Hello folks,

I'd like to use Kibana to visualize the events in the Cowrie log and have been failing so far. Yes, I have read this article and also issue #402, as well as the documentation.

To begin with, my setup is fairly simple - just one Cowrie honeypot and ELK installed on the same machine (and supposed to be used on the same machine). So, I don't need Filebeat to ship logs to another machine, correct? Also, I gather from issue #402 that I no longer need an nginx server like the first article mentioned above says, yes?

So far I've done the following:

1. Installed elasticsearch, logstash and kibana on the same virtual machine where Cowrie is.
2. Created /var/log/kibana and modified /etc/kibana/kibana.yml according to the documentation.
3. Downloaded the GeoIP data and put it in /var/opt/logstash/vendor/geoip/.
4. Copied cowrie/doc/elk/logstash-cowrie.conf to /etc/logstash/conf.d/ after modifying some paths to make sure they reflect my environment.
5. Started the service logstash.

However, the file /tmp/cowrie-logstash.log is not created. What am I missing? Do I need to change some ownerships - e.g., stuff in /etc/logstash/ is currently owned by root.

Also, does this mean that with this setup Kibana can visualize only one day's worth of data? The file cowrie.json gets renamed after midnight and a new one is created.

I ran a pretty much out-of-the-box Cowrie installation on a virtual machine for a couple of hours. Although the logs show that various Mirai variants have hit 127 times, to my amazement not even a single sample was captured. Going through the logs, I can identify the following cases:

1. In the vast majority of cases the capturing has failed because of this issue. The discussion of the issue suggests that a hotfix for the problem is available - could we get it merged to master, please?

2. The second case looks like pretty much a standard Mirai; I do not understand what exactly is failing. It seems to me that the honeypot is providing the right answers. Here is a sample session from the logs:

2017-01-16T18:32:58+0200 [cowrie.telnet.transport.HoneyPotTelnetFactory] New connection: 109.236.92.144:55305 (192.168.0.104:23) [session: TT10]
2017-01-16T18:33:01+0200 [CowrieTelnetTransport,10,109.236.92.144] login attempt [root/anko] succeeded
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Opening TTY Log: log/tty/20170116-183302-None-10i.log
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: enable
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: enable 
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Reading txtcmd from "txtcmds/bin/enable"
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: shell
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command not found: shell
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: sh
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: sh 
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: /bin/busybox ECCHI
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox ECCHI
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: /bin/busybox ps; /bin/busybox ECCHI
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox ps
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: ps
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox ECCHI
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: /bin/busybox cat /proc/mounts; /bin/busybox ECCHI
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox cat /proc/mounts
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: cat /proc/mounts
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox ECCHI
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: /bin/busybox echo -e '\x6b\x61\x6d\x69/dev' > /dev/.nippon; /bin/busybox cat /dev/.nippon; /bin/busybox rm /dev/.nippon
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox echo -e '\x6b\x61\x6d\x69/dev' > /dev/.nippon
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: echo -e '\x6b\x61\x6d\x69/dev'
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox cat /dev/.nippon
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: cat /dev/.nippon
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox rm /dev/.nippon
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: rm /dev/.nippon
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: /bin/busybox ECCHI
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox ECCHI
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: cd /
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: cd /
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: /bin/busybox cp /bin/echo dvrHelper; >dvrHelper; /bin/busybox chmod 777 dvrHelper; /bin/busybox ECCHI
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox cp /bin/echo dvrHelper
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: cp /bin/echo dvrHelper
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: > dvrHelper
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox chmod 777 /dvrHelper
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: chmod 777 /dvrHelper
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox ECCHI
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: /bin/busybox cat /bin/echo
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox cat /bin/echo
2017-01-16T18:33:02+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: cat /bin/echo
2017-01-16T18:33:03+0200 [CowrieTelnetTransport,10,109.236.92.144] CMD: /bin/busybox ECCHI
2017-01-16T18:33:03+0200 [CowrieTelnetTransport,10,109.236.92.144] Command found: /bin/busybox ECCHI
2017-01-16T18:35:04+0200 [CowrieTelnetTransport,10,109.236.92.144] Closing TTY Log: log/tty/20170116-183302-None-10i.log after 121 seconds
2017-01-16T18:35:04+0200 [CowrieTelnetTransport,10,109.236.92.144] honeypot terminal protocol connection lost [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.ConnectionDone'>: Connection was closed cleanly.
2017-01-16T18:35:04+0200 [CowrieTelnetTransport,10,109.236.92.144] Connection lost after 126 seconds

