{"id":227,"date":"2023-07-29T12:49:01","date_gmt":"2023-07-29T19:49:01","guid":{"rendered":"https:\/\/francisco.x10.bz\/blog\/?p=227"},"modified":"2025-01-13T09:43:34","modified_gmt":"2025-01-13T17:43:34","slug":"understanding-the-cowrie-feed","status":"publish","type":"post","link":"https:\/\/defrancisco.us\/blog\/index.php\/2023\/07\/29\/understanding-the-cowrie-feed\/","title":{"rendered":"Understanding the Cowrie Feed"},"content":{"rendered":"

As I mentioned in a previous blog<\/a>, Cowrie is a fantastic, easy-to-use honeypot. It captures useful information on port scans and brute-force attempts over SSH and Telnet. This information is provided as an event-based feed. The entries –basically, sets of fields– in the feed are not normalized. This means that entries capture different information, based on the event they record.<\/p>\n

Cowrie Events<\/h2>\n

This is the list of Cowrie event types:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Event<\/th>\nDescription<\/th>\n<\/tr>\n<\/thead>\n
cowrie.client.fingerprint<\/td>\nAttributes of an SSH public key used in the attack<\/td>\n<\/tr>\n
cowrie.client.kex<\/td>\nAttributes of the SSH key exchange<\/td>\n<\/tr>\n
cowrie.client.size<\/td>\nWidth and height of the client window<\/td>\n<\/tr>\n
cowrie.client.var<\/td>\nEnvironment variables in the client environment with their corresponding values<\/td>\n<\/tr>\n
cowrie.client.version<\/td>\nVersion and identification string of the SSH client<\/td>\n<\/tr>\n
cowrie.command.failed<\/td>\nCommands entered by the attacker that were not emulated by the honeypot<\/td>\n<\/tr>\n
cowrie.command.input<\/td>\nCommands entered by the attacker<\/td>\n<\/tr>\n
cowrie.command.success<\/td>\nCommands entered by the attacker that were emulated by the honeypot<\/td>\n<\/tr>\n
cowrie.direct-tcpip.data<\/td>\nData attempted to be sent through direct TCP\/IP forwarding<\/td>\n<\/tr>\n
cowrie.direct-tcpip.request<\/td>\nRequest for proxying via the honeypot<\/td>\n<\/tr>\n
cowrie.log.closed<\/td>\nRecording of a TTYlog session ended<\/td>\n<\/tr>\n
cowrie.login.failed<\/td>\nA login attempt failed to authenticate<\/td>\n<\/tr>\n
cowrie.login.success<\/td>\nA login attempt successfully authenticated<\/td>\n<\/tr>\n
cowrie.session.closed<\/td>\nA session is terminated by either the external entity or the honeypot (timeout)<\/td>\n<\/tr>\n
cowrie.session.connect<\/td>\nAn external entity (scanner, attacker) starts an connection with the honeypot<\/td>\n<\/tr>\n
cowrie.session.file_download<\/td>\nFile uploaded to the honeypot with commands like curl<\/code><\/td>\n<\/tr>\n
cowrie.session.file_download.failed<\/td>\nFile that failed to upload to the honeypot<\/td>\n<\/tr>\n
cowrie.session.file_upload<\/td>\nFile uploaded to the honeypot with commands like sftp<\/code> or scp<\/code><\/td>\n<\/tr>\n
cowrie.session.params<\/td>\nDetails of the emulated architecture (e.g., linux-x64-lsb)<\/td>\n<\/tr>\n
cowrie.virustotal.scanfile<\/td>\nSHA-256 hash of a file sent to VirusTotal for scanning<\/td>\n<\/tr>\n
