2010-10-31 12:20:07 +00:00
|
|
|
#
|
2015-05-12 14:57:29 +00:00
|
|
|
# Cowrie configuration file (cowrie.cfg)
|
2010-10-31 12:20:07 +00:00
|
|
|
#
|
|
|
|
|
|
2009-11-22 06:56:30 +00:00
|
|
|
[honeypot]
|
2010-10-31 12:20:07 +00:00
|
|
|
|
2015-05-12 14:57:29 +00:00
|
|
|
# Sensor name use to identify this cowrie instance. Used by the database
|
2014-12-09 09:25:15 +00:00
|
|
|
# logging modules such as mysql.
|
|
|
|
|
#
|
|
|
|
|
# If not specified, the logging modules will instead use the IP address of the
|
|
|
|
|
# connection as the sensor name.
|
|
|
|
|
#
|
|
|
|
|
# (default: not specified)
|
|
|
|
|
#sensor_name=myhostname
|
|
|
|
|
|
2010-10-31 12:20:07 +00:00
|
|
|
# IP addresses to listen for incoming SSH connections.
|
|
|
|
|
#
|
|
|
|
|
# (default: 0.0.0.0) = any address
|
2015-02-19 06:51:11 +00:00
|
|
|
#listen_addr = 0.0.0.0
|
2010-10-31 12:20:07 +00:00
|
|
|
|
|
|
|
|
# Port to listen for incoming SSH connections.
|
|
|
|
|
#
|
|
|
|
|
# (default: 2222)
|
2015-02-19 06:51:11 +00:00
|
|
|
#listen_port = 2222
|
2010-10-31 12:20:07 +00:00
|
|
|
|
|
|
|
|
# Hostname for the honeypot. Displayed by the shell prompt of the virtual
|
|
|
|
|
# environment.
|
|
|
|
|
#
|
2015-05-13 06:40:21 +00:00
|
|
|
# (default: svr04)
|
|
|
|
|
hostname = svr04
|
2010-10-31 12:20:07 +00:00
|
|
|
|
|
|
|
|
# Directory where to save log files in.
|
|
|
|
|
#
|
|
|
|
|
# (default: log)
|
2009-11-22 06:56:30 +00:00
|
|
|
log_path = log
|
2010-10-31 12:20:07 +00:00
|
|
|
|
|
|
|
|
# Directory where to save downloaded (malware) files in.
|
|
|
|
|
#
|
|
|
|
|
# (default: dl)
|
2009-11-22 06:56:30 +00:00
|
|
|
download_path = dl
|
2010-10-31 12:20:07 +00:00
|
|
|
|
2014-05-30 20:04:44 +00:00
|
|
|
# Maximum file size (in bytes) for downloaded files to be stored in 'download_path'.
|
|
|
|
|
# A value of 0 means no limit. If the file size is known to be too big from the start,
|
|
|
|
|
# the file will not be stored on disk at all.
|
2013-01-08 19:31:20 +00:00
|
|
|
#
|
|
|
|
|
# (default: 0)
|
2014-05-30 20:04:44 +00:00
|
|
|
#download_limit_size = 10485760
|
2013-01-08 19:31:20 +00:00
|
|
|
|
2010-10-31 12:20:07 +00:00
|
|
|
# Directory where virtual file contents are kept in.
|
|
|
|
|
#
|
|
|
|
|
# This is only used by commands like 'cat' to display the contents of files.
|
|
|
|
|
# Adding files here is not enough for them to appear in the honeypot - the
|
|
|
|
|
# actual virtual filesystem is kept in filesystem_file (see below)
|
|
|
|
|
#
|
|
|
|
|
# (default: honeyfs)
|
2009-11-23 14:45:48 +00:00
|
|
|
contents_path = honeyfs
|
2010-10-31 12:20:07 +00:00
|
|
|
|
2014-05-28 04:13:55 +00:00
|
|
|
# File in the python pickle format containing the virtual filesystem.
|
2010-10-31 12:20:07 +00:00
|
|
|
#
|
|
|
|
|
# This includes the filenames, paths, permissions for the whole filesystem,
|
