networkshard

ShardLure

Attacker identity engine for SSH honeypot telemetry.

About

SSH honeypot that clusters bots by HASSH and username playbook instead of IP. Cowrie + journal ingest, intent classification, live globe dashboard, stealth persona with bait files, and STIX 2.1 IOC export.

Features

Actor clustering by HASSH fingerprint + username taste profiles
7-provider IP enrichment (AbuseIPDB, VirusTotal, GreyNoise, Shodan)
MalwareBazaar payload submission with auto-classification
Live globe dashboard with real-time attack arcs
Stealth persona with bait files and fake services
STIX 2.1 IOC export for threat intelligence sharing

Tech Stack

Go Python SQLite Cowrie HASSH STIX

Enrichment Pipeline

1 SSH session captured via Cowrie / journalctl
2 HASSH fingerprint + username playbook extraction
3 7-provider IP enrichment (AbuseIPDB, VT, GreyNoise, Shodan...)
4 Actor clustering and intent classification
5 STIX 2.1 IOC export + globe dashboard