cowrie.virustotal.scanurl<\/td>\nURL of a file sent to VirusTotal for scanning<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Cowrie Fields<\/h2>\n

Each event type is made of a number of fields. Although a few fields –identified with an asterisk in the table below– are common to all events, most fields are event-specific:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Field<\/th>\nDescription<\/th>\n<\/tr>\n<\/thead>\n
arch<\/td>\nEmulated architecture (e.g., linux-x64-lsb<\/code>)<\/td>\n<\/tr>\n
compCS<\/td>\nClient->server compression algorithms in the SSH key exchange<\/td>\n<\/tr>\n
data<\/td>\nData attempted to be sent through direct TCP\/IP forwarding<\/td>\n<\/tr>\n
dst_ip<\/td>\nIP address of the honeypot<\/td>\n<\/tr>\n
dst_port<\/td>\nTargeted port on the honeypot<\/td>\n<\/tr>\n
duplicate<\/td>\ntrue<\/code> if a TTYlog file was reused, false<\/code> otherwise<\/td>\n<\/tr>\n
duration<\/td>\nLength of the connection in seconds<\/td>\n<\/tr>\n
encCS<\/td>\nClient->server encryption algorithms in the SSH key exchange<\/td>\n<\/tr>\n
filename<\/td>\nName of a file uploaded to the honeypot<\/td>\n<\/tr>\n
fingerprint<\/td>\nFingerprint of an SSH public key used in the attack<\/td>\n<\/tr>\n
hassh<\/td>\nMD5 hash of hasshAlgorithms<\/code>, part of the HASSH network fingerprinting standard used to identify specific SSH implementations<\/td>\n<\/tr>\n
hasshAlgorithms<\/td>\nConcatenation of the client->server algorithms in the SSH key exchange<\/td>\n<\/tr>\n
height<\/td>\nHeight of the windows client used to connect to the honeypot<\/td>\n<\/tr>\n
id<\/td>\nUnique identifier within a session of an attempt to send data through direct TCP\/IP forwarding<\/td>\n<\/tr>\n
input<\/td>\nSequence of one or more Linux command attempted by the attacker on the remote shell<\/td>\n<\/tr>\n
is_new<\/td>\ntrue<\/code> if the file or URL submitted to VirusTotal is new (first time), false<\/code> otherwise<\/td>\n<\/tr>\n
kexAlgs<\/td>\nSSH key exchange algorithms<\/td>\n<\/tr>\n
keyAlgs<\/td>\nHost key algorithms used by the SSH server<\/td>\n<\/tr>\n
key<\/td>\nContent of an SSH public key used in the attack<\/td>\n<\/tr>\n
langCS<\/td>\nClient->server language algorithms in the SSH key exchange<\/td>\n<\/tr>\n
macCS<\/td>\nClient->server MAC algorithms in the SSH key exchange<\/td>\n<\/tr>\n
message*<\/td>\nHuman readable message summarizing the information in the event<\/td>\n<\/tr>\n
name<\/td>\nName of a variable (e.g., LANG<\/code>, LC_ALL<\/code>) in the client environment<\/td>\n<\/tr>\n
outfile<\/td>\nPath in the Cowrie environment to file that was uploaded\/downloaded to the honeypot<\/td>\n<\/tr>\n
password<\/td>\nUsername used in attempt to log into honeypot<\/td>\n<\/tr>\n
positives<\/td>\nNumber of VirusTotal feed providers that reported a submitted sample as a positive (i.e., suspect or malicious)<\/td>\n<\/tr>\n
protocol<\/td>\nIn our configuration, either ssh<\/code> or telnet<\/code><\/td>\n<\/tr>\n
scan_date<\/td>\nTime of a VirusTotal scan in ISO-8601 format<\/td>\n<\/tr>\n
scans.vendor<\/code>.detected<\/td>\ntrue<\/code> if VirusTotal feed provider vendor<\/code> has information on the submitted sample, false<\/code> otherwise<\/td>\n<\/tr>\n