3. The third case is completely weird, it seems that the bot is sending commands containing '0x00' characters? Here is a sample session log:

2017-01-16T18:32:34+0200 [cowrie.telnet.transport.HoneyPotTelnetFactory] New connection: 122.224.33.171:31513 (192.168.0.104:23) [session: TT8]
2017-01-16T18:32:36+0200 [CowrieTelnetTransport,8,122.224.33.171] login attempt [root/888888] succeeded
2017-01-16T18:32:36+0200 [CowrieTelnetTransport,8,122.224.33.171] Opening TTY Log: log/tty/20170116-183236-None-8i.log
2017-01-16T18:32:36+0200 [CowrieTelnetTransport,8,122.224.33.171] Warning: state changed and new state returned
2017-01-16T18:32:36+0200 [CowrieTelnetTransport,8,122.224.33.171] Received unhandled keyID: '\x00'
2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] CMD: enable
2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] Command found: enable 
2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] Reading txtcmd from "txtcmds/bin/enable"
2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] Received unhandled keyID: '\x00'
2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] CMD: system
2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] Command not found: system
2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] Received unhandled keyID: '\x00'
2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] CMD: shell
2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] Command not found: shell
2017-01-16T18:32:37+0200 [CowrieTelnetTransport,8,122.224.33.171] Received unhandled keyID: '\x00'
2017-01-16T18:32:38+0200 [CowrieTelnetTransport,8,122.224.33.171] CMD: sh
2017-01-16T18:32:38+0200 [CowrieTelnetTransport,8,122.224.33.171] Command found: sh 
2017-01-16T18:32:38+0200 [CowrieTelnetTransport,8,122.224.33.171] Received unhandled keyID: '\x00'
2017-01-16T18:32:38+0200 [CowrieTelnetTransport,8,122.224.33.171] CMD: /bin/busybox MIRAI
2017-01-16T18:32:38+0200 [CowrieTelnetTransport,8,122.224.33.171] Command found: /bin/busybox MIRAI
2017-01-16T18:32:39+0200 [CowrieTelnetTransport,8,122.224.33.171] Closing TTY Log: log/tty/20170116-183236-None-8i.log after 2 seconds
2017-01-16T18:32:39+0200 [CowrieTelnetTransport,8,122.224.33.171] honeypot terminal protocol connection lost [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.ConnectionDone'>: Connection was closed cleanly.
2017-01-16T18:32:39+0200 [CowrieTelnetTransport,8,122.224.33.171] Connection lost after 4 seconds

Hello folks,

Elasticsearch crapped very badly on me and I had to rebuild the whole database from scratch, so I don't trust it any more. Unfortunately, Kibana depends on it, which means that if I scrap it, I won't be able to use Kibana for visualizations. However, a colleague told me that he could very easily make the visualizations I currently use if the data is in a MySQL database. So, I am not trying to make Cowrie save its data in such a database. Unfortunately, I am also failing miserably, so I could use your help.

To begin with, I followed this guide. It's from a couple of years ago, but it seems mostly actual, because everything worked - the database was created with the corresponding tables and structure. I have modified the [output_mysql] section in cowrie.cfg accordingly, to specify the host containing the database, user name, password, etc. I used a stand-alone Python script to check that I can indeed connect to the database from the machine on which Cowrie is running and do some trivial stuff, like getting the MySQL version.

