cowrie v2.2 releases: Cowrie SSH/Telnet Honeypot

by do son · Published April 4, 2019 · Updated November 11, 2020

What is Cowrie

Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.

Cowrie is developed by Michel Oosterhof.

Some interesting features:

Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
Possibility of adding fake file contents so the attacker can cat files such as /etc/passwd. Only minimal file contents are included
Session logs stored in an UML Compatible format for easy replay with original timings
Cowrie saves files downloaded with wget/curl or uploaded with SFTP and SCP for later inspection

Additional functionality over standard kippo:

cowrie.cfg – Cowrie’s configuration file. Default values can be found in cowrie.cfg.dist
data/fs.pickle – fake filesystem
data/userdb.txt – credentials allowed or disallowed to access the honeypot
dl/ – files transferred from the attacker to the honeypot are stored here
honeyfs/ – file contents for the fake filesystem – feel free to copy a real system here or use bin/fsctl
log/cowrie.json – transaction output in JSON format
log/cowrie.log – log/debug output
log/tty/*.log – session logs
txtcmds/ – file contents for the fake commands
bin/createfs – used to create the fake filesystem
bin/playlog – utility to replay session logs