scans.vendor<\/code>.result<\/td>\nResult provided by VirusTotal feed provider vendor<\/code> on the submitted sample<\/td>\n<\/tr>\n
sensor*<\/td>\nName of the system hosting the honeypot<\/td>\n<\/tr>\n
session*<\/td>\nUnique session identifier<\/td>\n<\/tr>\n
sha256<\/td>\nSHA-256 hash of a file submitted to VirusTotal for scanning<\/td>\n<\/tr>\n
shasum<\/td>\nSHA-256 hash of a file uploaded\/downloaded to the honeypot<\/td>\n<\/tr>\n
size<\/td>\nSize in bytes of the TTYlog file that captured the sequence of commands in an attack<\/td>\n<\/tr>\n
src_ip*<\/td>\nIP address of the external entity (scanner or attacker) interacting with the honeypot<\/td>\n<\/tr>\n
src_port<\/td>\nPort of the external entity interacting with the honeypot<\/td>\n<\/tr>\n
system*<\/td>\nString containing the protocol, source IP address, and source port<\/td>\n<\/tr>\n
timestamp*<\/td>\nTimestamp of the event in ISO-8601 format<\/td>\n<\/tr>\n
total<\/td>\nNumber of VirusTotal feed providers that reported data on a submitted sample<\/td>\n<\/tr>\n
ttylog<\/td>\nPath in the Cowrie environment to a TTYlog file that captured the sequence of commands in an attack<\/td>\n<\/tr>\n
type<\/td>\nType of an SSH public key used in the attack; e.g., ssh-rsa<\/code><\/td>\n<\/tr>\n
url<\/td>\nURL of a file downloaded to the honeypot or submitted to VirusTotal for scanning<\/td>\n<\/tr>\n
username<\/td>\nUsername used in attempt to log into honeypot<\/td>\n<\/tr>\n
value<\/td>\nValue of a variable (e.g., en_US.UTF-8<\/code>, C.UTF-8<\/code>) in the client environment<\/td>\n<\/tr>\n
version<\/td>\nVersion and identification string of the SSH client; e.g., SSH-2.0-OpenSSH_9.3<\/code><\/td>\n<\/tr>\n
width<\/td>\nWidth of the windows client used to connect to the honeypot<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Appendix I: Event-to-Field Mapping<\/h2>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Event<\/th>\nFields<\/th>\n<\/tr>\n<\/thead>\n
cowrie.client.fingerprint<\/td>\nfingerprint
key
message*
sensor*
session*
src_ip*
system*
timestamp*
type
username<\/td>\n<\/tr>\n
cowrie.client.kex<\/td>\ncompCS
encCS
hassh
hasshAlgorithms
kexAlgs
keyAlgs
langCS
macCS
message*
sensor*
session*
src_ip*
system*
timestamp*<\/td>\n<\/tr>\n
cowrie.client.size<\/td>\nheight
message*
sensor*
session*
src_ip*
system*
timestamp*
width<\/td>\n<\/tr>\n
cowrie.client.var<\/td>\nmessage*
name
sensor*
session*
src_ip*
system*
timestamp*
value<\/td>\n<\/tr>\n
cowrie.client.version<\/td>\nmessage*
sensor*
session*
src_ip*
system*
timestamp*
version<\/td>\n<\/tr>\n
cowrie.command.failed<\/td>\ninput
message*
sensor*
session*
src_ip*
system*
timestamp*<\/td>\n<\/tr>\n
cowrie.command.input<\/td>\ninput
message*
sensor*
session*
src_ip*
system*
timestamp*<\/td>\n<\/tr>\n
cowrie.command.success<\/td>\ninput
message*
sensor*
session*
src_ip*
system*
timestamp*<\/td>\n<\/tr>\n
cowrie.direct-tcpip.data<\/td>\ndata
dst_ip
dst_port
id
message*
sensor*
session*
src_ip*
system*
timestamp*<\/td>\n<\/tr>\n
cowrie.direct-tcpip.request<\/td>\ndst_ip
dst_port
message*
