# DO NOT EDIT THIS FILE! # Changes to default files will be lost on update and are difficult to # manage and support. # # Please make any changes to system defaults by overriding them in # cowrie.cfg # # To override a specific setting, copy the name of the stanza and # setting to the file where you wish to override it. # ============================================================================ # General Cowrie Options # ============================================================================ [honeypot] # Sensor name is used to identify this Cowrie instance. Used by the database # logging modules such as mysql. # # If not specified, the logging modules will instead use the IP address of the # server as the sensor name. # # (default: not specified) #sensor_name=myhostname # Hostname for the honeypot. Displayed by the shell prompt of the virtual # environment # # (default: svr04) hostname = svr04 # Directory where to save log files in. # # (default: log) log_path = var/log/cowrie # Directory where to save downloaded artifacts in. # # (default: downloads) download_path = ${honeypot:state_path}/downloads # Directory for static data files # # (default: share/cowrie) share_path = share/cowrie # Directory for variable state files # # (default: var/lib/cowrie) state_path = var/lib/cowrie # Directory for config files # # (default: etc) etc_path = etc # Directory where virtual file contents are kept in. # # This is only used by commands like 'cat' to display the contents of files. # Adding files here is not enough for them to appear in the honeypot - the # actual virtual filesystem is kept in filesystem_file (see below) # # (default: honeyfs) contents_path = honeyfs # Directory for creating simple commands that only output text. # # The command must be placed under this directory with the proper path, such # as: # txtcmds/usr/bin/vi # The contents of the file will be the output of the command when run inside # the honeypot. # # In addition to this, the file must exist in the virtual filesystem # # (default: txtcmds) txtcmds_path = txtcmds # Maximum file size (in bytes) for downloaded files to be stored in 'download_path'. # A value of 0 means no limit. If the file size is known to be too big from the start, # the file will not be stored on disk at all. # # (default: 0) #download_limit_size = 10485760 # TTY logging will log a transcript of the complete terminal interaction in UML # compatible format. # (default: true) ttylog = true # Default directory for TTY logs. # (default: ttylog_path = %(state_path)s/tty) ttylog_path = ${honeypot:state_path}/tty # Interactive timeout determines when logged in sessions are # terminated for being idle. In seconds. # (default: 180) interactive_timeout = 180 # Authentication Timeout # The server disconnects after this time if the user has not successfully logged in. If the value is 0, # there is no time limit. The default is 120 seconds. authentication_timeout = 120 # EXPERIMENTAL: back-end to user for Cowrie, options: proxy or shell # (default: shell) backend = shell # Timezone Cowrie uses for logging # This can be any valid timezone for the TZ environment variable # The special value `system` will let Cowrie use the system time zone # `system` is not recommended because you will need to deal with daylight # savings time and other special cases yourself when analysing the logs. timezone = UTC # Custom prompt # By default, Cowrie creates a shell prompt like: root@svr03:~# # If you want something totally custom, uncomment the option below and set your prompt # Beware that the path won't be included in your prompt any longer # prompt = hello> # ============================================================================ # Network Specific Options # ============================================================================ # IP address to bind to when opening outgoing connections. Used by wget and # curl commands. # # (default: not specified) #out_addr = 0.0.0.0 # Fake address displayed as the address of the incoming connection. # This doesn't affect logging, and is only used by honeypot commands such as # 'w' and 'last' # # If not specified, the actual IP address is displayed instead (default # behaviour). # # (default: not specified) #fake_addr = 192.168.66.254 # The IP address on which this machine is reachable on from the internet. # Useful if you use portforwarding or other mechanisms. If empty, Cowrie # will determine by itself. Used in 'netstat' output # #internet_facing_ip = 9.9.9.9 # Enable to log the public IP of the honeypot (useful if listening on 127.0.0.1) # IP address is obtained by querying http://myip.threatstream.com #report_public_ip = true # ============================================================================ # Authentication Specific Options # ============================================================================ # Class that implements the checklogin() method. # # Class must be defined in cowrie/core/auth.py # Default is the 'UserDB' class which uses the password database. # # Alternatively the 'AuthRandom' class can be used, which will let # a user login after a random number of attempts. # It will also cache username/password combinations that allow login. # auth_class = UserDB # When AuthRandom is used also set the # auth_class_parameters: , , # for example: 2, 5, 10 = allows access after randint(2,5) attempts # and cache 10 combinations. # #auth_class = AuthRandom #auth_class_parameters = 2, 5, 10 # ============================================================================ # Historical SSH Specific Options # historical options in [honeypot] that have not yet been moved to [ssh] # ============================================================================ # Source Port to report in logs (useful if you use iptables to forward ports to Cowrie) #reported_ssh_port = 22 [backend_pool] # ============================================================================ # Backend Pool Configurations # only used on the cowrie instance that runs the pool # ============================================================================ # enable this to solely run the pool, regardless of other configurations (disables SSH and Telnet) pool_only = false # time between full VM recycling (cleans older VMs and boots newer ones) - involves some downtime between cycles # -1 to disable recycle_period = 1500 # change interface below to allow connections from outside (e.g. remote pool) listen_endpoints = tcp:6415:interface=127.0.0.1 # guest snapshots save_snapshots = false snapshot_path = ${honeypot:state_path}/snapshots # pool xml configs config_files_path = ${honeypot:share_path}/pool_configs network_config = default_network.xml nw_filter_config = default_filter.xml # ===================================== # Guest details (for a generic x86-64 guest, like Ubuntu) # # Used to provide configuration details to save snapshots, identify # running guests, and provide other details to Cowrie. # - SSH and Telnet ports: which ports are listening for these services in the guest OS; # if you're not using one of them omit the config or set to 0 # - Guest private key: used by the pool to control the guest's state via SSH; guest must # have the corresponding pubkey in root's authorized_keys (not implemented) # ===================================== guest_config = default_guest.xml guest_privkey = ${honeypot:state_path}/ubuntu18.04-guest guest_tag = ubuntu18.04 guest_ssh_port = 22 guest_telnet_port = 23 # Configs below are used on default XMLs provided. # If you provide your own XML in guest_config you don't need these configs. # # Guest hypervisor can be qemu or kvm, for example. Recent hardware has KVM, # which is more performant than the qemu software-based emulation. Guest arch # must match your machine's. If it's older or you're unsure, set it to 'qemu'. # # Memory size is in MB. # # Advanced: guest_qemu_machine defines which machine Qemu emulates for your VM # If you get a "unsupported machine type" exception when VMs are loading, change # it to a compatible machine listed by the command: 'qemu-system-x86_64 -machine help' guest_image_path = /home/cowrie/cowrie-imgs/ubuntu18.04-minimal.qcow2 guest_hypervisor = kvm guest_memory = 512 guest_qemu_machine = pc-q35-bionic # ===================================== # Guest details (for OpenWRT with ARM architecture) # # Used to provide configuration details to save