As I mentioned in a previous blog, Cowrie is a fantastic, easy-to-use honeypot. It captures useful information on port scans and brute-force attempts over SSH and Telnet. This information is provided as an event-based feed. The entries –basically, sets of fields– in the feed are not normalized. This means that entries capture different information, based on the event they record.
Cowrie Events
This is the list of Cowrie event types:
| Event | Description |
|---|---|
| cowrie.client.fingerprint | Attributes of an SSH public key used in the attack |
| cowrie.client.kex | Attributes of the SSH key exchange |
| cowrie.client.size | Width and height of the client window |
| cowrie.client.var | Environment variables in the client environment with their corresponding values |
| cowrie.client.version | Version and identification string of the SSH client |
| cowrie.command.failed | Commands entered by the attacker that were not emulated by the honeypot |
| cowrie.command.input | Commands entered by the attacker |
| cowrie.command.success | Commands entered by the attacker that were emulated by the honeypot |
| cowrie.direct-tcpip.data | Data attempted to be sent through direct TCP/IP forwarding |
| cowrie.direct-tcpip.request | Request for proxying via the honeypot |
| cowrie.log.closed | Recording of a TTYlog session ended |
| cowrie.login.failed | A login attempt failed to authenticate |
| cowrie.login.success | A login attempt successfully authenticated |
| cowrie.session.closed | A session is terminated by either the external entity or the honeypot (timeout) |
| cowrie.session.connect | An external entity (scanner, attacker) starts an connection with the honeypot |
| cowrie.session.file_download | File uploaded to the honeypot with commands like curl |
| cowrie.session.file_download.failed | File that failed to upload to the honeypot |
| cowrie.session.file_upload | File uploaded to the honeypot with commands like sftp or scp |
| cowrie.session.params | Details of the emulated architecture (e.g., linux-x64-lsb) |
| cowrie.virustotal.scanfile | SHA-256 hash of a file sent to VirusTotal for scanning |
| cowrie.virustotal.scanurl | URL of a file sent to VirusTotal for scanning |
Cowrie Fields
Each event type is made of a number of fields. Although a few fields –identified with an asterisk in the table below– are common to all events, most fields are event-specific:
| Field | Description |
|---|---|
| arch | Emulated architecture (e.g., linux-x64-lsb) |
| compCS | Client->server compression algorithms in the SSH key exchange |
| data | Data attempted to be sent through direct TCP/IP forwarding |
| dst_ip | IP address of the honeypot |
| dst_port | Targeted port on the honeypot |
| duplicate | true if a TTYlog file was reused, false otherwise |
| duration | Length of the connection in seconds |
| encCS | Client->server encryption algorithms in the SSH key exchange |
| filename | Name of a file uploaded to the honeypot |
| fingerprint | Fingerprint of an SSH public key used in the attack |
| hassh | MD5 hash of hasshAlgorithms, part of the HASSH network fingerprinting standard used to identify specific SSH implementations |
| hasshAlgorithms | Concatenation of the client->server algorithms in the SSH key exchange |
| height | Height of the windows client used to connect to the honeypot |
| id | Unique identifier within a session of an attempt to send data through direct TCP/IP forwarding |
| input | Sequence of one or more Linux command attempted by the attacker on the remote shell |
| is_new | true if the file or URL submitted to VirusTotal is new (first time), false otherwise |
| kexAlgs | SSH key exchange algorithms |
| keyAlgs | Host key algorithms used by the SSH server |
| key | Content of an SSH public key used in the attack |
| langCS | Client->server language algorithms in the SSH key exchange |
| macCS | Client->server MAC algorithms in the SSH key exchange |
| message* | Human readable message summarizing the information in the event |
| name | Name of a variable (e.g., LANG, LC_ALL) in the client environment |
| outfile | Path in the Cowrie environment to file that was uploaded/downloaded to the honeypot |
| password | Username used in attempt to log into honeypot |
| positives | Number of VirusTotal feed providers that reported a submitted sample as a positive (i.e., suspect or malicious) |
| protocol | In our configuration, either ssh or telnet |
| scan_date | Time of a VirusTotal scan in ISO-8601 format |
scans.vendor.detected |
