forked from OpenSecureCo/Demos
-
Notifications
You must be signed in to change notification settings - Fork 0
/
HoneypotAlertsToWazuh
47 lines (43 loc) · 1.55 KB
/
HoneypotAlertsToWazuh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
<localfile>
<log_format>json</log_format>
<location>/data/cowrie/log/cowrie.json</location>
</localfile>
<localfile>
<log_format>json</log_format>
<location>/data/suricata/log/eve.json</location>
</localfile>
<!-- Group Honeypot Servers -->
<group name="HoneypotServers">
<rule id="100000" level="3">
<if_sid>86601</if_sid>
<hostname>eventuallatex</hostname>
<description>Honeypot - $(alert.signature)</description>
</rule>
</group>
<!-- Group Honeypot Alerts -->
<!-- Honeypot Suricata Alerts -->
<group name="HoneypotAlerts">
<rule id="100014" level="11">
<if_sid>100000</if_sid>
<field name="alert.severity">3</field>
<description>Honeypot Suricata Alert Severity 3 - $(alert.signature). Source IP: $(src_ip). Destination IP: $(dest_ip).</description>
</rule>
<rule id="100015" level="11">
<if_sid>100000</if_sid>
<field name="alert.severity">2</field>
<description>Honeypot Suricata Alert Severity 2 - $(alert.signature). Source IP: $(src_ip). Destination IP: $(dest_ip).</description>
</rule>
<rule id="100016" level="11">
<if_sid>100000</if_sid>
<field name="alert.severity">1</field>
<description>Honeypot Suricata Alert Severity 1 - $(alert.signature). Source IP: $(src_ip). Destination IP: $(dest_ip).</description>
</rule>
</group>
<!-- Honeypot login attempts -->
<group name="HoneypotLogin">
<rule id="100075" level="11">
<decoded_as>json</decoded_as>
<field name="eventid">cowrie.login.failed</field>
<description>$(username) tried to login to honeypot.</description>
</rule>
</group>