sensor*
session*
src_ip*
src_port
system*
timestamp*<\/td>\n<\/tr>\n
cowrie.log.closed<\/td>\nduplicate
duration
message*
sensor*
session*
shasum
size
src_ip*
system*
timestamp*
ttylog<\/td>\n<\/tr>\n
cowrie.login.failed<\/td>\nmessage*
password
sensor*
session*
src_ip*
system*
timestamp*
username<\/td>\n<\/tr>\n
cowrie.login.success<\/td>\nmessage*
password
sensor*
session*
src_ip*
system*
timestamp*
username<\/td>\n<\/tr>\n
cowrie.session.connect<\/td>\ndst_ip
dst_port
message*
protocol
sensor*
session*
src_ip*
src_port
system*
timestamp*<\/td>\n<\/tr>\n
cowrie.session.closed<\/td>\nduplicate
duration>duration
message*
sensor*
session*
src_ip*
system*
timestamp*<\/td>\n<\/tr>\n
cowrie.session.file_download<\/td>\nmessage*
outfile
sensor*
session*
shasum
src_ip*
system*
timestamp*
url<\/td>\n<\/tr>\n
cowrie.session.file_download.failed<\/td>\nmessage*
sensor*
session*
src_ip*
system*
timestamp*
url<\/td>\n<\/tr>\n
cowrie.session.file_upload<\/td>\nfilename
message*
outfile
sensor*
session*
shasum
src_ip*
system*
timestamp*<\/td>\n<\/tr>\n
cowrie.session.params<\/td>\narch
message*
sensor*
session*
src_ip*
system*
timestamp*<\/td>\n<\/tr>\n
cowrie.virustotal.scanfile<\/td>\nis_new
message*
positives
scan_date
scans.vendor<\/code>.detected
scans.vendor<\/code>.result
sensor*
session*
sha256
src_ip*
system*
timestamp*
total<\/td>\n<\/tr>\n
cowrie.virustotal.scanurl<\/td>\nis_new
message*
positives
scan_date
scans.vendor<\/code>.detected
scans.vendor<\/code>.result
sensor*
session*
src_ip*
system*
timestamp*
total
url<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Appendix II: Field-to-Event Mapping<\/h2>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Field<\/th>\nPresent in Event(s)<\/th>\n<\/tr>\n<\/thead>\n
arch<\/td>\ncowrie.session.params<\/td>\n<\/tr>\n
compCS<\/td>\ncowrie.client.kex<\/td>\n<\/tr>\n
data<\/td>\ncowrie.direct-tcpip.data<\/td>\n<\/tr>\n
dst_ip<\/td>\ncowrie.session.connect
cowrie.direct-tcpip.request
cowrie.direct-tcpip.data<\/td>\n<\/tr>\n
dst_port<\/td>\ncowrie.session.connect
cowrie.direct-tcpip.request
cowrie.direct-tcpip.data<\/td>\n<\/tr>\n
duplicate<\/td>\ncowrie.session.closed
cowrie.log.closed<\/td>\n<\/tr>\n
duration<\/td>\ncowrie.session.closed
cowrie.log.closed<\/td>\n<\/tr>\n
encCS<\/td>\ncowrie.client.kex<\/td>\n<\/tr>\n
filename<\/td>\ncowrie.session.file_upload<\/td>\n<\/tr>\n
fingerprint<\/td>\ncowrie.client.fingerprint<\/td>\n<\/tr>\n
hassh<\/td>\ncowrie.client.kex<\/td>\n<\/tr>\n
hasshAlgorithms<\/td>\ncowrie.client.kex<\/td>\n<\/tr>\n
height<\/td>\ncowrie.client.size<\/td>\n<\/tr>\n
id<\/td>\ncowrie.direct-tcpip.data<\/td>\n<\/tr>\n
input<\/td>\ncowrie.command.input
cowrie.command.failed
cowrie.command.success<\/td>\n<\/tr>\n
is_new<\/td>\ncowrie.virustotal.scanfile
cowrie.virustotal.scanurl<\/td>\n<\/tr>\n
kexAlgs<\/td>\ncowrie.client.kex<\/td>\n<\/tr>\n
keyAlgs<\/td>\ncowrie.client.kex<\/td>\n<\/tr>\n
key<\/td>\ncowrie.client.fingerprint<\/td>\n<\/tr>\n
langCS<\/td>\ncowrie.client.kex<\/td>\n<\/tr>\n
macCS<\/td>\ncowrie.client.kex<\/td>\n<\/tr>\n
message*<\/td>\ncowrie.client.fingerprint
cowrie.client.kex
