Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.
Cowrie is developed by Michel Oosterhof.
Some interesting features:
cat files such as /etc/passwd. Only minimal file contents are included
Cowrie saves files downloaded with wget/curl or uploaded with SFTP and scp for later inspection
Additional functionality over standard kippo:
SFTP and SCP support for file upload
Files of interest:
cowrie.cfg - Cowrie's configuration file. Default values can be found in
data/fs.pickle - fake filesystem
data/userdb.txt - credentials allowed or disallowed to access the honeypot
dl/ - files transferred from the attacker to the honeypot are stored here
honeyfs/ - file contents for the fake filesystem - feel free to copy a real system here or use
log/cowrie.json - transaction output in JSON format
log/cowrie.log - log/debug output
log/tty/*.log - session logs
txtcmds/ - file contents for the fake commands
bin/createfs - used to create the fake filesystem
bin/playlog - utility to replay session logs
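As an added example (not part of Cowrie itself), this is one way to triage log/cowrie.json: count failed logins per source address and list the commands typed in each logged-in session. It assumes the log holds one JSON object per line with the fields eventid, src_ip, session, username, password and input; the sample lines are constructed.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of log/cowrie.json: one JSON object per line.
# Field names (eventid, src_ip, session, username, password, input) are assumed
# from Cowrie's JSON output; the last line is cut off on purpose.
SAMPLE_LOG = '''
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"s1","username":"root","password":"123456"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"s1","username":"root","password":"admin"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.7","session":"s1","username":"root","password":"root"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"s1","input":"cat /etc/passwd"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.9","session":"s2","username":"admin","password":"admin"}
{"eventid":"cowrie.command.input","src_ip":"198.51.1
'''

def summarize(lines):
    """Tally failed logins per source and collect commands per logged-in session."""
    failed_by_ip = Counter()
    credentials = Counter()
    sessions = defaultdict(lambda: {"src_ip": None, "login": None, "commands": []})
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None  # partially written or corrupted line
        if not isinstance(event, dict):
            skipped += 1
            continue
        eventid = event.get("eventid", "")
        pair = (event.get("username"), event.get("password"))
        if eventid == "cowrie.login.failed":
            failed_by_ip[event.get("src_ip")] += 1
            credentials[pair] += 1
        elif eventid == "cowrie.login.success":
            credentials[pair] += 1
            sessions[event.get("session")].update(src_ip=event.get("src_ip"), login=pair)
        elif eventid == "cowrie.command.input":
            sessions[event.get("session")]["commands"].append(event.get("input", ""))
    return {"failed_by_ip": failed_by_ip, "credentials": credentials,
            "sessions": dict(sessions), "skipped": skipped}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for ip, count in report["failed_by_ip"].most_common():
        print(f"{ip}: {count} failed logins")
    for sid, s in report["sessions"].items():
        # Logged strings are attacker-controlled: print with repr() so control
        # characters cannot reach the analyst's terminal.
        print(sid, s["src_ip"], repr(s["login"]), [repr(c) for c in s["commands"]])
```

To run it against a real log, pass an open file handle for log/cowrie.json to summarize() instead of the sample lines.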