Unfortunately, when I start Cowrie, I get the error message

'Failed to load output engine: mysql due to ImportError: No module named MySQLdb'

Now, the module mysql-python is installed - I installed it while following the guide mentioned above. But it wasn't installed (yet) when I installed Cowrie, months ago. I guess that means it isn't installed in the virtual environment cowrie-env? How do I install it there? (I was hoping that the virtual environment would see modules that are globally installed on the system, but I guess it doesn't.) I hope I don't need to scrap the whole Cowrie installation and re-install it from scratch?

this errors displayed Starting cowrie with extra arguments [] ... Unhandled Error Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 579, in parseOptions usage.Options.parseOptions(self, options) File "/usr/lib/python2.7/dist-packages/twisted/python/usage.py", line 262, in parseOptions for (cmd, short, parser, doc) in self.subCommands: File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 596, in subCommands for plug in sorted(plugins, key=attrgetter('tapname')): File "/usr/lib/python2.7/dist-packages/twisted/plugin.py", line 213, in getPlugins allDropins = getCache(package) --- --- File "/usr/lib/python2.7/dist-packages/twisted/plugin.py", line 171, in getCache provider = pluginModule.load() File "/usr/lib/python2.7/dist-packages/twisted/python/modules.py", line 389, in load return self.pathEntry.pythonPath.moduleLoader(self.name) File "/usr/lib/python2.7/dist-packages/twisted/python/reflect.py", line 303, in namedAny topLevelPackage = _importAndCheckStack(trialname) File "/usr/lib/python2.7/dist-packages/twisted/python/reflect.py", line 250, in _importAndCheckStack reraise(excValue, excTraceback) File "/home/cowrie/cowrie/twisted/plugins/cowrie_plugin.py", line 46, in from cowrie.core.config import readConfigFile File "/home/cowrie/cowrie/cowrie/core/config.py", line 8, in import configparser exceptions.ImportError: No module named configparser

Unhandled Error Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/twisted/python/usage.py", line 447, in str return self.getSynopsis() + '\n' + self.getUsage(width=None) File "/usr/lib/python2.7/dist-packages/twisted/python/usage.py", line 483, in getUsage for (cmd, short, parser, desc) in self.subCommands: File "/usr/lib/python2.7/dist-packages/twisted/application/app.py", line 596, in subCommands for plug in sorted(plugins, key=attrgetter('tapname')): File "/usr/lib/python2.7/dist-packages/twisted/plugin.py", line 213, in getPlugins allDropins = getCache(package) --- --- File "/usr/lib/python2.7/dist-packages/twisted/plugin.py", line 171, in getCache provider = pluginModule.load() File "/usr/lib/python2.7/dist-packages/twisted/python/modules.py", line 389, in load return self.pathEntry.pythonPath.moduleLoader(self.name) File "/usr/lib/python2.7/dist-packages/twisted/python/reflect.py", line 303, in namedAny topLevelPackage = _importAndCheckStack(trialname) File "/usr/lib/python2.7/dist-packages/twisted/python/reflect.py", line 250, in _importAndCheckStack reraise(excValue, excTraceback) File "/home/cowrie/cowrie/twisted/plugins/cowrie_plugin.py", line 46, in from cowrie.core.config import readConfigFile File "/home/cowrie/cowrie/cowrie/core/config.py", line 8, in import configparser exceptions.ImportError: No module named configparser

Usage: twistd [options] Options: --savestats save the Stats object rather than the text output of the profiler. -o, --no_save do not save state on shutdown -e, --encrypted The specified tap/aos file is encrypted. -n, --nodaemon don't daemonize, don't use default umask of 0077 --originalname Don't try to change the process name --syslog Log to syslog, not to file --euid Set only effective user-id rather than real user-id. (This option has no effect unless the server is running as root, in which case it means not to shed all privileges after binding ports, retaining the option to regain privileges in cases such as spawning processes. Use with caution.) -l, --logfile= log to a specified file, - for stdout --logger= A fully-qualified name to a log observer factory to use for the initial log observer. Takes precedence over --logfile and --syslog (when available). -p, --profile= Run in profile mode, dumping results to specified file. --profiler= Name of the profiler to use (profile, cprofile). [default: cprofile] -f, --file= read the given .tap file [default: twistd.tap] -y, --python= read an application from within a Python file (implies -o) -s, --source= Read an application from a .tas file (AOT format). -d, --rundir= Change to a supplied directory before running [default: .] --prefix= use the given prefix when syslogging [default: twisted] --pidfile= Name of the pidfile [default: twistd.pid] --chroot= Chroot to a supplied directory before running -u, --uid= The uid to run as. -g, --gid= The gid to run as. --umask= The (octal) file creation mask to apply. --help-reactors Display a list of possibly available reactor names. --version Print version information and exit. --spew Print an insanely verbose log of everything that happens. Useful when debugging freezes or locks in complex code. -b, --debug Run the application in the Python Debugger (implies nodaemon), sending SIGUSR2 will drop into debugger -r, --reactor= Which reactor to use (see --help-reactors for a list of possibilities) --help Display this help and exit.