true if VirusTotal feed provider vendor has information on the submitted sample, false otherwise |
scans.vendor.result |
Result provided by VirusTotal feed provider vendor on the submitted sample |
| sensor* | Name of the system hosting the honeypot |
| session* | Unique session identifier |
| sha256 | SHA-256 hash of a file submitted to VirusTotal for scanning |
| shasum | SHA-256 hash of a file uploaded/downloaded to the honeypot |
| size | Size in bytes of the TTYlog file that captured the sequence of commands in an attack |
| src_ip* | IP address of the external entity (scanner or attacker) interacting with the honeypot |
| src_port | Port of the external entity interacting with the honeypot |
| system* | String containing the protocol, source IP address, and source port |
| timestamp* | Timestamp of the event in ISO-8601 format |
| total | Number of VirusTotal feed providers that reported data on a submitted sample |
| ttylog | Path in the Cowrie environment to a TTYlog file that captured the sequence of commands in an attack |
| type | Type of an SSH public key used in the attack; e.g., ssh-rsa |
| url | URL of a file downloaded to the honeypot or submitted to VirusTotal for scanning |
| username | Username used in attempt to log into honeypot |
| value | Value of a variable (e.g., en_US.UTF-8, C.UTF-8) in the client environment |
| version | Version and identification string of the SSH client; e.g., SSH-2.0-OpenSSH_9.3 |
| width | Width of the windows client used to connect to the honeypot |
Appendix I: Event-to-Field Mapping
| Event | Fields |
|---|---|
| cowrie.client.fingerprint | fingerprint key message* sensor* session* src_ip* system* timestamp* type username |
| cowrie.client.kex | compCS encCS hassh hasshAlgorithms kexAlgs keyAlgs langCS macCS message* sensor* session* src_ip* system* timestamp* |
| cowrie.client.size | height message* sensor* session* src_ip* system* timestamp* width |
| cowrie.client.var | message* name sensor* session* src_ip* system* timestamp* value |
| cowrie.client.version | message* sensor* session* src_ip* system* timestamp* version |
| cowrie.command.failed | input message* sensor* session* src_ip* system* timestamp* |
| cowrie.command.input | input message* sensor* session* src_ip* system* timestamp* |
| cowrie.command.success | input message* sensor* session* src_ip* system* timestamp* |
| cowrie.direct-tcpip.data | data dst_ip dst_port id message* sensor* session* src_ip* system* timestamp* |
| cowrie.direct-tcpip.request | dst_ip dst_port message* sensor* session* src_ip* src_port system* timestamp* |
| cowrie.log.closed | duplicate duration message* sensor* session* shasum size src_ip* system* timestamp* ttylog |
| cowrie.login.failed | message* password sensor* session* src_ip* system* timestamp* username |
| cowrie.login.success | message* password sensor* session* src_ip* system* timestamp* username |
| cowrie.session.connect | dst_ip dst_port message* protocol sensor* session* src_ip* src_port system* timestamp* |
| cowrie.session.closed | duplicate duration>duration message* sensor* session* src_ip* system* timestamp* |
| cowrie.session.file_download | message* outfile sensor* session* shasum src_ip* system* timestamp* url |
| cowrie.session.file_download.failed | message* sensor* session* src_ip* system* timestamp* url |
| cowrie.session.file_upload | filename message* outfile sensor* session* shasum src_ip* system* timestamp* |
| cowrie.session.params | arch message* sensor* session* src_ip* system* timestamp* |
| cowrie.virustotal.scanfile | is_new message* positives scan_date scans. vendor.detectedscans. vendor.resultsensor* session* sha256 src_ip* system* timestamp* total |
| cowrie.virustotal.scanurl | is_new message* positives scan_date scans. vendor.detectedscans. vendor.resultsensor* session* src_ip* system* timestamp* total url |
Appendix II: Field-to-Event Mapping
| Field | Present in Event(s) |
|---|---|
| arch | cowrie.session.params |
| compCS | cowrie.client.kex |
| data | cowrie.direct-tcpip.data |
| dst_ip | cowrie.session.connect cowrie.direct-tcpip.request cowrie.direct-tcpip.data |
| dst_port | cowrie.session.connect cowrie.direct-tcpip.request cowrie.direct-tcpip.data |
| duplicate | cowrie.session.closed cowrie.log.closed |
| duration | cowrie.session.closed cowrie.log.closed |
| encCS | cowrie.client.kex |
| filename | cowrie.session.file_upload |
| fingerprint | cowrie.client.fingerprint |
| hassh | cowrie.client.kex |
| hasshAlgorithms | cowrie.client.kex |
| height | cowrie.client.size |