cowrie.client.size
cowrie.client.var
cowrie.client.version
cowrie.command.failed
cowrie.command.input
cowrie.command.success
cowrie.direct-tcpip.data
cowrie.direct-tcpip.request
cowrie.log.closed
cowrie.login.failed
cowrie.login.success
cowrie.session.closed
cowrie.session.connect
cowrie.session.file_download
cowrie.session.file_download.failed
cowrie.session.file_upload
cowrie.session.params
cowrie.virustotal.scanfile
cowrie.virustotal.scanurl<\/td>\n<\/tr>\n
name<\/td>\ncowrie.client.var<\/td>\n<\/tr>\n
outfile<\/td>\ncowrie.session.file_download
cowrie.session.file_upload<\/td>\n<\/tr>\n
password<\/td>\ncowrie.login.failed
cowrie.login.success<\/td>\n<\/tr>\n
positives<\/td>\ncowrie.virustotal.scanfile
cowrie.virustotal.scanurl<\/td>\n<\/tr>\n
protocol<\/td>\ncowrie.session.connect<\/td>\n<\/tr>\n
scan_date<\/td>\ncowrie.virustotal.scanfile
cowrie.virustotal.scanurl<\/td>\n<\/tr>\n
scans.vendor<\/code>.detected<\/td>\ncowrie.virustotal.scanfile
cowrie.virustotal.scanurl<\/td>\n<\/tr>\n
scans.vendor<\/code>.result<\/td>\ncowrie.virustotal.scanfile
cowrie.virustotal.scanurl<\/td>\n<\/tr>\n
sensor*<\/td>\ncowrie.client.fingerprint
cowrie.client.kex
cowrie.client.size
cowrie.client.var
cowrie.client.version
cowrie.command.failed
cowrie.command.input
cowrie.command.success
cowrie.direct-tcpip.data
cowrie.direct-tcpip.request
cowrie.log.closed
cowrie.login.failed
cowrie.login.success
cowrie.session.closed
cowrie.session.connect
cowrie.session.file_download
cowrie.session.file_download.failed
cowrie.session.file_upload
cowrie.session.params
cowrie.virustotal.scanfile
cowrie.virustotal.scanurl<\/td>\n<\/tr>\n
session*<\/td>\ncowrie.client.fingerprint
cowrie.client.kex
cowrie.client.size
cowrie.client.var
cowrie.client.version
cowrie.command.failed
cowrie.command.input
cowrie.command.success
cowrie.direct-tcpip.data
cowrie.direct-tcpip.request
cowrie.log.closed
cowrie.login.failed
cowrie.login.success
cowrie.session.closed
cowrie.session.connect
cowrie.session.file_download
cowrie.session.file_download.failed
cowrie.session.file_upload
cowrie.session.params
cowrie.virustotal.scanfile
cowrie.virustotal.scanurl<\/td>\n<\/tr>\n
sha256<\/td>\ncowrie.virustotal.scanfile<\/td>\n<\/tr>\n
shasum<\/td>\ncowrie.session.file_download
cowrie.session.file_upload
cowrie.log.closed<\/td>\n<\/tr>\n
size<\/td>\ncowrie.log.closed<\/td>\n<\/tr>\n
src_ip*<\/td>\ncowrie.client.fingerprint
cowrie.client.kex
cowrie.client.size
cowrie.client.var
cowrie.client.version
cowrie.command.failed
cowrie.command.input
cowrie.command.success
cowrie.direct-tcpip.data
cowrie.direct-tcpip.request
cowrie.log.closed
cowrie.login.failed
cowrie.login.success
cowrie.session.closed
cowrie.session.connect
cowrie.session.file_download
cowrie.session.file_download.failed
cowrie.session.file_upload
cowrie.session.params
cowrie.virustotal.scanfile
cowrie.virustotal.scanurl<\/td>\n<\/tr>\n
src_port<\/td>\ncowrie.session.connect
cowrie.direct-tcpip.request<\/td>\n<\/tr>\n
system*<\/td>\ncowrie.client.fingerprint
cowrie.client.kex
cowrie.client.size
cowrie.client.var
cowrie.client.version
cowrie.command.failed