|
|
|
|
# but not the file contents. This is created by the createfs.py utility from
|
|
|
|
|
# a real template linux installation.
|
|
|
|
|
#
|
|
|
|
|
# (default: fs.pickle)
|
2015-05-12 15:17:42 +00:00
|
|
|
filesystem_file = data/fs.pickle
|
2010-10-31 12:20:07 +00:00
|
|
|
|
|
|
|
|
# Directory for miscellaneous data files, such as the password database.
|
|
|
|
|
#
|
|
|
|
|
# (default: data_path)
|
2010-04-14 09:26:04 +00:00
|
|
|
data_path = data
|
2010-10-31 12:20:07 +00:00
|
|
|
|
2015-03-17 22:00:35 +00:00
|
|
|
# Class that implements the checklogin() method.
|
2015-06-23 08:20:38 +00:00
|
|
|
#
|
2015-05-12 14:57:29 +00:00
|
|
|
# Class must be defined in cowrie/core/auth.py
|
2015-03-17 22:00:35 +00:00
|
|
|
# Default is the 'UserDB' class which uses the password database.
|
|
|
|
|
#
|
|
|
|
|
# Alternatively the 'AuthRandom' class can be used, which will let
|
|
|
|
|
# a user login after a random number of attempts.
|
|
|
|
|
# It will also cache username/password combinations that allow login.
|
|
|
|
|
#
|
|
|
|
|
auth_class = UserDB
|
2015-06-23 08:20:38 +00:00
|
|
|
# When AuthRandom is used also set the
|
2015-03-17 22:00:35 +00:00
|
|
|
# auth_class_parameters: <min try>, <max try>, <maxcache>
|
|
|
|
|
# for example: 2, 5, 10 = allows access after randint(2,5) attempts
|
|
|
|
|
# and cache 10 combinations.
|
|
|
|
|
#
|
|
|
|
|
#auth_class = AuthRandom
|
|
|
|
|
#auth_class_parameters = 2, 5, 10
|
|
|
|
|
|
2010-10-31 12:20:07 +00:00
|
|
|
# Directory for creating simple commands that only output text.
|
|
|
|
|
#
|
|
|
|
|
# The command must be placed under this directory with the proper path, such
|
|
|
|
|
# as:
|
|
|
|
|
# txtcmds/usr/bin/vi
|
|
|
|
|
# The contents of the file will be the output of the command when run inside
|
|
|
|
|
# the honeypot.
|
|
|
|
|
#
|
|
|
|
|
# In addition to this, the file must exist in the virtual
|
|
|
|
|
# filesystem {filesystem_file}
|
|
|
|
|
#
|
|
|
|
|
# (default: txtcmds)
|
2010-04-14 09:26:04 +00:00
|
|
|
txtcmds_path = txtcmds
|
2010-10-31 12:20:07 +00:00
|
|
|
|
|
|
|
|
# Public and private SSH key files. If these don't exist, they are created
|
|
|
|
|
# automatically.
|
2014-05-30 04:19:23 +00:00
|
|
|
rsa_public_key = data/ssh_host_rsa_key.pub
|
|
|
|
|
rsa_private_key = data/ssh_host_rsa_key
|
|
|
|
|
dsa_public_key = data/ssh_host_dsa_key.pub
|
|
|
|
|
dsa_private_key = data/ssh_host_dsa_key
|
2010-10-31 12:20:07 +00:00
|
|
|
|
2014-08-18 12:25:10 +00:00
|
|
|
# sftp_enabled enables the sftp subsystem
|
|
|
|
|
sftp_enabled = true
|
|
|
|
|
|
2015-05-13 06:40:21 +00:00
|
|
|
# IP address to bind to when opening outgoing connections. Used by
|
|
|
|
|
# the wget and curl commands.
|
2010-10-31 12:20:07 +00:00
|
|
|
#
|
|
|
|
|
