Live
← all projects
ShardLure
Attacker identity engine for SSH honeypot telemetry.
About
SSH honeypot that clusters bots by HASSH and username playbook instead of IP. Cowrie + journal ingest, intent classification, live globe dashboard, stealth persona with bait files, and STIX 2.1 IOC export.
Features
Actor clustering by HASSH fingerprint + username taste profiles
7-provider IP enrichment (AbuseIPDB, VirusTotal, GreyNoise, Shodan)
MalwareBazaar payload submission with auto-classification
Live globe dashboard with real-time attack arcs
Stealth persona with bait files and fake services
STIX 2.1 IOC export for threat intelligence sharing
Tech Stack
Go Python SQLite Cowrie HASSH STIX
Enrichment Pipeline
1 SSH session captured via Cowrie / journalctl
2 HASSH fingerprint + username playbook extraction
3 7-provider IP enrichment (AbuseIPDB, VT, GreyNoise, Shodan...)
4 Actor clustering and intent classification
5 STIX 2.1 IOC export + globe dashboard