Rooba
/
cowrie
mirror of https://github.com/cowrie/cowrie.git
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity
cowrie/docs/OUTPUT.rst

182 lines
2.8 KiB
ReStructuredText
Raw Normal View History

7may (#1558) * restructure documentation headings * add output eventid reference guide * rename all classes with capitals * more typing
2021-05-08 16:45:12 +00:00
Output Event Code Reference
###########################
This guide documents the event id's used by Cowrie that are sent to the output modules, such as the JSON logging module.
Reference
*********
Shared Attributes
=================
These attributes are shared by all messages.
Attributes:
* `message`: human readable message
* `sensor`: name of the sensor, by default the hostname
* `timestamp`: timestamp in ISO8601 format in UTC time zone
* `src_ip`: attacker IP address
* `session`: unique session identifier
cowrie.client.fingerprint
=========================
If the attacker attemps to log in with an SSH public key this is logged here
Attributes:
* `username`: username
* `fingerprint`: the key fingerprint
* `key`: the key
* `type`: type of key, typically ssh-rsa or ssh-dsa
cowrie.login.success
====================
Successful authentication.
Attributes:
* username
* password
cowrie.login.failed
===================
Failed authentication.
Attributes:
* username
* password
cowrie.client.size
===================
Width and height of the users terminal as communicated through the SSH protocol.
Attributes:
* width
* height
cowrie.session.file_upload
==========================
File uploaded to Cowrie, generaly through SFTP or SCP or another way.
Attributes:
* filename
* outfile
* shasum
cowrie.command.input
====================
Command line input
Attributes:
* input
cowrie.virustotal.scanfile
==========================
File sent to VT for scanning
Attributes:
* sha256
* is_new
* positives
* total
cowrie.session.connect
==========================
New connection
Attributes:
* src_ip
* src_port
* dst_ip
* dst_port
cowrie.client.version
=====================
SSH identification string
Attributes:
* version
cowrie.client.kex
=====================
SSH Key Exchange Attributes
Attributes:
* hassh
* hasshAlgorithms
* kexAlgs
* keyAlgs
cowrie.session.closed
=====================
Session closed
Attributes:
* duration
cowrie.log.closed
=====================
TTY Log closed
Attributes:
* `duration`: duration of session in seconds
* `ttylog`: filename of session log that can be replayed with ``bin/playlog``
* `size`: size in bytes
* `shasum`: SHA256 checksum of the attacker input only (honeypot generated output is not included)
* `duplicate`: whether this is the first time this attack has been seen
cowrie.direct-tcpip.request
===========================
Request for proxying via the honeypot
Attributes:
* dst_ip
* dst_port
* src_ip
* src_port
cowrie.direct-tcpip.data
===========================
Data attempted to be sent through direct-tcpip forwarding
Attributes:
* dst_ip
* dst_port
cowrie.client.var
=================
Attributes:
* name
* value