- This is a fork of the offical Cowrie GitHub repository, used for a university project.
- The main purpose of this fork is to examine the potential of log anonymization.
Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker. In medium interaction mode (shell) it emulates a UNIX system in Python, in high interaction mode (proxy) it functions as an SSH and telnet proxy to observe attacker behavior to another system.
Cowrie is maintained by Michel Oosterhof.
The official Documentation can be found here.
This fork is intended to be used with Docker, so let's start:
Build the docker image:
$ git clone https://github.com/Stinktopf/cowrie.git $ cd cowrie $ make all docker-build
Start the container:
$ sudo docker run -d -p 2222:2222 cowrie/cowrie:<VERSION-RETURNED-BY-MAKE>
Access the honeypot:
$ ssh root@<IP-ADDRESS> -p 2222
Access the honeypot logs and files by copying the contents of the container to the host-machine:
$ sudo docker ps $ docker cp <CONTAINER-ID>:cowrie/cowrie-git/var/ ${PWD}/logs $ cd logs/var $ lsStop the container:
$ sudo docker ps $ docker stop <CONTAINER-NAME>
Configuring Cowrie in Docker
Cowrie in Docker can be configured using environment variables. The variables start with COWRIE then have the section name in capitals, followed by the stanza in capitals. An example is below to enable telnet support:
COWRIE_TELNET_ENABLED=yes
Alternatively, Cowrie in Docker can use an etc volume to store configuration data. Create cowrie.cfg inside the etc volume with the following contents to enable telnet in your Cowrie Honeypot in Docker:
[telnet] enabled = yes
Software required to run locally:
- Docker
- Make
- etc/cowrie.cfg - Cowrie's configuration file. Default values can be found in etc/cowrie.cfg.dist.
- share/cowrie/fs.pickle - fake filesystem
- etc/userdb.txt - credentials to access the honeypot
- honeyfs/ - file contents for the fake filesystem - feel free to copy a real system here or use bin/fsctl
- honeyfs/etc/issue.net - pre-login banner
- honeyfs/etc/motd - post-login banner
- var/log/cowrie/cowrie.json - transaction output in JSON format
- var/log/cowrie/cowrie.log - log/debug output
- var/lib/cowrie/tty/ - session logs, replayable with the bin/playlog utility.
- var/lib/cowrie/downloads/ - files transferred from the attacker to the honeypot are stored here
- share/cowrie/txtcmds/ - file contents for simple fake commands
- bin/createfs - used to create the fake filesystem
- bin/playlog - utility to replay session logs