# (default: not specified)
|
|
|
|
|
#out_addr = 0.0.0.0
|
|
|
|
|
|
|
|
|
|
# Fake address displayed as the address of the incoming connection.
|
|
|
|
|
# This doesn't affect logging, and is only used by honeypot commands such as
|
|
|
|
|
# 'w' and 'last'
|
|
|
|
|
#
|
|
|
|
|
# If not specified, the actual IP address is displayed instead (default
|
|
|
|
|
# behaviour).
|
|
|
|
|
#
|
|
|
|
|
# (default: not specified)
|
|
|
|
|
#fake_addr = 192.168.66.254
|
|
|
|
|
|
2015-01-27 11:01:06 +00:00
|
|
|
# The IP address on which this machine reachable on from the internet.
|
2015-05-13 06:40:21 +00:00
|
|
|
# Useful if you use portforwarding or other mechanisms. If empty, cowrie
|
2015-01-27 11:01:06 +00:00
|
|
|
# will determine by itself. Used in 'netstat' output
|
2015-05-13 06:40:21 +00:00
|
|
|
#
|
2015-01-27 11:01:06 +00:00
|
|
|
#internet_facing_ip = 9.9.9.9
|
|
|
|
|
|
2014-05-28 04:13:55 +00:00
|
|
|
# SSH Version String
|
2014-02-16 09:50:41 +00:00
|
|
|
#
|
|
|
|
|
# Use this to disguise your honeypot from a simple SSH version scan
|
|
|
|
|
# frequent Examples: (found experimentally by scanning ISPs)
|
|
|
|
|
# SSH-2.0-OpenSSH_5.1p1 Debian-5
|
2014-05-28 04:13:55 +00:00
|
|
|
# SSH-1.99-OpenSSH_4.3
|
|
|
|
|
# SSH-1.99-OpenSSH_4.7
|
|
|
|
|
# SSH-1.99-Sun_SSH_1.1
|
2014-02-16 09:50:41 +00:00
|
|
|
# SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.1
|
2014-05-28 04:13:55 +00:00
|
|
|
# SSH-2.0-OpenSSH_4.3
|
|
|
|
|
# SSH-2.0-OpenSSH_4.6
|
2014-02-16 09:50:41 +00:00
|
|
|
# SSH-2.0-OpenSSH_5.1p1 Debian-5
|
|
|
|
|
# SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901
|
|
|
|
|
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5
|
|
|
|
|
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
|
|
|
|
|
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
|
|
|
|
|
# SSH-2.0-OpenSSH_5.5p1 Debian-6
|
|
|
|
|
# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1
|
|
|
|
|
# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
|
|
|
|
|
# SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503
|
|
|
|
|
# SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
|
2015-05-13 06:40:21 +00:00
|
|
|
# SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
|
2014-02-16 09:50:41 +00:00
|
|
|
# SSH-2.0-OpenSSH_5.9
|
|
|
|
|
#
|
2015-05-13 06:40:21 +00:00
|
|
|
# (default: "SSH-2.0-SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2")
|
|
|
|
|
ssh_version_string = SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
|
2014-02-16 09:50:41 +00:00
|
|
|
|
2011-02-10 16:33:59 +00:00
|
|
|
# Banner file to be displayed before the first login attempt.
|
|
|
|
|
#
|
2015-02-01 07:47:08 +00:00
|
|
|
#banner_file = DEPRECATED; always '/etc/issue.net' in honeyfs
|
2011-02-10 16:33:59 +00:00
|
|
|
|
2011-10-21 09:29:06 +00:00
|
|
|
# Session management interface.
|