twistd reads a twisted.application.service.Application out of a file and runs it. Commands: conch A Conch SSH service. dns A domain name server. ftp An FTP server. inetd An inetd(8) replacement. mail An email service manhole An interactive remote debugger service accessible via telnet and ssh and providing syntax coloring and basic line editing functionality. manhole-old An interactive remote debugger service. news A news server. portforward A simple port-forwarder. procmon A process watchdog / supervisor socks A SOCKSv4 proxy service. telnet A simple, telnet-based remote debugging service. web A general-purpose web server which can serve from a filesystem or application resource. words A modern words server xmpp-router An XMPP Router server

In the database, only table sessions' has many data, the other tables such asauth,clients,input,ttyloghave no data. Andlog/cowrie.logandlog/cowrie.jsonhave become binary files... What's the matter?... Here are the screenshots: ![zj1 qzbl r0g 4lj a qb](https://cloud.githubusercontent.com/assets/17915615/19677173/9e3e8ea6-9aca-11e6-9c18-53d88e7605e2.png) ![ut1 5_7k 7qrggv4b7pdith](https://cloud.githubusercontent.com/assets/17915615/19677209/c6d128e2-9aca-11e6-9e2e-e5f2b20fadf8.png) ![9tl8 i r pn80bh 1j olr](https://cloud.githubusercontent.com/assets/17915615/19677228/dbc4b962-9aca-11e6-8fec-573ca4a6df38.png) ![ceppb dwca w r4 if 4 d](https://cloud.githubusercontent.com/assets/17915615/19677240/eec24a34-9aca-11e6-9c1f-5eba6fedd259.png) ![cllo45bi hr n14ysdsw_vi](https://cloud.githubusercontent.com/assets/17915615/19677266/0d140bda-9acb-11e6-8503-ebc1fc94d3a2.png) ![gsz g 6 04mj5vp0u n](https://cloud.githubusercontent.com/assets/17915615/19677314/4be3439e-9acb-11e6-8c03-d4bd6132f799.png) In tablesensors`, the ip is my server ip...

I know that when Cowrie produces a JSON log, the timestamps there are in UTC. But how are they stored in a MySQL database?

I'm asking because I hit some rather bizarre problem. I'm trying to make a simple graph of the number of login attempts for every hour using Grafana as the visualizer. The graph looks fine but the time (the X-axis) is shifted by 3 hours.

My local time zone is UTC+3 right now (GMT+2 geographically, plus 1 hour daylight savings). Grafana is configured to display times in the local time zone of the viewer. One explanation for the mismatch could be that the data itself is wrong - i.e., is stored in local time in the database, instead of in UTC.

The problem is, I can't figure out exactly what is happening. Cowrie writes the data to the database using the STR_TO_DATE() MySQL function, which takes two arguments - the date itself (presumably in UTC, because it's the same thing that's written to the JSON log?) and a format string, which is set to '%Y-%m-%dT%H:%i:%s.%fZ'. Doesn't this mean that the timestamp ought to go as an UTC timestamp in the database? Besides, I've read somewhere that timestamp data is stored always as UTC timestamps by MySQL. Assuming that the time zone of my MySQL server is set to UTC+3, wouldn't that mean that an unnecessary conversion is made and 3 hours are subtracted from the timestamp?

