Fixed Cowrie detection (#1530)

* Fixed Cowrie detection by its behaviour. Inspired by https://github.com/blazeinfosec/detect-kippo-cowrie
2021-05-01 06:34:56 +00:00 · 2021-05-01 06:34:56 +00:00 · f2f1b3b150
parent dddde1850a
commit f2f1b3b150
2 changed files with 8 additions and 6 deletions
--- a/src/cowrie/commands/iptables.py
+++ b/src/cowrie/commands/iptables.py
@ -373,7 +373,7 @@ Options:
            self.no_permission()

    def list(self, chain):
-        """ List current rules """
+        """List current rules"""

        if self.user_is_root():
            if len(chain) > 0:
@ -444,7 +444,7 @@ Options:
        self.exit()

    def no_command(self):
-        """ Print no command message and exit """
+        """Print no command message and exit"""

        self.write(
            """%s %s: no command specified'
@ -454,7 +454,7 @@ Try `iptables -h\' or \'iptables --help\' for more information.\n"""
        self.exit()

    def unknown_option(self, option):
-        """ Print unknown option message and exit """
+        """Print unknown option message and exit"""

        self.write(
            """%s %s: unknown option \'%s\''
@ -464,7 +464,7 @@ Try `iptables -h\' or \'iptables --help\' for more information.\n"""
        self.exit()

    def bad_argument(self, argument):
-        """ Print bad argument and exit """
+        """Print bad argument and exit"""

        self.write(
            """Bad argument \'%s\'
--- a/src/cowrie/ssh/transport.py
+++ b/src/cowrie/ssh/transport.py
@ -122,7 +122,8 @@ class HoneyPotSSHTransport(transport.SSHServerTransport, TimeoutMixin):
                        repr(self.otherVersionString)
                    )
                )
-                self.transport.write(b"Protocol mismatch.\n")
+                # OpenSSH sending the same message
+                self.transport.write(b"Invalid SSH identification string.\n")
                self.transport.loseConnection()
                return
            else:
@ -263,7 +264,8 @@ class HoneyPotSSHTransport(transport.SSHServerTransport, TimeoutMixin):
        if b"bad packet length" not in desc:
            transport.SSHServerTransport.sendDisconnect(self, reason, desc)
        else:
-            self.transport.write(b"Packet corrupt\n")
+            # this message is used to detect Cowrie behaviour
+            # self.transport.write(b"Packet corrupt\n")
            log.msg(
                f"[SERVER] - Disconnecting with error, code {reason} reason: {desc}"
            )