|
|
|
|
#
|
|
|
|
|
# This is a telnet based service that can be used to interact with active
|
|
|
|
|
# sessions. Disabled by default.
|
|
|
|
|
#
|
|
|
|
|
# (default: false)
|
2011-10-21 09:45:54 +00:00
|
|
|
interact_enabled = false
|
2011-10-21 09:29:06 +00:00
|
|
|
# (default: 5123)
|
|
|
|
|
interact_port = 5123
|
|
|
|
|
|
2010-10-31 12:20:07 +00:00
|
|
|
# MySQL logging module
|
|
|
|
|
#
|
|
|
|
|
# Database structure for this module is supplied in doc/sql/mysql.sql
|
|
|
|
|
#
|
|
|
|
|
# To enable this module, remove the comments below, including the
|
|
|
|
|
# [database_mysql] line.
|
2010-10-25 14:57:14 +00:00
|
|
|
|
2010-10-31 12:20:07 +00:00
|
|
|
#[database_mysql]
|
|
|
|
|
#host = localhost
|
2015-05-12 14:57:29 +00:00
|
|
|
#database = cowrie
|
|
|
|
|
#username = cowrie
|
2010-10-31 12:20:07 +00:00
|
|
|
#password = secret
|
2013-01-08 17:39:02 +00:00
|
|
|
#port = 3306
|
2010-12-02 19:39:23 +00:00
|
|
|
|
|
|
|
|
# XMPP Logging
|
|
|
|
|
#
|
|
|
|
|
# Log to an xmpp server.
|
|
|
|
|
# For a detailed explanation on how this works, see: <add url here>
|
|
|
|
|
#
|
|
|
|
|
# To enable this module, remove the comments below, including the
|
|
|
|
|
# [database_xmpp] line.
|
|
|
|
|
|
|
|
|
|
#[database_xmpp]
|
|
|
|
|
#server = sensors.carnivore.it
|
|
|
|
|
#user = anonymous@sensors.carnivore.it
|
|
|
|
|
#password = anonymous
|
|
|
|
|
#muc = dionaea.sensors.carnivore.it
|
2015-05-12 14:57:29 +00:00
|
|
|
#signal_createsession = cowrie-events
|
|
|
|
|
#signal_connectionlost = cowrie-events
|
|
|
|
|
#signal_loginfailed = cowrie-events
|
|
|
|
|
#signal_loginsucceeded = cowrie-events
|
|
|
|
|
#signal_command = cowrie-events
|
|
|
|
|
#signal_clientversion = cowrie-events
|
2010-12-02 19:39:23 +00:00
|
|
|
#debug=true
|
2013-03-29 15:04:52 +00:00
|
|
|
|
|
|
|
|
# Text based logging module
|
|
|
|
|
#
|
|
|
|
|
# While this is a database logging module, it actually just creates a simple
|
|
|
|
|
# text based log. This may not have much purpose, if you're fine with the
|
2015-05-12 14:57:29 +00:00
|
|
|
# default text based logs generated by cowrie in log/
|
2013-03-29 15:04:52 +00:00
|
|
|
#
|
|
|
|
|
# To enable this module, remove the comments below, including the
|
|
|
|
|
# [database_textlog] line.
|
|
|
|
|
|
|
|
|
|
#[database_textlog]
|
2015-05-12 14:57:29 +00:00
|
|
|
#logfile = log/cowrie-textlog.log
|
2014-11-04 10:31:26 +00:00
|
|
|
|
2015-05-12 15:34:53 +00:00
|
|
|
# JSON output module
|
|
|
|
|
[output_jsonlog]
|
2015-05-12 14:57:29 +00:00
|
|
|
logfile = log/cowrie.json
|
2015-03-10 09:29:29 +00:00
|
|
|
|
2015-01-21 21:49:57 +00:00
|
|
|
#[database_hpfeeds]
|
|
|
|
|
#server = hpfeeds.mysite.org
|
|
|
|
|
#port = 10000
|
|
|
|
|
#identifier = abc123
|
|
|
|
|
#secret = secret
|
|
|
|
|
#debug=false
|