Maybe Cowrie should set the time zone of its MySQL connection to UTC+0? Like

SET time_zone='+00:00';

I have an error in start.sh (I'm on Ubuntu 14.04) :

(envirt)michel@yotra:~/kippo/kippo-master$ ./start.sh twistd (the Twisted daemon) 16.0.0 Copyright (c) 2001-2016 Twisted Matrix Laboratories. See LICENSE for details. Starting kippo in the background... Unhandled Error Traceback (most recent call last): File "/home/michel/envirt/local/lib/python2.7/site-packages/Twisted-16.0.0-py2.7-linux-i686.egg/twisted/application/app.py", line 617, in run runApp(config) File "/home/michel/envirt/local/lib/python2.7/site-packages/Twisted-16.0.0-py2.7-linux-i686.egg/twisted/scripts/twistd.py", line 25, in runApp _SomeApplicationRunner(config).run() File "/home/michel/envirt/local/lib/python2.7/site-packages/Twisted-16.0.0-py2.7-linux-i686.egg/twisted/application/app.py", line 348, in run self.application = self.createOrGetApplication() File "/home/michel/envirt/local/lib/python2.7/site-packages/Twisted-16.0.0-py2.7-linux-i686.egg/twisted/application/app.py", line 413, in createOrGetApplication application = getApplication(self.config, passphrase) --- --- File "/home/michel/envirt/local/lib/python2.7/site-packages/Twisted-16.0.0-py2.7-linux-i686.egg/twisted/application/app.py", line 424, in getApplication application = service.loadApplication(filename, style, passphrase) File "/home/michel/envirt/local/lib/python2.7/site-packages/Twisted-16.0.0-py2.7-linux-i686.egg/twisted/application/service.py", line 411, in loadApplication passphrase) File "/home/michel/envirt/local/lib/python2.7/site-packages/Twisted-16.0.0-py2.7-linux-i686.egg/twisted/persisted/sob.py", line 224, in loadValueFromFile eval(codeObj, d, d) File "kippo.tac", line 26, in import kippo.core.auth File "/home/michel/kippo/kippo-master/kippo/core/auth.py", line 102, in class HoneypotPasswordChecker: File "/home/michel/kippo/kippo-master/kippo/core/auth.py", line 105, in HoneypotPasswordChecker credentialInterfaces = (credentials.IUsernamePassword, credentials.IPluggableAuthenticationModules) exceptions.AttributeError: 'module' object has no attribute 'IPluggableAuthenticationModules'

Failed to load application: 'module' object has no attribute 'IPluggableAuthenticationModules'

Please help me. Thanks

I have copied the userdb.example to userdb.txt in the etc folder, by running this command: cowrie@xxxx cp userdb.example eserdb.txt. I then stopped cowrie and started it again.

However, I still can access the honeypot with username root, and password root, even though in the userdb, it says root:x:!root

From the documentation, it seems that all I'd need to do to replace Cowrie's default filesystem is to do:

• Copy a new file system to honeyfs
• Run ./bin/createfs -l honeyfs -o data/fs.pickle

When I tried to do this from a OpenWRT filesystem, the commands executed successfully but commands in the honeypot (e.g. ls, cp, rm don't work). /bin/busybox works, but running /bin/busybox ls errors out with applet not found.

I'm using Python 3.5 on Ubuntu 16.04.

Been playing around with Cowrie and am loving it. But it won't stop for me unless I kill the process. I'm starting it by ~/cowrie/bin/./cowrie start. Doing a ~/cowrie/bin/./cowrie stop doesn't stop it though. There is no error message at console from the stop command and it just returns me to a prompt after I push enter.

I have to lookup the process with "ps aux" and kill it by the PID. Is this normal? Running Ubuntu Server 16.

Hi Michel,

I can't explain why but my Cowrie doesn't accept the usual commands like "ls", "cat", "ping" bash: cat: command not found bash: ls: command not found

wget, curl, help, the (customized) txtcmds works fine.

I'm running Centos 7, I have customized the honeyfs files, txtcmds and generated a filesystem with createfs.py (cleaned with fsctl.py)

Any hints ?

Regards.

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `pip` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • requirements-output.txt

slackclient 2.9.4 requires aiohttp, which is not installed.
service-identity 21.1.0 requires cryptography, which is not installed.
pyOpenSSL 22.1.0 requires cryptography, which is not installed.
geoip2 4.6.0 requires aiohttp, which is not installed.