cowrie.command.input
cowrie.command.success
cowrie.direct-tcpip.data
cowrie.direct-tcpip.request
cowrie.log.closed
cowrie.login.failed
cowrie.login.success
cowrie.session.closed
cowrie.session.connect
cowrie.session.file_download
cowrie.session.file_download.failed
cowrie.session.file_upload
cowrie.session.params
cowrie.virustotal.scanfile
cowrie.virustotal.scanurl<\/td>\n<\/tr>\n
timestamp*<\/td>\ncowrie.client.fingerprint
cowrie.client.kex
cowrie.client.size
cowrie.client.var
cowrie.client.version
cowrie.command.failed
cowrie.command.input
cowrie.command.success
cowrie.direct-tcpip.data
cowrie.direct-tcpip.request
cowrie.log.closed
cowrie.login.failed
cowrie.login.success
cowrie.session.closed
cowrie.session.connect
cowrie.session.file_download
cowrie.session.file_download.failed
cowrie.session.file_upload
cowrie.session.params
cowrie.virustotal.scanfile
cowrie.virustotal.scanurl<\/td>\n<\/tr>\n
total<\/td>\ncowrie.virustotal.scanfile
cowrie.virustotal.scanurl<\/td>\n<\/tr>\n
ttylog<\/td>\ncowrie.log.closed<\/td>\n<\/tr>\n
type<\/td>\ncowrie.client.fingerprint<\/td>\n<\/tr>\n
url<\/td>\ncowrie.virustotal.scanurl
cowrie.session.file_download
cowrie.session.file_download.failed<\/td>\n<\/tr>\n
username<\/td>\ncowrie.login.failed
cowrie.login.success
cowrie.client.fingerprint<\/td>\n<\/tr>\n
value<\/td>\ncowrie.client.var<\/td>\n<\/tr>\n
version<\/td>\ncowrie.client.version<\/td>\n<\/tr>\n
width<\/td>\ncowrie.client.size<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"

As I mentioned in a previous blog, Cowrie is a fantastic, easy-to-use honeypot. It captures useful information on port scans and brute-force attempts over SSH and Telnet. This information is provided as an event-based feed. The entries –basically, sets of fields– in the feed are not normalized. This means that entries capture different information, based […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-227","post","type-post","status-publish","format-standard","hentry","category-cyber"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/defrancisco.us\/blog\/index.php\/wp-json\/wp\/v2\/posts\/227","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/defrancisco.us\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defrancisco.us\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defrancisco.us\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/defrancisco.us\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=227"}],"version-history":[{"count":1,"href":"https:\/\/defrancisco.us\/blog\/index.php\/wp-json\/wp\/v2\/posts\/227\/revisions"}],"predecessor-version":[{"id":228,"href":"https:\/\/defrancisco.us\/blog\/index.php\/wp-json\/wp\/v2\/posts\/227\/revisions\/228"}],"wp:attachment":[{"href":"https:\/\/defrancisco.us\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=227"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defrancisco.us\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=227"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defrancisco.us\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=227"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}