snapshots, identify running guests, # and provide other details to Cowrie. # ===================================== #guest_config = wrt_arm_guest.xml #guest_tag = wrt #guest_ssh_port = 22 #guest_telnet_port = 23 # Configs below are used on default XMLs provided. # If you provide your own XML in guest_config you don't need these configs. # # Guest hypervisor can be qemu or kvm, for example. Recent hardware has KVM, # which is more performant than the qemu software-based emulation. Guest arch # must match your machine's. # # Memory size is in MB. # # Advanced: guest_qemu_machine defines which machine Qemu emulates for your VM # If you get a "unsupported machine type" exception when VMs are loading, change # it to a compatible machine listed by the command: 'qemu-system-arm -machine help' #guest_image_path = /home/cowrie/cowrie-imgs/root.qcow2 #guest_hypervisor = qemu #guest_memory = 256 #guest_kernel_image = /home/cowrie/cowrie-imgs/zImage #guest_qemu_machine = virt-2.9 # ===================================== # Other configs # ===================================== # Use NAT (for remote pool) # # Guests exist in a local interface created by libvirt; NAT functionality creates a port in the host, # exposed to a public interface, and forwards TCP data to and from the libvirt private interface. # Cowrie's proxy receives the public information instead of the local IP of guests. use_nat = true nat_public_ip = 192.168.1.40 # ============================================================================ # Proxy Options # ============================================================================ [proxy] # type of backend: # - simple: backend machine deployed by you (CAREFUL WITH SECURITY ASPECTS!!), specify hosts and ports below # - pool: cowrie-managed pool of virtual machines, configure below backend = pool # ===================================== # Simple Backend Configuration # ===================================== backend_ssh_host = localhost backend_ssh_port = 2022 backend_telnet_host = localhost backend_telnet_port = 2023 # ===================================== # Pool Backend Configuration # ===================================== # generic pool configurable settings pool_max_vms = 5 pool_vm_unused_timeout = 600 # allow sharing guests between different attackers if no new VMs are available pool_share_guests = true # Where to deploy the backend pool (only if backend = pool) # - "local": same machine as the proxy # - "remote": set host and port of the pool below pool = local # Remote pool configurations (used with pool=remote) pool_host = 192.168.1.40 pool_port = 6415 # ===================================== # Proxy Configurations # ===================================== # real credentials to log into backend backend_user = root backend_pass = root # Telnet prompt detection # # To detect authentication prompts (and spoof auth details to the ones the backend accepts) we need to capture # login and password prompts, and spoof data to the backend in order to successfully authenticate. If disabled, # attackers can only use the real user credentials of the backend. telnet_spoof_authentication = true # These regex were made using Ubuntu 18.04; you have to adapt these for the prompts # from your backend. You can enable raw logging above to analyse data passing through # and identify the format of the prompts you need. # You should generally include ".*" at the beginning and end of prompts, since Telnet messages can contain # more data than the prompt. # For login it is usually login: telnet_username_prompt_regex = (\n|^)ubuntu login: .* # Password prompt is usually only the word Password telnet_password_prompt_regex = .*Password: .* # This data is sent by clients at the beginning of negotiation (before the password prompt), and contains the username # that is trying to log in. We replace that username with the one in "backend_user" to allow the chance of a successful # login after the first password prompt. We are only able to check if credentials are allowed after the password is # inserted. If they are, then a correct username was already sent and authentication succeeds; if not, we send a fake # password to force authentication to fail. telnet_username_in_negotiation_regex = (.