Vulnerabilities that will be fixed

By pinning:

Severity | Priority Score (*) | Issue | Upgrade | Breaking Change | Exploit Maturity :-------------------------:|-------------------------|:-------------------------|:-------------------------|:-------------------------|:------------------------- | 551/1000
Why? Recently disclosed, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS)
SNYK-PYTHON-SETUPTOOLS-3180412 | setuptools:
39.0.1 -> 65.5.1
| No | No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `pip` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • requirements.txt

service-identity 21.1.0 requires cryptography, which is not installed.
pyOpenSSL 22.1.0 requires cryptography, which is not installed.

Vulnerabilities that will be fixed

By pinning:

Severity | Priority Score (*) | Issue | Upgrade | Breaking Change | Exploit Maturity :-------------------------:|-------------------------|:-------------------------|:-------------------------|:-------------------------|:------------------------- | 551/1000
Why? Recently disclosed, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS)
SNYK-PYTHON-SETUPTOOLS-3180412 | setuptools:
39.0.1 -> 65.5.1
| No | No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

Hello,

i have new cowrie installation under python 3.9.13 virtualenv List of packages:

Package            Version
------------------ ---------
appdirs            1.4.4
attrs              22.1.0
Automat            22.10.0
bcrypt             4.0.1
certifi            2022.9.24
cffi               1.15.1
charset-normalizer 2.1.1
configparser       5.2.0
constantly         15.1.0
cryptography       38.0.4
hyperlink          21.0.0
idna               3.4
incremental        22.10.0
mysql-connector    2.2.9
packaging          21.3
pip                22.3.1
pyasn1             0.4.8
pyasn1-modules     0.2.8
pycparser          2.21
pyOpenSSL          22.1.0
pyparsing          3.0.9
python-dateutil    2.8.2
requests           2.28.1
service-identity   21.1.0
setuptools         65.6.3
six                1.16.0
tftpy              0.8.2
treq               22.2.0
Twisted            22.4.0
typing_extensions  4.4.0
urllib3            1.26.13
wheel              0.38.4
zope.interface     5.5.2

i am getting below error in cowrie.log

2022-12-06T07:29:34.709158Z [HoneyPotSSHTransport,3,xx.xx.xx.xx] Rollback failed
        Traceback (most recent call last):
          File "/home/cowrie/cowrie-env/lib/python3.9/site-packages/twisted/python/threadpool.py", line 260, in <lambda>
            inContext.theWork = lambda: context.call(  # type: ignore[attr-defined]
          File "/home/cowrie/cowrie-env/lib/python3.9/site-packages/twisted/python/context.py", line 117, in callWithContext
            return self.currentContext().callWithContext(ctx, func, *args, **kw)
          File "/home/cowrie/cowrie-env/lib/python3.9/site-packages/twisted/python/context.py", line 82, in callWithContext
            return func(*args, **kw)
          File "/home/cowrie/COWRIE/src/cowrie/output/mysql.py", line 38, in _runInteraction
            return adbapi.ConnectionPool._runInteraction(self, interaction, *args, **kw)
        --- <exception caught here> ---
          File "/home/cowrie/cowrie-env/lib/python3.9/site-packages/twisted/enterprise/adbapi.py", line 449, in _runInteraction
            conn.rollback()
          File "/home/cowrie/cowrie-env/lib/python3.9/site-packages/twisted/enterprise/adbapi.py", line 66, in rollback
            raise ConnectionLost()
        twisted.enterprise.adbapi.ConnectionLost: 

2022-12-06T07:29:34.709757Z [-] output_mysql: MySQL Error: (-1, 'No result set to fetch from.', None)

Snyk has created this PR to fix one or more vulnerable packages in the `pip` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • requirements-output.txt

slackclient 2.9.4 requires aiohttp, which is not installed.
service-identity 21.1.0 requires cryptography, which is not installed.
pyOpenSSL 22.1.0 requires cryptography, which is not installed.
mysql-connector-python 8.0.31 has requirement protobuf<=3.20.1,>=3.11.0, but you have protobuf 4.21.10.
geoip2 4.6.0 requires aiohttp, which is not installed.

