cowrie v2.2 releases: Cowrie SSH/Telnet Honeypot
What is Cowrie
Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.
Cowrie is developed by Michel Oosterhof.
Some interesting features:
- Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
- Possibility of adding fake file contents so the attacker can cat files such as /etc/passwd. Only minimal file contents are included
- Session logs stored in a UML-compatible format for easy replay with original timings
- Cowrie saves files downloaded with wget/curl or uploaded with SFTP and SCP for later inspection
Additional functionality over standard kippo:
- SFTP and SCP support for file upload
- Support for SSH exec commands
- Logging of direct-tcp connection attempts (ssh proxying)
- Forward SMTP connections to SMTP Honeypot (e.g. mailoney)
- Logging in JSON format for easy processing in log management solutions
- Many, many additional commands
Files of interest:
- cowrie.cfg – Cowrie’s configuration file. Default values can be found in
- data/fs.pickle – fake filesystem
- data/userdb.txt – credentials allowed or disallowed to access the honeypot
- dl/ – files transferred from the attacker to the honeypot are stored here
- honeyfs/ – file contents for the fake filesystem – feel free to copy a real system here or use
- log/cowrie.json – transaction output in JSON format
- log/cowrie.log – log/debug output
- log/tty/*.log – session logs
- txtcmds/ – file contents for the fake commands
- bin/createfs – used to create the fake filesystem
- bin/playlog – utility to replay session logs
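To show what processing log/cowrie.json in a log pipeline can look like, here is an added example (not part of Cowrie or of this page) that groups events per source IP and tags brute-force, interactive and file-dropping sources. The event ids and field names (eventid, src_ip, username, password, input, url, shasum) are assumed from Cowrie's JSON output and are not listed on this page; the sample lines, the tag names and the threshold are constructed for illustration.

```python
import json
from collections import Counter, defaultdict

# Constructed sample shaped like log/cowrie.json (one JSON object per line); the last line is cut off on purpose.
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.10","session":"s1","username":"root","password":"123456"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.10","session":"s1","username":"root","password":"admin"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.10","session":"s2","username":"admin","password":"admin"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.7","session":"s3","username":"root","password":"root"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"s3","input":"cat /etc/passwd"}
{"eventid":"cowrie.session.file_download","src_ip":"198.51.100.7","session":"s3","url":"http://example.invalid/x.sh","shasum":"<sha256-placeholder>"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.5","session":"s4","username":"pi","pass
"""

def summarize(lines, brute_threshold=3):
    """Aggregate Cowrie JSON events per source IP and tag each source."""
    stats = defaultdict(lambda: {"failed": 0, "logins": [], "commands": [], "downloads": []})
    passwords, skipped = Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # partial line, e.g. read while the log is still being written
            continue
        s = stats[ev.get("src_ip", "unknown")]
        eid = ev.get("eventid", "")
        if eid == "cowrie.login.failed":
            s["failed"] += 1
            passwords[ev.get("password", "")] += 1  # which guesses are being sprayed
        elif eid == "cowrie.login.success":
            s["logins"].append((ev.get("username"), ev.get("password")))
        elif eid == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))
        elif eid == "cowrie.session.file_download":
            s["downloads"].append((ev.get("url"), ev.get("shasum")))
    report = {}
    for ip, s in stats.items():
        checks = {"brute-force": s["failed"] >= brute_threshold,
                  "interactive": bool(s["logins"] and s["commands"]),
                  "dropped-file": bool(s["downloads"])}
        report[ip] = {**s, "tags": [tag for tag, hit in checks.items() if hit]}
    return report, passwords.most_common(5), skipped

if __name__ == "__main__":
    for ip, r in sorted(summarize(SAMPLE_LOG.splitlines())[0].items()):
        print(ip, r["tags"], r["failed"], r["commands"], r["downloads"])
```

Files referenced by a "dropped-file" entry are the ones Cowrie keeps under dl/ for later inspection.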
- Deprecate Python 2.7 and 3.5
- Command substitution with backticks (PeterSufliarsky)
- chmod command-line parsing (PeterSufliarsky)
- Enhanced command substitution functionality.
- Fix nc hang
- Rename built-in user phil, it’s used as a detection mechanism.
- Binary support for grep and other commands
- Azure Sentinel output plugin
Docker versions are available.
- Get the Dockerfile directly at
- Run from the Docker registry with:
docker pull cowrie/cowrie
Copyright (c) 2009 UPI Tamminen All rights reserved.