| id | cowrie.direct-tcpip.data |
| input | cowrie.command.input cowrie.command.failed cowrie.command.success |
| is_new | cowrie.virustotal.scanfile cowrie.virustotal.scanurl |
| kexAlgs | cowrie.client.kex |
| keyAlgs | cowrie.client.kex |
| key | cowrie.client.fingerprint |
| langCS | cowrie.client.kex |
| macCS | cowrie.client.kex |
| message* | cowrie.client.fingerprint cowrie.client.kex cowrie.client.size cowrie.client.var cowrie.client.version cowrie.command.failed cowrie.command.input cowrie.command.success cowrie.direct-tcpip.data cowrie.direct-tcpip.request cowrie.log.closed cowrie.login.failed cowrie.login.success cowrie.session.closed cowrie.session.connect cowrie.session.file_download cowrie.session.file_download.failed cowrie.session.file_upload cowrie.session.params cowrie.virustotal.scanfile cowrie.virustotal.scanurl |
| name | cowrie.client.var |
| outfile | cowrie.session.file_download cowrie.session.file_upload |
| password | cowrie.login.failed cowrie.login.success |
| positives | cowrie.virustotal.scanfile cowrie.virustotal.scanurl |
| protocol | cowrie.session.connect |
| scan_date | cowrie.virustotal.scanfile cowrie.virustotal.scanurl |
scans.vendor.detected |
cowrie.virustotal.scanfile cowrie.virustotal.scanurl |
scans.vendor.result |
cowrie.virustotal.scanfile cowrie.virustotal.scanurl |
| sensor* | cowrie.client.fingerprint cowrie.client.kex cowrie.client.size cowrie.client.var cowrie.client.version cowrie.command.failed cowrie.command.input cowrie.command.success cowrie.direct-tcpip.data cowrie.direct-tcpip.request cowrie.log.closed cowrie.login.failed cowrie.login.success cowrie.session.closed cowrie.session.connect cowrie.session.file_download cowrie.session.file_download.failed cowrie.session.file_upload cowrie.session.params cowrie.virustotal.scanfile cowrie.virustotal.scanurl |
| session* | cowrie.client.fingerprint cowrie.client.kex cowrie.client.size cowrie.client.var cowrie.client.version cowrie.command.failed cowrie.command.input cowrie.command.success cowrie.direct-tcpip.data cowrie.direct-tcpip.request cowrie.log.closed cowrie.login.failed cowrie.login.success cowrie.session.closed cowrie.session.connect cowrie.session.file_download cowrie.session.file_download.failed cowrie.session.file_upload cowrie.session.params cowrie.virustotal.scanfile cowrie.virustotal.scanurl |
| sha256 | cowrie.virustotal.scanfile |
| shasum | cowrie.session.file_download cowrie.session.file_upload cowrie.log.closed |
| size | cowrie.log.closed |
| src_ip* | cowrie.client.fingerprint cowrie.client.kex cowrie.client.size cowrie.client.var cowrie.client.version cowrie.command.failed cowrie.command.input cowrie.command.success cowrie.direct-tcpip.data cowrie.direct-tcpip.request cowrie.log.closed cowrie.login.failed cowrie.login.success cowrie.session.closed cowrie.session.connect cowrie.session.file_download cowrie.session.file_download.failed cowrie.session.file_upload cowrie.session.params cowrie.virustotal.scanfile cowrie.virustotal.scanurl |
| src_port | cowrie.session.connect cowrie.direct-tcpip.request |
| system* | cowrie.client.fingerprint cowrie.client.kex cowrie.client.size cowrie.client.var cowrie.client.version cowrie.command.failed cowrie.command.input cowrie.command.success cowrie.direct-tcpip.data cowrie.direct-tcpip.request cowrie.log.closed cowrie.login.failed cowrie.login.success cowrie.session.closed cowrie.session.connect cowrie.session.file_download cowrie.session.file_download.failed cowrie.session.file_upload cowrie.session.params cowrie.virustotal.scanfile cowrie.virustotal.scanurl |
| timestamp* | cowrie.client.fingerprint cowrie.client.kex cowrie.client.size cowrie.client.var cowrie.client.version cowrie.command.failed cowrie.command.input cowrie.command.success cowrie.direct-tcpip.data cowrie.direct-tcpip.request cowrie.log.closed cowrie.login.failed cowrie.login.success cowrie.session.closed cowrie.session.connect cowrie.session.file_download cowrie.session.file_download.failed cowrie.session.file_upload cowrie.session.params cowrie.virustotal.scanfile cowrie.virustotal.scanurl |
| total | cowrie.virustotal.scanfile cowrie.virustotal.scanurl |
| ttylog | cowrie.log.closed |
| type | cowrie.client.fingerprint |
| url | cowrie.virustotal.scanurl cowrie.session.file_download cowrie.session.file_download.failed |
| username | cowrie.login.failed cowrie.login.success cowrie.client.fingerprint |
| value | cowrie.client.var |
| version | cowrie.client.version |
| width | cowrie.client.size |
Leave a Reply