Vulnerabilities that will be fixed

By pinning:

Severity | Issue | Upgrade | Breaking Change | Exploit Maturity :-------------------------:|:-------------------------|:-------------------------|:-------------------------|:------------------------- | Denial of Service (DoS)
SNYK-PYTHON-PROTOBUF-3031740 | protobuf:
3.20.1 -> 3.20.2
| No | No Known Exploit

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

Hello,

I am trying to deploy cowrie in proxy mode with the following settings:

backend = proxy

# Guest details (for a generic x86-64 guest, like Ubuntu)
guest_hypervisor = qemu

backend = pool
backend_ssh_host = localhost
backend_ssh_port = 2022

pool_max_vms = 4
pool = local

# Endpoint to listen on for incoming SSH connections.
listen_endpoints = tcp:9090:interface=0.0.0.0

Everything excluded is set to default value, except for the real backend credentials. Iptables are configured to redirect port 22 to port 9090.

Successfully logging to the honeypot through Putty does not redirect me to VM, instead it shows the following error message:

This is how it looks in logs:

2022-11-15T14:40:02.714110Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: x.x.x.x:x (10.0.0.4:9090) [session: 11699cf73924]
2022-11-15T14:40:02.724076Z [FrontendSSHTransport,520,x.x.x.x] Remote SSH version: SSH-2.0-PuTTY_Release_0.76
2022-11-15T14:40:02.733713Z [backend_pool.pool_server.PoolServerFactory] Received connection from 127.0.0.1:41042
2022-11-15T14:40:02.734290Z [Uninitialized] Connected to backend pool
2022-11-15T14:40:02.734577Z [PoolServer,521,127.0.0.1] Requesting a VM for attacker @ x.x.x.x
2022-11-15T14:40:02.734771Z [PoolServer,521,127.0.0.1] Providing VM id 0
2022-11-15T14:40:02.735102Z [PoolClient,client] Got backend data from pool: 192.168.150.217:22
2022-11-15T14:40:02.735196Z [PoolClient,client] Snapshot file: /home/cowrie/cowrie/var/lib/cowrie/snapshots/snapshot-ubuntu18.04-75999260d50340aa9098062da1650500.qcow2
2022-11-15T14:40:02.735334Z [cowrie.ssh_proxy.client_transport.BackendSSHFactory#info] Starting factory <cowrie.ssh_proxy.client_transport.BackendSSHFactory object at 0x7f8a9c87f370>
2022-11-15T14:40:02.782461Z [FrontendSSHTransport,520,x.x.x.x] SSH client hassh fingerprint: 5b7713a9ef2d162b16ea018fa8d40f02
2022-11-15T14:40:02.783927Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] kex alg=b'curve25519-sha256' key alg=b'ssh-ed25519'
2022-11-15T14:40:02.784027Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] outgoing: b'aes256-ctr' b'hmac-sha1' b'none'
2022-11-15T14:40:02.784101Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] incoming: b'aes256-ctr' b'hmac-sha1' b'none'
2022-11-15T14:40:02.850464Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] NEW KEYS
2022-11-15T14:40:02.850962Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#debug] starting service b'ssh-userauth'
2022-11-15T14:40:04.530477Z [Uninitialized] Connected to SSH backend at b'192.168.150.217'
2022-11-15T14:40:04.530869Z [Uninitialized] Connected to honeypot backend
2022-11-15T14:40:05.694227Z [cowrie.ssh_proxy.userauth.ProxySSHAuthServer#debug] b'student' trying auth b'none'
2022-11-15T14:40:10.343627Z [FrontendSSHTransport,520,x.x.x.x] Connection to backend not ready, buffering packet from frontend
2022-11-15T14:40:10.344638Z [cowrie.ssh_proxy.userauth.ProxySSHAuthServer#debug] b'student' trying auth b'password'
2022-11-15T14:40:10.345534Z [FrontendSSHTransport,520,x.x.x.x] login attempt [b'student'/b'student'] succeeded
2022-11-15T14:40:10.362593Z [FrontendSSHTransport,520,x.x.x.x] Initialized emulated server as architecture: linux-x64-lsb
2022-11-15T14:40:10.419995Z [FrontendSSHTransport,520,x.x.x.x] Connection to backend not ready, buffering packet from frontend
# this might be the point, where the error shows up
2022-11-15T14:40:33.175725Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] kex alg=b'curve25519-sha256' key alg=b'ecdsa-sha2-nistp256'
2022-11-15T14:40:33.176223Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] outgoing: b'aes256-ctr' b'hmac-sha2-512' b'none'
2022-11-15T14:40:33.176309Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] incoming: b'aes256-ctr' b'hmac-sha2-512' b'none'
2022-11-15T14:40:41.233811Z [cowrie.ssh_proxy.client_transport.BackendSSHTransport#debug] NEW KEYS
2022-11-15T14:40:41.234285Z [BackendSSHTransport,client] Backend Connection Secured
2022-11-15T14:40:41.251355Z [BackendSSHTransport,client] Will auth with backend: x/x
2022-11-15T14:40:41.251870Z [BackendSSHTransport,client] got channel b'session' request
2022-11-15T14:40:54.764575Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#info] connection lost
2022-11-15T14:40:54.765091Z [FrontendSSHTransport,520,x.x.x.x] Connection lost after 50 seconds
2022-11-15T14:40:54.774787Z [BackendSSHTransport,client] Lost connection with the pool backend: id 0
2022-11-15T14:40:54.775126Z [cowrie.ssh_proxy.client_transport.BackendSSHFactory#info] Stopping factory <cowrie.ssh_proxy.client_transport.BackendSSHFactory object at 0x7f8a9c87f370>
2022-11-15T14:40:54.775420Z [PoolServer,521,127.0.0.1] Freeing VM 0

