# # Cowrie configuration file (cowrie.cfg) # # ============================================================================ # General Honeypot Options # ============================================================================ [honeypot] # Sensor name is used to identify this Cowrie instance. Used by the database # logging modules such as mysql. # # If not specified, the logging modules will instead use the IP address of the # server as the sensor name. # # (default: not specified) #sensor_name=myhostname # Hostname for the honeypot. Displayed by the shell prompt of the virtual # environment # # (default: svr04) hostname = svr04 # Directory where to save log files in. # # (default: log) log_path = log # Directory where to save downloaded artifacts in. # # (default: dl) download_path = dl # Directory for miscellaneous data files, such as the password database. # # (default: data_path) data_path = data # Directory where virtual file contents are kept in. # # This is only used by commands like 'cat' to display the contents of files. # Adding files here is not enough for them to appear in the honeypot - the # actual virtual filesystem is kept in filesystem_file (see below) # # (default: honeyfs) contents_path = honeyfs # File in the Python pickle format containing the virtual filesystem. # # This includes the filenames, paths, permissions for the Cowrie filesystem, # but not the file contents. This is created by the bin/createfs utility from # a real template linux installation. # # (default: fs.pickle) filesystem_file = data/fs.pickle # Directory for creating simple commands that only output text. # # The command must be placed under this directory with the proper path, such # as: # txtcmds/usr/bin/vi # The contents of the file will be the output of the command when run inside # the honeypot. # # In addition to this, the file must exist in the virtual filesystem # # (default: txtcmds) txtcmds_path = txtcmds # Maximum file size (in bytes) for downloaded files to be stored in 'download_path'. # A value of 0 means no limit. If the file size is known to be too big from the start, # the file will not be stored on disk at all. # # (default: 0) #download_limit_size = 10485760 # TTY logging will log a transcript of the complete terminal interaction in UML # compatible format. # (default: true) ttylog = true # Default directory for TTY logs. # (default: ttylog_path = %(log_path)s/tty) ttylog_path = %(log_path)s/tty # Interactive timeout determines when logged in sessions are # terminated for being idle. In seconds. # (default: 180) interactive_timeout = 180 # EXPERIMENTAL: back-end to user for Cowrie, options: proxy or shell # a limited implementation is available for proxy, with request_exec functionality only # (default: shell) backend = shell # ============================================================================ # Network Specific Options # ============================================================================ # IP address to bind to when opening outgoing connections. Used by wget and # curl commands. # # (default: not specified) #out_addr = 0.0.0.0 # Fake address displayed as the address of the incoming connection. # This doesn't affect logging, and is only used by honeypot commands such as # 'w' and 'last' # # If not specified, the actual IP address is displayed instead (default # behaviour). # # (default: not specified) #fake_addr = 192.168.66.254 # The IP address on which this machine is reachable on from the internet. # Useful if you use portforwarding or other mechanisms. If empty, Cowrie # will determine by itself. Used in 'netstat' output # #internet_facing_ip = 9.9.9.9 # Enable to log the public IP of the honeypot (useful if listening on 127.0.0.1) # IP address is obtained by querying http://myip.threatstream.com #report_public_ip = true # ============================================================================ # Authentication Specific Options # ============================================================================ # Class that implements the checklogin() method. # # Class must be defined in cowrie/core/auth.py # Default is the 'UserDB' class which uses the password database. # # Alternatively the 'AuthRandom' class can be used, which will let # a user login after a random number of attempts. # It will also cache username/password combinations that allow login. # auth_class = UserDB # When AuthRandom is used also set the # auth_class_parameters: , , # for example: 2, 5, 10 = allows access after randint(2,5) attempts # and cache 10 combinations. # #auth_class = AuthRandom #auth_class_parameters = 2, 5, 10 # No authentication checking at all # enabling 'auth_none' will enable the ssh2 'auth_none' authentication method # this allows the requested user in without any verification at all # # (default: false) #auth_none_enabled = false # ============================================================================ # Historical SSH Specific Options # historical options in [honeypot] that have not yet been moved to [ssh] # ============================================================================ # Source Port to report in logs (useful if you use iptables to forward ports to Cowrie) #reported_ssh_port = 22 # ============================================================================ # SSH Specific Options # ============================================================================ [ssh] # Enable SSH support # (default: true) enabled = true # Public and private SSH key files. If these don't exist, they are created # automatically. rsa_public_key = etc/ssh_host_rsa_key.pub rsa_private_key = etc/ssh_host_rsa_key dsa_public_key = etc/ssh_host_dsa_key.pub dsa_private_key = etc/ssh_host_dsa_key # SSH Version String # # Use these to disguise your honeypot from a simple SSH version scan # Examples: # SSH-2.0-OpenSSH_5.1p1 Debian-5 # SSH-1.99-OpenSSH_4.3 # SSH-1.99-OpenSSH_4.7 # SSH-1.99-Sun_SSH_1.1 # SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.1 # SSH-2.0-OpenSSH_4.3 # SSH-2.0-OpenSSH_4.6 # SSH-2.0-OpenSSH_5.1p1 Debian-5 # SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901 # SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5 # SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6 # SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7 # SSH-2.0-OpenSSH_5.5p1 Debian-6 # SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1 # SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2 # SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503 # SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1 # SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2 # SSH-2.0-OpenSSH_5.9 # # (default: "SSH-2.0-SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2") version = SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2 # IP addresses to listen for incoming SSH connections. # (DEPRECATED: use listen_endpoints instead) # # (default: 0.0.0.0) = any IPv4 address #listen_addr = 0.0.0.0 # (use :: for listen to all IPv6 and IPv4 addresses) #listen_addr = :: # Port to listen for incoming SSH connections. # (DEPRECATED: use listen_endpoints instead) # # (default: 2222) #listen_port = 2222 # Endpoint to listen on for incoming SSH connections. # See https://twistedmatrix.com/documents/current/core/howto/endpoints.html#servers # (default: listen_endpoints = tcp:2222:interface=0.0.0.0) # (use systemd: endpoint for systemd activation) # listen_endpoints = systemd:domain=INET:index=0 # For both IPv4 and IPv6: listen_endpoints = tcp6:2222:interface=\:\: listen_endpoints = tcp:2222:interface=0.0.0.0 # Enable the SFTP subsystem # (default: true) sftp_enabled = true # Enable SSH direct-tcpip forwarding # (default: true) forwarding = true # This enables redirecting forwarding requests to another address # Useful for forwarding protocols to other honeypots # (default: false) forward_redirect = false # Configure where to forward the data to. # forward_redirect_ = : # Redirect http/https # forward_redirect_80 = 127.0.0.1:8000 # forward_redirect_443 = 127.0.0.1:8443 # To record SMTP traffic, install an SMTP honeypoint. # (e.g https://github.com/awhitehatter/mailoney), run # python mailoney.py -s yahoo.com -t schizo_open_relay -p 12525 # forward_redirect_25 = 127.0.0.1:12525 # forward_redirect_587 = 127.0.0.1:12525 # ============================================================================ # Telnet Specific Options # ============================================================================ [telnet] # Enable Telnet support, disabled by default enabled = false # IP addresses to listen for incoming Telnet connections. # (DEPRECATED: use listen_endpoints instead) # # (default: 0.0.0.0) = any IPv4 address #listen_addr = 0.0.0.0 # (use :: for listen to all IPv6 and IPv4 addresses) #listen_addr = :: # Port to listen for incoming Telnet connections. # (DEPRECATED: use listen_endpoints instead) # # (default: 2223) #listen_port = 2223 # Endpoint to listen on for incoming Telnet connections. # See https://twistedmatrix.com/documents/current/core/howto/endpoints.html#servers # (default: listen_endpoints = tcp:2223:interface=0.0.0.0) # (use systemd: endpoint for systemd activation) # listen_endpoints = systemd:domain=INET:index=0 # For IPv4 and IPv6: listen_endpoints = tcp6:2223:interface=\:\: tcp:2223:interface=0.0.0.0 listen_endpoints = tcp:2223:interface=0.0.0.0 # Source Port to report in logs (useful if you use iptables to forward ports to Cowrie) #reported_port = 23 # ============================================================================ # Database logging Specific Options # ============================================================================ # XMPP Logging # Log to an xmpp server. # #[database_xmpp] #server = sensors.carnivore.it #user = anonymous@sensors.carnivore.it #password = anonymous #muc = dionaea.sensors.carnivore.it #signal_createsession = cowrie-events #signal_connectionlost = cowrie-events #signal_loginfailed = cowrie-events #signal_loginsucceeded = cowrie-events #signal_command = cowrie-events #signal_clientversion = cowrie-events #debug=true # ============================================================================ # Output Plugins # These provide an extensible mechanism to send audit log entries to third # parties. The audit entries contain information on clients connecting to # the honeypot. # ============================================================================ # JSON based logging module # [output_jsonlog] logfile = log/cowrie.json # Supports logging to Elasticsearch # This is a simple early release # #[output_elasticsearch] #host = localhost #port = 9200 #index = cowrie #type = cowrie # Send login attemp information to SANS DShield # See https://isc.sans.edu/ssh.html # You must signup for an api key. # Once registered, find your details at: https://isc.sans.edu/myaccount.html # #[output_dshield] #userid = userid_here #auth_key = auth_key_here #batch_size = 100 # Local Syslog output module # # This sends log messages to the local syslog daemon. # Facility can be: # KERN, USER, MAIL, DAEMON, AUTH, LPR, NEWS, UUCP, CRON, SYSLOG and LOCAL0 to LOCAL7. # # Format can be: # text, cef # #[output_localsyslog] #facility = USER #format = text # Text output # This writes audit log entries to a text file # # Format can be: # text, cef # #[output_textlog] #logfile = log/audit.log #format = text # MySQL logging module # Database structure for this module is supplied in doc/sql/mysql.sql # # MySQL logging requires extra software: sudo apt-get install libmysqlclient-dev # MySQL logging requires an extra Python module: pip install mysql-python # #[output_mysql] #host = localhost #database = cowrie #username = cowrie #password = secret #port = 3306 #debug = false # Rethinkdb output module # Rethinkdb output module requires extra Python module: pip install rethinkdb #[output_rethinkdblog] #host = 127.0.0.1 #port = 28015 #table = output #password = #db = cowrie # SQLite3 logging module # # Logging to SQLite3 database. To init the database, use the script # doc/sql/sqlite3.sql: # sqlite3 < doc/sql/sqlite3.sql # #[output_sqlite] #db_file = cowrie.db # MongoDB logging module # # MongoDB logging requires an extra Python module: pip install pymongo # #[output_mongodb] #connection_string = mongodb://username:password@host:port/database #database = dbname # Splunk SDK output module - Legacy. Requires Splunk API installed # This sends logs directly to Splunk using the Python REST SDK # #[output_splunklegacy] #host = localhost #port = 8889 #username = admin #password = password #index = cowrie # Splunk HTTP Event Collector (HEC) output module # Sends JSON directly to Splunk over HTTPS # mandatory fields: url, token # optional fields: index, source, sourcetype, host # #[output_splunk] #url = https://localhost:8088/services/collector/event #token = 6A0EA6C6-8006-4E39-FC44-C35FF6E561A8 #index = cowrie #sourcetype = cowrie #source = cowrie # HPFeeds # #[output_hpfeeds] #server = hpfeeds.mysite.org #port = 10000 #identifier = abc123 #secret = secret #debug=false # VirusTotal output module # You must signup for an api key. # #[output_virustotal] #api_key = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef #upload = True #debug = False # Cuckoo output module #[output_cuckoo] # no slash at the end #url_base = http://127.0.0.1:8090 #user = user #passwd = passwd # force will upload duplicated files to cuckoo #force = 0 # upload to MalShare #[output_malshare] #enabled = false #[output_slack] # This will produce a _lot_ of messages - you have been warned.... #channel = channel_that_events_should_be_posted_in #token = slack_token_for_your_bot ##debug=true # https://csirtg.io # You must signup for an api key. # #[output_csirtg] #username=wes #feed=scanners #description=random scanning activity #token=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef #[output_socketlog] #address = 127.0.0.1:9000 #timeout = 5 # Upload files that cowrie has captured to an S3 (or compatible bucket) # Files are stored with a name that is the SHA of their contents # #[output_s3] # # The AWS credentials to use #access_key_id = AKIDEXAMPLE #secret_access_key = wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY # # The bucket to store the files in. The bucket must already exist. #bucket = my-cowrie-bucket # # The region the bucket is in #region = eu-west-1 # # An alternate endpoint URL. If you self host a pithos instance you can set # this to its URL (e.g. https://s3.mydomain.com) - can otherwise be blank #endpoint = # # Whether or not to validate the S3 certificate. Set this to 'no' to turn this # off. Do not do this for real AWS. It's only needed for self-hosted S3 clone # where you don't yet have real certificates. #verify = no #[output_influx] #host = 127.0.0.1 #port = 8086 #database_name = cowrie #retention_policy_duration = 12w #[output_redis] #host = 127.0.0.1 #port = 6379 #db = 0 #keyname = cowrie