DShield (Cowrie) Honeypot Stats and When Sessions Disconnect, (Mon, Mar 30th)
Summary
DShield honeypots, particularly Cowrie, which monitors Telnet and SSH sessions, collect data on bot traffic. Analyzing session duration, commands executed, and disconnection patterns can help differentiate automated bot activity from potentially more sophisticated intrusions and identify whether a honeypot has been fingerprinted.
IFF Assessment
FRIEND
This article provides insights into analyzing honeypot data, which directly aids defenders in understanding and identifying malicious activity.
Defender Context
Defenders can leverage insights from honeypot data analysis to better distinguish between routine bot probes and targeted attacks. Understanding session behavior, like early disconnections or specific command sequences, can inform incident response and threat hunting strategies.
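The per-session analysis described above can be sketched as follows. This is an added example, not code from the original article; it assumes Cowrie's JSON log fields (`eventid`, `session`, `src_ip`, `input`, `duration`), and the sample events, triage labels and thresholds are constructed for illustration.

```python
import json
from collections import Counter, defaultdict

# Constructed events in Cowrie's JSON log layout (not real honeypot data).
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "session": "a1", "src_ip": "192.0.2.10"}
{"eventid": "cowrie.command.input", "session": "a1", "input": "uname -a"}
{"eventid": "cowrie.session.closed", "session": "a1", "duration": "1.2"}
{"eventid": "cowrie.session.connect", "session": "b2", "src_ip": "198.51.100.7"}
{"eventid": "cowrie.command.input", "session": "b2", "input": "cat /proc/cpuinfo"}
{"eventid": "cowrie.command.input", "session": "b2", "input": "free -m"}
{"eventid": "cowrie.session.closed", "session": "b2", "duration": 42.7}
{"eventid": "cowrie.session.connect", "session": "c3", "src_ip": "203.0.113.5"}
{"eventid": "cowrie.session.closed", "session": "c3", "duration": "0.4"}
this line is truncated and must be skipped
"""

def summarize_sessions(lines):
    """Group events by session id: source IP, commands in order, duration."""
    sessions = defaultdict(lambda: {"src_ip": None, "commands": [], "duration": None})
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate partial or rotated log lines
        if not isinstance(ev, dict) or "session" not in ev:
            continue
        s, eid = sessions[ev["session"]], ev.get("eventid")
        if eid == "cowrie.session.connect":
            s["src_ip"] = ev.get("src_ip")
        elif eid == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))
        elif eid == "cowrie.session.closed":
            s["duration"] = float(ev.get("duration", 0))  # accept a string or a number
    return dict(sessions)

def classify(s, short_secs=5.0, few_cmds=2):
    """Hypothetical triage labels; both thresholds are assumptions to tune."""
    if s["duration"] is None:
        return "no-close-event"
    if not s["commands"]:
        return "no-commands"
    if s["duration"] <= short_secs and len(s["commands"]) <= few_cmds:
        return "early-disconnect"
    return "longer-session"

def last_commands(sessions, label="early-disconnect"):
    """Count the final command of sessions with the given label."""
    return Counter(s["commands"][-1] for s in sessions.values()
                   if s["commands"] and classify(s) == label)
```

A final command that recurs across many early-disconnect sessions is a candidate for the check a client used to decide the host was a honeypot.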