Sometimes there's different logged events after successful login attempt:

2022-11-15T01:00:45.902697Z [BackendSSHTransport,client] [SSH] Detected Public Key Auth - Disabling!
2022-11-15T01:00:53.399529Z [FrontendSSHTransport,57,x.x.x.x] Unhandled Error
        Traceback (most recent call last):
          File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/python/log.py", line 96, in callWithLogger
            return callWithContext({"system": lp}, func, *args, **kw)
          File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/python/log.py", line 80, in callWithContext
            return context.call({ILogContext: newCtx}, func, *args, **kw)
          File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/python/context.py", line 117, in callWithContext
            return self.currentContext().callWithContext(ctx, func, *args, **kw)
          File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/python/context.py", line 82, in callWithContext
            return func(*args, **kw)
        --- <exception caught here> ---
          File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/internet/posixbase.py", line 487, in _doReadOrWrite
            why = selectable.doRead()
          File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/internet/tcp.py", line 248, in doRead
            return self._dataReceived(data)
          File "/home/cowrie/cowrie/cowrie-env/lib/python3.8/site-packages/twisted/internet/tcp.py", line 253, in _dataReceived
            rval = self.protocol.dataReceived(data)
          File "/home/cowrie/cowrie/src/cowrie/ssh_proxy/server_transport.py", line 244, in dataReceived
            self.dispatchMessage(message_num, packet[1:])
          File "/home/cowrie/cowrie/src/cowrie/ssh_proxy/server_transport.py", line 261, in dispatchMessage
            self.packet_buffer(message_num, payload)
          File "/home/cowrie/cowrie/src/cowrie/ssh_proxy/server_transport.py", line 434, in packet_buffer
            self.sshParse.parse_num_packet("[SERVER]", message_num, payload)
          File "/home/cowrie/cowrie/src/cowrie/ssh_proxy/protocols/ssh.py", line 330, in parse_num_packet
            channel = self.get_channel(self.extract_int(4), parent)
          File "/home/cowrie/cowrie/src/cowrie/ssh_proxy/protocols/ssh.py", line 406, in get_channel
            if channel[search] == channel_num:
        builtins.KeyError: 'clientID'

2022-11-15T01:00:53.401422Z [cowrie.ssh_proxy.server_transport.FrontendSSHTransport#info] connection lost

I tried using terminal to log in instead, this however produces different, but still unsuccessful results:

Error message:

dispatch_protocol_error: type 7 seq 7
Connection to x closed by remote host.
Connection to x closed.

Logged events are the same.

Expected behavior After successful authentication cowrie connects attacker with the VM.

Server (please complete the following information):

• OS: Linux cowrie 5.15.0-1022-azure 27~20.04.1-Ubuntu SMP x86_64 x86_64 x86_64 GNU/Linux
• Python: Python 3.8.10