From 3b2d611ec210938e8d58848a1902f6411f2e28fd Mon Sep 17 00:00:00 2001
From: Pavel Valach <pavel.valach@cesnet.cz>
Date: Mon, 25 Mar 2024 17:08:07 +0100
Subject: [PATCH] dionaea/log_wardenfiler.py: Fix category when no login is
 attempted

---
 dionaea/log_wardenfiler.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/dionaea/log_wardenfiler.py b/dionaea/log_wardenfiler.py
index bd60dd3..a404869 100644
--- a/dionaea/log_wardenfiler.py
+++ b/dionaea/log_wardenfiler.py
@@ -247,12 +247,14 @@ class LogWardenfilerHandler(ihandler):
             event["Attach"].append(attach)
         else:
             # login without password or similar thing
-            event["Category"].append("Intrusion.UserCompromise")
-            event["Note"] = "Failed login attempt"
+            event["Category"].append("Recon.Scanning")
+            event["Note"] = "Connection"
 
         if len(s["cmds"]):
-            event["Category"].append("Attempt.Exploit")
-            event["Note"] += " with unauthorized command input"
+            # consider this an exploit only if there was a login attempt
+            if len(s["creds"]):
+                event["Category"].append("Attempt.Exploit")
+            event["Note"] += " with command input"
             idata = "\n".join(str(c) for c in s["cmds"])
             plain = all(c in string.printable for c in idata)
             eidata = idata if plain else b64encode(idata.encode()).decode()
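Review bot: The new inner check `if len(s["creds"]):` at the `cmds` branch re-decides whether a login was attempted, which the `if`/`else` above (its condition lies outside the hunk) appears to have settled already, and the surviving context comment `# login without password or similar thing` now contradicts the branch it sits in, which emits "Recon.Scanning"/"Connection". If that `else` really also covers sessions that sent a username but no password, the patch would downgrade a genuine login attempt to scanning; if it only covers sessions with no credentials at all, the comment should say so, e.g. `# no credentials were sent: plain connection, classify as scanning`. A session that sends commands without ever authenticating is also what a pre-auth exploit attempt looks like to a honeypot, so it is worth stating in the comment why such input is deliberately kept under Recon.Scanning rather than Attempt.Exploit. Stylistically, `if s["cmds"]:` and `if s["creds"]:` are the idiomatic forms of the two `len()` tests. The enclosing handler method starts before and continues after this hunk.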
-- 
GitLab