*\xff\xfa.*USER\x01)(.*?)(\xff.*) # Other configs # # log raw TCP packets in SSh and Telnet log_raw = false # ============================================================================ # Shell Options # Options around Cowrie's Shell Emulation # ============================================================================ [shell] # File in the Python pickle format containing the virtual filesystem. # # This includes the filenames, paths, permissions for the Cowrie filesystem, # but not the file contents. This is created by the bin/createfs utility from # a real template linux installation. # # (default: fs.pickle) filesystem = ${honeypot:share_path}/fs.pickle # File that contains output for the `ps` command. # # (default: share/cowrie/cmdoutput.json) processes = share/cowrie/cmdoutput.json # Fake architectures/OS # When Cowrie receive a command like /bin/cat XXXX (where XXXX is an executable) # it replies with the content of a dummy executable (located in data_path/arch) # compiled for an architecture/OS/endian_mode # arch can be a comma separated list. When there are multiple elements, a random # is chosen at login time. # (default: linux-x64-lsb) arch = linux-x64-lsb # Here the list of supported OS-ARCH-ENDIANESS executables # bsd-aarch64-lsb: 64-bit LSB ARM aarch64 version 1 (SYSV) # bsd-aarch64-msb: 64-bit MSB ARM aarch64 version 1 (SYSV) # bsd-bfin-msb: 32-bit MSB Analog Devices Blackfin version 1 (SYSV) # bsd-mips64-lsb: 64-bit LSB MIPS MIPS-III version 1 (SYSV) # bsd-mips64-msb: 64-bit MSB MIPS MIPS-III version 1 (SYSV) # bsd-mips-lsb: 32-bit LSB MIPS MIPS-I version 1 (FreeBSD) # bsd-mips-msb: 32-bit MSB MIPS MIPS-I version 1 (FreeBSD) # bsd-powepc64-lsb: 64-bit MSB 64-bit PowerPC or cisco 7500 version 1 (FreeBSD) # bsd-powepc-msb: 32-bit MSB PowerPC or cisco 4500 version 1 (FreeBSD) # bsd-riscv64-lsb: 64-bit LSB UCB RISC-V version 1 (SYSV) # bsd-sparc64-msb: 64-bit MSB SPARC V9 relaxed memory ordering version 1 (FreeBSD) # bsd-sparc-msb: 32-bit MSB SPARC version 1 (SYSV) statically # bsd-x32-lsb: 32-bit LSB Intel 80386 version 1 (FreeBSD) # bsd-x64-lsb: 64-bit LSB x86-64 version 1 (FreeBSD) # linux-aarch64-lsb: 64-bit LSB ARM aarch64 version 1 (SYSV) # linux-aarch64-msb: 64-bit MSB ARM aarch64 version 1 (SYSV) # linux-alpha-lsb: 64-bit LSB Alpha (unofficial) version 1 (SYSV) # linux-am33-lsb: 32-bit LSB Matsushita MN10300 version 1 (SYSV) # linux-arc-lsb: 32-bit LSB ARC Cores Tangent-A5 version 1 (SYSV) # linux-arc-msb: 32-bit MSB ARC Cores Tangent-A5 version 1 (SYSV) # linux-arm-lsb: 32-bit LSB ARM EABI5 version 1 (SYSV) # linux-arm-msb: 32-bit MSB ARM EABI5 version 1 (SYSV) # linux-avr32-lsb: 32-bit LSB Atmel AVR 8-bit version 1 (SYSV) # linux-bfin-lsb: 32-bit LSB Analog Devices Blackfin version 1 (SYSV) # linux-c6x-lsb: 32-bit LSB TI TMS320C6000 DSP family version 1 # linux-c6x-msb: 32-bit MSB TI TMS320C6000 DSP family version 1 # linux-cris-lsb: 32-bit LSB Axis cris version 1 (SYSV) # linux-frv-msb: 32-bit MSB Cygnus FRV (unofficial) version 1 (SYSV) # linux-h8300-msb: 32-bit MSB Renesas H8/300 version 1 (SYSV) # linux-hppa64-msb: 64-bit MSB PA-RISC 02.00.00 (LP64) version 1 # linux-hppa-msb: 32-bit MSB PA-RISC *unknown arch 0xf* version 1 (GNU/Linux) # linux-ia64-lsb: 64-bit LSB IA-64 version 1 (SYSV) # linux-m32r-msb: 32-bit MSB Renesas M32R version 1 (SYSV) # linux-m68k-msb: 32-bit MSB Motorola m68k 68020 version 1 (SYSV) # linux-microblaze-msb: 32-bit MSB Xilinx MicroBlaze 32-bit RISC version 1 (SYSV) # linux-mips64-lsb: 64-bit LSB MIPS MIPS-III version 1 (SYSV) # linux-mips64-msb: 64-bit MSB MIPS MIPS-III version 1 (SYSV) # linux-mips-lsb: 32-bit LSB MIPS MIPS-I version 1 (SYSV) # linux-mips-msb: 32-bit MSB MIPS MIPS-I version 1 (SYSV) # linux-mn10300-lsb: 32-bit LSB Matsushita MN10300 version 1 (SYSV) # linux-nios-lsb: 32-bit LSB Altera Nios II version 1 (SYSV) # linux-nios-msb: 32-bit MSB Altera Nios II version 1 (SYSV) # linux-powerpc64-lsb: 64-bit LSB 64-bit PowerPC or cisco 7500 version 1 (SYSV) # linux-powerpc64-msb: 64-bit MSB 64-bit PowerPC or cisco 7500 version 1 (SYSV) # linux-powerpc-lsb: 32-bit LSB PowerPC or cisco 4500 version 1 (SYSV) # linux-powerpc-msb: 