mirror of https://github.com/cowrie/cowrie.git
182 lines
2.8 KiB
ReStructuredText
182 lines
2.8 KiB
ReStructuredText
Output Event Code Reference
|
|
###########################
|
|
|
|
This guide documents the event id's used by Cowrie that are sent to the output modules, such as the JSON logging module.
|
|
|
|
Reference
|
|
*********
|
|
|
|
Shared Attributes
|
|
=================
|
|
|
|
These attributes are shared by all messages.
|
|
|
|
Attributes:
|
|
|
|
* `message`: human readable message
|
|
* `sensor`: name of the sensor, by default the hostname
|
|
* `timestamp`: timestamp in ISO8601 format in UTC time zone
|
|
* `src_ip`: attacker IP address
|
|
* `session`: unique session identifier
|
|
|
|
cowrie.client.fingerprint
|
|
=========================
|
|
|
|
If the attacker attemps to log in with an SSH public key this is logged here
|
|
|
|
Attributes:
|
|
|
|
* `username`: username
|
|
* `fingerprint`: the key fingerprint
|
|
* `key`: the key
|
|
* `type`: type of key, typically ssh-rsa or ssh-dsa
|
|
|
|
cowrie.login.success
|
|
====================
|
|
|
|
Successful authentication.
|
|
|
|
Attributes:
|
|
|
|
* username
|
|
* password
|
|
|
|
cowrie.login.failed
|
|
===================
|
|
|
|
Failed authentication.
|
|
|
|
Attributes:
|
|
|
|
* username
|
|
* password
|
|
|
|
cowrie.client.size
|
|
===================
|
|
|
|
Width and height of the users terminal as communicated through the SSH protocol.
|
|
|
|
Attributes:
|
|
|
|
* width
|
|
* height
|
|
|
|
cowrie.session.file_upload
|
|
==========================
|
|
|
|
File uploaded to Cowrie, generaly through SFTP or SCP or another way.
|
|
|
|
Attributes:
|
|
|
|
* filename
|
|
* outfile
|
|
* shasum
|
|
|
|
cowrie.command.input
|
|
====================
|
|
|
|
Command line input
|
|
|
|
Attributes:
|
|
|
|
* input
|
|
|
|
|
|
cowrie.virustotal.scanfile
|
|
==========================
|
|
|
|
File sent to VT for scanning
|
|
|
|
Attributes:
|
|
|
|
* sha256
|
|
* is_new
|
|
* positives
|
|
* total
|
|
|
|
cowrie.session.connect
|
|
==========================
|
|
|
|
New connection
|
|
|
|
Attributes:
|
|
|
|
* src_ip
|
|
* src_port
|
|
* dst_ip
|
|
* dst_port
|
|
|
|
cowrie.client.version
|
|
=====================
|
|
|
|
SSH identification string
|
|
|
|
Attributes:
|
|
|
|
* version
|
|
|
|
|
|
cowrie.client.kex
|
|
=====================
|
|
|
|
SSH Key Exchange Attributes
|
|
|
|
Attributes:
|
|
|
|
* hassh
|
|
* hasshAlgorithms
|
|
* kexAlgs
|
|
* keyAlgs
|
|
|
|
cowrie.session.closed
|
|
=====================
|
|
|
|
Session closed
|
|
|
|
Attributes:
|
|
|
|
* duration
|
|
|
|
cowrie.log.closed
|
|
=====================
|
|
|
|
TTY Log closed
|
|
|
|
Attributes:
|
|
|
|
* `duration`: duration of session in seconds
|
|
* `ttylog`: filename of session log that can be replayed with ``bin/playlog``
|
|
* `size`: size in bytes
|
|
* `shasum`: SHA256 checksum of the attacker input only (honeypot generated output is not included)
|
|
* `duplicate`: whether this is the first time this attack has been seen
|
|
|
|
cowrie.direct-tcpip.request
|
|
===========================
|
|
|
|
Request for proxying via the honeypot
|
|
|
|
Attributes:
|
|
|
|
* dst_ip
|
|
* dst_port
|
|
* src_ip
|
|
* src_port
|
|
|
|
cowrie.direct-tcpip.data
|
|
===========================
|
|
|
|
Data attempted to be sent through direct-tcpip forwarding
|
|
|
|
Attributes:
|
|
|
|
* dst_ip
|
|
* dst_port
|
|
|
|
cowrie.client.var
|
|
=================
|
|
|
|
Attributes:
|
|
|
|
* name
|
|
* value
|