From 3b2d611ec210938e8d58848a1902f6411f2e28fd Mon Sep 17 00:00:00 2001
From: Pavel Valach <pavel.valach@cesnet.cz>
Date: Mon, 25 Mar 2024 17:08:07 +0100
Subject: [PATCH] dionaea/log_wardenfiler.py: Fix category when no login is attempted

---
 dionaea/log_wardenfiler.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/dionaea/log_wardenfiler.py b/dionaea/log_wardenfiler.py
index bd60dd3..a404869 100644
--- a/dionaea/log_wardenfiler.py
+++ b/dionaea/log_wardenfiler.py
@@ -247,12 +247,14 @@ class LogWardenfilerHandler(ihandler):
 event["Attach"].append(attach)
 else:
 # login without password or similar thing
- event["Category"].append("Intrusion.UserCompromise")
- event["Note"] = "Failed login attempt"
+ event["Category"].append("Recon.Scanning")
+ event["Note"] = "Connection"
 if len(s["cmds"]):
- event["Category"].append("Attempt.Exploit")
- event["Note"] += " with unauthorized command input"
+ # consider this an exploit only if there was a login attempt
+ if len(s["creds"]):
+ event["Category"].append("Attempt.Exploit")
+ event["Note"] += " with command input"
 idata = "\n".join(str(c) for c in s["cmds"])
 plain = all(c in string.printable for c in idata)
 eidata = idata if plain else b64encode(idata.encode()).decode()
-- 
GitLab
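Review bot: When commands arrive without any login attempt, the new code leaves the Note at `Connection` even though the command input is still collected into `idata` on the lines right after the new `if len(s["creds"]):` block (and, from the context, presumably attached to the event), so the note no longer explains what the attachment is. Consider gating only the category on the credentials check and keeping the note update unconditional: `if s["creds"]: event["Category"].append("Attempt.Exploit")` followed by `event["Note"] += " with command input"` at the outer level. The added comment would also be more useful if it stated the resulting classification, e.g. `# command input without a login attempt stays Recon.Scanning; only count it as an exploit attempt when credentials were tried`. As a style point, `if len(s["cmds"]):` and `if len(s["creds"]):` read more idiomatically as `if s["cmds"]:` and `if s["creds"]:`. The condition this `else` belongs to is above the hunk and the method continues below it, so whether `s["creds"]` can actually be non-empty on this path cannot be confirmed from here.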