{
"Event": {
"analysis": "1",
"date": "2019-05-26",
"extends_uuid": "",
"info": "SMTP attackers honeypot logs for 2019-05-26",
"publish_timestamp": "1558854895",
"published": true,
"threat_level_id": "3",
"timestamp": "1558854881",
"uuid": "5cea377f-d36c-48cf-bd54-31ea950d210f",
"Orgc": {
"name": "MalwareMustDie",
"uuid": "569e04b2-efd0-45bd-b83a-4f7b950d210f"
},
"Tag": [
{
"colour": "#00815a",
"name": "honeypot-basic:data-capture=\"attacks\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#009e6f",
"name": "honeypot-basic:containment=\"block\""
},
{
"colour": "#004646",
"name": "type:OSINT"
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-f300-4161-a740-972e950d210f",
"value": "141.98.10.41"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-0ac4-4201-8fdd-972e950d210f",
"value": "141.98.10.42"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-4740-4b1d-9827-972e950d210f",
"value": "141.98.10.52"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-7ac0-4a2a-bbe7-972e950d210f",
"value": "141.98.10.53"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-f170-4490-90cf-972e950d210f",
"value": "141.98.80.48"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-e2ec-4c1f-b0ce-972e950d210f",
"value": "142.93.201.146"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-900c-440f-a723-972e950d210f",
"value": "185.137.111.14"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-80c0-4de0-9626-972e950d210f",
"value": "185.137.111.145"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-bb48-4d4d-b8b9-972e950d210f",
"value": "185.137.111.44"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-0ffc-438a-91c6-972e950d210f",
"value": "185.137.111.77"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-5aec-4940-b523-972e950d210f",
"value": "185.211.245.170"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-ba90-4e9d-bdb0-972e950d210f",
"value": "185.211.245.198"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-02c4-40b9-855c-972e950d210f",
"value": "185.222.209.97"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-7398-423d-8c84-972e950d210f",
"value": "185.234.216.220"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-9ee4-4d37-9087-972e950d210f",
"value": "185.234.218.129"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-9f38-4ced-9100-972e950d210f",
"value": "185.234.219.60"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-bf94-48cf-a460-972e950d210f",
"value": "185.36.81.145"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-4cac-45d6-a674-972e950d210f",
"value": "185.36.81.164"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-f860-4f26-a3bf-972e950d210f",
"value": "185.36.81.165"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-81b4-4de8-b44a-972e950d210f",
"value": "185.36.81.166"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-12d8-498f-9acb-972e950d210f",
"value": "185.36.81.168"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-bcfc-4971-b85b-972e950d210f",
"value": "185.36.81.169"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-4bc8-4bca-986d-972e950d210f",
"value": "185.36.81.173"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-b514-419a-bd79-972e950d210f",
"value": "185.36.81.175"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-febc-479a-bbd2-972e950d210f",
"value": "185.36.81.176"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-5480-49da-a5bd-972e950d210f",
"value": "185.36.81.180"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-c0ec-4aaf-b66e-972e950d210f",
"value": "185.36.81.182"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-ec80-49f9-9381-972e950d210f",
"value": "185.36.81.40"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-17b0-4f9c-9baf-972e950d210f",
"value": "185.36.81.55"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-5ab4-4375-a017-972e950d210f",
"value": "185.36.81.58"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-a6b4-462b-8be3-972e950d210f",
"value": "185.36.81.61"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-ed3c-41c7-8f4f-972e950d210f",
"value": "185.36.81.64"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-1d1c-4fe6-9621-972e950d210f",
"value": "192.99.175.117"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-484c-4c8f-b73f-972e950d210f",
"value": "37.49.227.146"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-9064-45d1-b272-972e950d210f",
"value": "45.125.65.77"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-d944-48ed-82f6-972e950d210f",
"value": "45.125.65.84"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-2094-46dc-bcf6-972e950d210f",
"value": "45.125.65.91"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-432c-430f-93fe-972e950d210f",
"value": "45.125.65.96"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-811c-4fc5-8b39-972e950d210f",
"value": "45.13.36.1"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-cac4-4a2b-bdb2-972e950d210f",
"value": "45.13.36.22"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-dfb0-4b79-a3ca-972e950d210f",
"value": "45.227.253.107"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-ec68-4670-8ba5-972e950d210f",
"value": "61.173.148.170"
},
{
"category": "Network activity",
"comment": "ESMTP SASL Authentication Brute force attacker IP address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1558853598",
"to_ids": true,
"type": "ip-src",
"uuid": "5cea37de-2800-48c0-a45c-972e950d210f",
"value": "94.177.227.97"
}
]
}
}