Kippo's Cousin Cowrie
We have mentioned Kippo a lot on the site, but a nice fork is a program called Cowrie (hxxps://github.com/micheloosterhof/cowrie). It has some nice new features, including built-in support for submitting logs to DShield! Since the install is the same as Kippo's, I'll skip that and point you to the Cowrie install guide for the basics (hxxps://github.com/micheloosterhof/cowrie/blob/master/INSTALL.md).
DShield Setup
To set up DShield log submission on Ubuntu, you'll need one additional Python module installed.
>sudo apt-get install python-dateutil
Then we need to enable the DShield output plugin in cowrie.cfg: uncomment the section that starts with the plugin name (remove the leading '#' from each of its lines). You'll also need your account info. Once logged into ISC, go to My Accounts -> My Reports, select Update Info, and you'll see your auth_key.
>vi /home/cowrie/cowrie.cfg
[output_dshield]
userid = 0123456789
auth_key = mysuperawesomekeycode
batch_size = 100
Once you have this set up, switch to the cowrie user and restart the service. To troubleshoot setup issues, look in /home/cowrie/log/cowrie.log; a working setup logs that the output engine was loaded:
>fgrep dshield /home/cowrie/cowrie.log
2016-04-27 00:46:26+0000 [-] Loaded output engine: dshield
AppArmor Setup
To protect the OS, it's good to put some additional security controls around the honeypot process. My honeypot is running on Ubuntu, so I chose AppArmor. You can access my Cowrie profile on my GitHub at hxxps://goo.gl/6F5FdG. While I could lock it down a bit more, it seems to work well.
Once you have downloaded the file, copy it into the AppArmor profile directory. (NOTE: AppArmor profile files are conventionally named after the path of the program they confine, with '/' replaced by '.', and the profile itself names that path. If you did not install Cowrie in /home/cowrie you must rename the file and change the path inside the profile to match your install location.)
>sudo cp /home/user/download/home.cowrie.start.sh /etc/apparmor.d/
Now place the profile into enforce mode.
>sudo aa-enforce /etc/apparmor.d/home.cowrie.start.sh
Now restart the Cowrie service, then check that the process is actually confined. The honeypot should appear both under the loaded profiles and under the processes in enforce mode.
>aa-status
apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
/home/cowrie/start.sh
/sbin/dhclient
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/sbin/tcpdump
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
/home/cowrie/start.sh (25592)
/sbin/dhclient (658)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
To get a better understanding of what the profile actually allows, check out hxxp://wiki.apparmor.net/index.php/QuickProfileLanguage.
Sqlite3 Setup
I run my honeypots on very lean VMs (512 MB RAM), so they will not run MySQL, but to get similar power Cowrie has support for SQLite3!
Create database
>cd /home/cowrie
>sqlite3 cowrie.db
sqlite>.read /home/cowrie/doc/sql/sqlite3.sql
In cowrie.cfg
>vi /home/cowrie/cowrie.cfg
[output_sqlite]
db_file = /home/cowrie/cowrie.db
Once you have restarted the service, everything should be ready to go. If you are new to SQLite, a few useful dot-commands to get you started are below. Note that these are typed at the sqlite> prompt inside the sqlite3 client, not at the shell.
sqlite> .schema
sqlite> .tables
sqlite> .quit
To access the database and get querying.
>sqlite3 /home/cowrie/cowrie.db
Query to see all connected sessions.
sqlite>select * from sessions;
80ec8485|2016-04-21T19:50:00.662184Z|2016-04-21T19:50:52.884641Z|0|1.1.1.1|59x231|1
To see what user/password combinations were used.
sqlite> select * from auth;
1|80ec8485|1|root|toor|2016-04-21T19:50:05.887822Z
To see what commands the attacker ran at the command prompt.
sqlite> select * from input;
1|80ec8485|2016-04-21T19:50:10.746605Z||1|ps -ef
2|80ec8485|2016-04-21T19:50:11.807890Z||1|ls
3|80ec8485|2016-04-21T19:50:13.832965Z||1|cat /tmp
4|80ec8485|2016-04-21T19:50:45.056651Z||1|wget https://github.com/micheloosterhof/cowrie/archive/master.zip
5|80ec8485|2016-04-21T19:50:52.558221Z||1|exit
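The three queries above are the ones you run by hand at the sqlite> prompt. Once the database fills up, the questions that matter are cross-table ones: which credential pairs get tried most, which sessions fetched a file, and how long each session lasted. The following is an added example, not code from Cowrie or from this diary; it uses Python's standard sqlite3 module because Cowrie itself is Python. The schema is a constructed reduction of Cowrie's doc/sql/sqlite3.sql to the columns visible in the sample rows above, and the sample rows are constructed: the diary's session 80ec8485 plus a second, failed-login session (deadbeef) so that the success/failure split is visible. Point open_db() at /home/cowrie/cowrie.db and skip load_sample() to run the same queries against a live honeypot.

```python
"""Cross-table queries over a Cowrie sqlite3 database (added example, not
Cowrie's own code). SCHEMA mirrors the columns in the diary's sample rows;
the sample rows below are constructed for this demonstration."""
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS sessions (
  id CHAR(32) PRIMARY KEY, starttime DATETIME NOT NULL, endtime DATETIME,
  sensor INTEGER NOT NULL, ip VARCHAR(15) NOT NULL, termsize VARCHAR(7),
  client INTEGER);
CREATE TABLE IF NOT EXISTS auth (
  id INTEGER PRIMARY KEY AUTOINCREMENT, session CHAR(32) NOT NULL,
  success TINYINT(1) NOT NULL, username VARCHAR(100) NOT NULL,
  password VARCHAR(100) NOT NULL, timestamp DATETIME NOT NULL);
CREATE TABLE IF NOT EXISTS input (
  id INTEGER PRIMARY KEY AUTOINCREMENT, session CHAR(32) NOT NULL,
  timestamp DATETIME NOT NULL, realm VARCHAR(50), success TINYINT(1),
  input TEXT NOT NULL);
"""

# Constructed rows: (id, starttime, endtime, sensor, ip, termsize, client)
SESSIONS = [
    ("80ec8485", "2016-04-21T19:50:00.662184Z", "2016-04-21T19:50:52.884641Z",
     0, "1.1.1.1", "59x231", 1),
    ("deadbeef", "2016-04-21T20:10:00.000000Z", "2016-04-21T20:10:05.000000Z",
     0, "2.2.2.2", "80x24", 1),
]
# Constructed rows: (session, success, username, password, timestamp)
AUTH = [
    ("80ec8485", 1, "root", "toor", "2016-04-21T19:50:05.887822Z"),
    ("deadbeef", 0, "root", "123456", "2016-04-21T20:10:01.000000Z"),
    ("deadbeef", 0, "root", "123456", "2016-04-21T20:10:02.000000Z"),
    ("deadbeef", 0, "admin", "admin", "2016-04-21T20:10:03.000000Z"),
]
# Constructed rows: (session, timestamp, realm, success, input)
INPUT = [
    ("80ec8485", "2016-04-21T19:50:10.746605Z", None, 1, "ps -ef"),
    ("80ec8485", "2016-04-21T19:50:11.807890Z", None, 1, "ls"),
    ("80ec8485", "2016-04-21T19:50:13.832965Z", None, 1, "cat /tmp"),
    ("80ec8485", "2016-04-21T19:50:45.056651Z", None, 1,
     "wget https://github.com/micheloosterhof/cowrie/archive/master.zip"),
    ("80ec8485", "2016-04-21T19:50:52.558221Z", None, 1, "exit"),
]


def open_db(path=":memory:"):
    """Open a Cowrie-style database; CREATE IF NOT EXISTS is a no-op on
    a real cowrie.db that already has the tables."""
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    return con


def load_sample(con):
    """Insert the constructed rows (only for the in-memory demo)."""
    con.executemany("INSERT OR IGNORE INTO sessions VALUES (?,?,?,?,?,?,?)", SESSIONS)
    con.executemany("INSERT INTO auth (session,success,username,password,timestamp)"
                    " VALUES (?,?,?,?,?)", AUTH)
    con.executemany("INSERT INTO input (session,timestamp,realm,success,input)"
                    " VALUES (?,?,?,?,?)", INPUT)
    con.commit()


def sample_db():
    """In-memory database preloaded with the constructed rows."""
    con = open_db()
    load_sample(con)
    return con


def credential_counts(con):
    """(username, password, successes, attempts), most-tried pair first."""
    return con.execute(
        "SELECT username, password, SUM(success), COUNT(*) FROM auth "
        "GROUP BY username, password ORDER BY COUNT(*) DESC, username, password"
    ).fetchall()


def download_sessions(con):
    """(session, source ip, command) for every attempt to fetch a file:
    the sessions to triage first, since they may have dropped a payload."""
    return con.execute(
        "SELECT i.session, s.ip, i.input FROM input i "
        "JOIN sessions s ON s.id = i.session "
        "WHERE i.input LIKE 'wget %' OR i.input LIKE 'curl %' OR i.input LIKE 'tftp %' "
        "ORDER BY i.timestamp"
    ).fetchall()


def session_seconds(con):
    """{session id: duration in seconds}. Cowrie's ISO-8601 'Z' timestamps
    are accepted directly by SQLite's julianday()."""
    rows = con.execute(
        "SELECT id, (julianday(endtime) - julianday(starttime)) * 86400.0 "
        "FROM sessions WHERE endtime IS NOT NULL"
    ).fetchall()
    return {sid: secs for sid, secs in rows}


if __name__ == "__main__":
    db = sample_db()
    for row in credential_counts(db):
        print("%s/%s: %d of %d logins succeeded" % row)
    for sid, ip, cmd in download_sessions(db):
        print("download attempt in %s from %s: %s" % (sid, ip, cmd))
    for sid, secs in session_seconds(db).items():
        print("session %s lasted %.1f seconds" % (sid, secs))
```

The GROUP BY in credential_counts is the query worth keeping around: on a live honeypot it turns the auth table into a ranked list of the password pairs bots are trying, and the SUM(success) column shows which of them actually got in.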
I've enjoyed using Cowrie on my latest setup with SQLite3. It's been solid over the last week and I have not run into any issues.
--
Tom Webb