Kippo's Cousin Cowrie

Published: 2016-04-27
Last Updated: 2016-04-27 02:03:51 UTC
by Tom Webb (Version: 1)

We have mentioned Kippo a lot on the site, but a nice fork is a program called cowrie. (hxxps:// It has some nice new features, including built-in support for Dshield! Since the install is the same as Kippo, I’ll skip that and point you to the cowrie install guide for the basics (hxxps://


Dshield Setup

To set up Dshield logging on Ubuntu, you’ll need one additional Python package installed.

>sudo apt-get install python-dateutil


Then we need to enable the Dshield portion of the configuration. Remove the ‘#’ from the lines of that section, beginning with the line that carries the plugin name. You’ll also need your account info. Once logged into ISC, go to My Accounts -> My reports. Select Update info and you’ll see your auth_key.


>vi /home/cowrie/cowrie.cfg



userid = 0123456789

auth_key = mysuperawesomekeycode

batch_size = 100


Once you have this set up, switch to the cowrie user and restart the service. To troubleshoot setup issues, look in /home/cowrie/log/cowrie.log


>fgrep dshield /home/cowrie/log/cowrie.log


2016-04-27 00:46:26+0000 [-] Loaded output engine: dshield


AppArmor Setup


To protect the OS, it's good to put some additional security controls around the honeypot.  My honeypot is running on Ubuntu, so I chose AppArmor. You can access my cowrie profile on my GitHub at hxxps://  While I could lock it down a bit more, it seems to work well.


Once you have downloaded the file, you need to copy it to the AppArmor folder.  (NOTE: If you did not install cowrie in the /home/cowrie folder, you must rename the profile to match the folder you used.)

>sudo cp /home/user/download/ /etc/apparmor.d/


Now place the service into enforcement mode.

>sudo aa-enforce /etc/apparmor.d/


Now restart the cowrie service. Then check with aa-status to see if it's being protected.



apparmor module is loaded.

5 profiles are loaded.

5 profiles are in enforce mode.






0 profiles are in complain mode.

2 processes have profiles defined.

2 processes are in enforce mode.

  /home/cowrie/ (25592)

  /sbin/dhclient (658)

0 processes are in complain mode.

0 processes are unconfined but have a profile defined.


To get a better understanding of what the actual profile is allowing, check out hxxp://


Sqlite3 Setup

I run my honeypots on very lean VMs (512 MB RAM), so they will not run with MySQL on them, but to get similar power cowrie has support for sqlite3!


Create database

>cd /home/cowrie

>sqlite3 cowrie.db

sqlite>.read /home/cowrie/doc/sql/sqlite3.sql


In cowrie.cfg

>vi /home/cowrie/cowrie.cfg



db_file = /home/cowrie/cowrie.db


Once you have restarted the service, everything should be ready to go. If you are new to SQLite, a few useful commands to get you started are below. These are typed at the sqlite> prompt after opening the database, not at the shell.


sqlite>.schema

sqlite>.tables

sqlite>.quit


To open the database and start querying:


>sqlite3 /home/cowrie/cowrie.db


Query to see all connected sessions.

sqlite>select * from sessions;




To see what user/password combinations were used.

sqlite> select * from auth;




To see what commands the attacker ran at the command prompt.

sqlite> select * from input;


1|80ec8485|2016-04-21T19:50:10.746605Z||1|ps -ef


3|80ec8485|2016-04-21T19:50:13.832965Z||1|cat /tmp
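
As an added example (not from the original diary or the cowrie project), the three tables queried above can be summarised from a script instead of read row by row. The column names are assumptions and all rows are constructed sample data; confirm the real layout with .schema on your own cowrie.db.

```python
import sqlite3

# Assumed columns for the three tables queried above; confirm them with
# .schema on your own cowrie.db before reusing these queries.
SCHEMA = """
CREATE TABLE sessions (id TEXT PRIMARY KEY, starttime TEXT, endtime TEXT, ip TEXT);
CREATE TABLE auth (id INTEGER PRIMARY KEY, session TEXT, success INTEGER,
                   username TEXT, password TEXT, timestamp TEXT);
CREATE TABLE input (id INTEGER PRIMARY KEY, session TEXT, timestamp TEXT,
                    realm TEXT, success INTEGER, input TEXT);
"""

def open_sample_db():
    """Return an in-memory database holding constructed rows, not real captures."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO sessions VALUES (?,?,?,?)", [
        ("80ec8485", "2016-04-21T19:50:01Z", "2016-04-21T19:51:00Z", "192.0.2.10"),
        ("a1b2c3d4", "2016-04-21T20:00:00Z", "2016-04-21T20:00:09Z", "198.51.100.7")])
    db.executemany(
        "INSERT INTO auth (session, success, username, password, timestamp) "
        "VALUES (?,?,?,?,?)", [
            ("80ec8485", 0, "root", "admin", "2016-04-21T19:50:03Z"),
            ("80ec8485", 1, "root", "123456", "2016-04-21T19:50:05Z"),
            ("a1b2c3d4", 0, "root", "admin", "2016-04-21T20:00:02Z"),
            ("a1b2c3d4", 0, "admin", "admin", "2016-04-21T20:00:04Z")])
    db.executemany(
        "INSERT INTO input (session, timestamp, realm, success, input) "
        "VALUES (?,?,?,?,?)", [
            ("80ec8485", "2016-04-21T19:50:10.746605Z", None, 1, "ps -ef"),
            ("80ec8485", "2016-04-21T19:50:13.832965Z", None, 1, "cat /tmp")])
    return db

def top_credentials(db, limit=10):
    """Most frequently tried username/password pairs across all sessions."""
    return db.execute(
        "SELECT username, password, COUNT(*) AS tries FROM auth "
        "GROUP BY username, password ORDER BY tries DESC, username, password LIMIT ?",
        (limit,)).fetchall()

def commands_by_session(db):
    """Map (source ip, session id) to the commands typed, for sessions that logged in."""
    rows = db.execute(
        "SELECT s.ip, s.id, i.input FROM sessions s JOIN input i ON i.session = s.id "
        "WHERE EXISTS (SELECT 1 FROM auth a WHERE a.session = s.id AND a.success = 1) "
        "ORDER BY s.starttime, i.timestamp").fetchall()
    report = {}
    for ip, session_id, command in rows:
        report.setdefault((ip, session_id), []).append(command)
    return report
```

To run the same queries on real data, pass a connection opened with sqlite3.connect("/home/cowrie/cowrie.db") instead of the sample database.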




I’ve enjoyed using cowrie on my latest setup with sqlite3.  It's been solid over the last week and I have not run into any issues.



Tom Webb

