH session on cowrie honeypot</description>