1<!-- Rules for Modern Honeypot Network - Cowrie, --> 2 3<!-- IDs: 53830 - 53840 --> 4<!-- include /var/log/mhn/mhn-json.log to ossec.conf --> 5 6<group name="mhn,json"> 7 8 <rule id="53830" level="8"> 9 <decoded_as>cowrie</decoded_as> 10 <action>SSH login attempted on cowrie honeypot</action> 11 <description>SSH login attempted on cowrie honeypot</description> 12 </rule> 13 14 <rule id="53831" level="8"> 15 <decoded_as>cowrie</decoded_as> 16 <action>SSH session on cowrie honeypot</action> 17 <description>SSH session established on cowrie honeypot</description> 18 </rule> 19 20 <rule id="53832" level="8"> 21 <decoded_as>cowrie</decoded_as> 22 <action>command attempted on cowrie honeypot</action> 23 <description>A command was attempted in SSH session on cowrie honeypot</description> 24 </rule> 25 26</group> 27