32-bit MSB PowerPC or cisco 4500 version 1 (SYSV) # linux-riscv64-lsb: 64-bit LSB UCB RISC-V version 1 (SYSV) # linux-s390x-msb: 64-bit MSB IBM S/390 version 1 (SYSV) # linux-sh-lsb: 32-bit LSB Renesas SH version 1 (SYSV) # linux-sh-msb: 32-bit MSB Renesas SH version 1 (SYSV) # linux-sparc64-msb: 64-bit MSB SPARC V9 relaxed memory ordering version 1 (SYSV) # linux-sparc-msb: 32-bit MSB SPARC version 1 (SYSV) # linux-tilegx64-lsb: 64-bit LSB Tilera TILE-Gx version 1 (SYSV) # linux-tilegx64-msb: 64-bit MSB Tilera TILE-Gx version 1 (SYSV) # linux-tilegx-lsb: 32-bit LSB Tilera TILE-Gx version 1 (SYSV) # linux-tilegx-msb: 32-bit MSB Tilera TILE-Gx version 1 (SYSV) # linux-x64-lsb: 64-bit LSB x86-64 version 1 (SYSV) # linux-x86-lsb: 32-bit LSB Intel 80386 version 1 (SYSV) # linux-xtensa-msb: 32-bit MSB Tensilica Xtensa version 1 (SYSV) # osx-x32-lsb: 32-bit LSB Intel 80386 # osx-x64-lsb: 64-bit LSB x86-64 # arch = bsd-aarch64-lsb, bsd-aarch64-msb, bsd-bfin-msb, bsd-mips-lsb, bsd-mips-msb, bsd-mips64-lsb, bsd-mips64-msb, bsd-powepc-msb, bsd-powepc64-lsb, bsd-riscv64-lsb, bsd-sparc-msb, bsd-sparc64-msb, bsd-x32-lsb, bsd-x64-lsb, linux-aarch64-lsb, linux-aarch64-msb, linux-alpha-lsb, linux-am33-lsb, linux-arc-lsb, linux-arc-msb, linux-arm-lsb, linux-arm-msb, linux-avr32-lsb, linux-bfin-lsb, linux-c6x-lsb, linux-c6x-msb, linux-cris-lsb, linux-frv-msb, linux-h8300-msb, linux-hppa-msb, linux-hppa64-msb, linux-ia64-lsb, linux-m32r-msb, linux-m68k-msb, linux-microblaze-msb, linux-mips-lsb, linux-mips-msb, linux-mips64-lsb, linux-mips64-msb, linux-mn10300-lsb, linux-nios-lsb, linux-nios-msb, linux-powerpc-lsb, linux-powerpc-msb, linux-powerpc64-lsb, linux-powerpc64-msb, linux-riscv64-lsb, linux-s390x-msb, linux-sh-lsb, linux-sh-msb, linux-sparc-msb, linux-sparc64-msb, linux-tilegx-lsb, linux-tilegx-msb, linux-tilegx64-lsb, linux-tilegx64-msb, linux-x64-lsb, linux-x86-lsb, linux-xtensa-msb, osx-x32-lsb, osx-x64-lsb # Modify the response of '/bin/uname' # Default (uname -a): Linux kernel_version = 3.2.0-4-amd64 kernel_build_string = #1 SMP Debian 3.2.68-1+deb7u1 hardware_platform = x86_64 operating_system = GNU/Linux # SSH Version as printed by "ssh -V" in shell emulation ssh_version = OpenSSH_7.9p1, OpenSSL 1.1.1a 20 Nov 2018 # ============================================================================ # SSH Specific Options # ============================================================================ [ssh] # Enable SSH support # (default: true) enabled = true # Public and private SSH key files. If these don't exist, they are created # automatically. rsa_public_key = ${honeypot:state_path}/ssh_host_rsa_key.pub rsa_private_key = ${honeypot:state_path}/ssh_host_rsa_key dsa_public_key = ${honeypot:state_path}/ssh_host_dsa_key.pub dsa_private_key = ${honeypot:state_path}/ssh_host_dsa_key # SSH version string as present to the client. # # Version string MUST start with SSH-2.0- or SSH-1.99- # # Use these to disguise your honeypot from a simple SSH version scan # Examples: # SSH-2.0-OpenSSH_5.1p1 Debian-5 # SSH-1.99-OpenSSH_4.3 # SSH-1.99-OpenSSH_4.7 # SSH-1.99-Sun_SSH_1.1 # SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.1 # SSH-2.0-OpenSSH_4.3 # SSH-2.0-OpenSSH_4.6 # SSH-2.0-OpenSSH_5.1p1 Debian-5 # SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901 # SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5 # SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6 # SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7 # SSH-2.0-OpenSSH_5.5p1 Debian-6 # SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1 # SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2 # SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503 # SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1 # SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2 # SSH-2.0-OpenSSH_5.9 # # (default: "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2") version = SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2 # Cipher encryption algorithms to be used. # # MUST be supplied as a comma-separated string without # any spaces or newlines. # # Use ciphers to limit to more secure algorithms only # any spaces. # Supported ciphers: # # aes128-ctr # aes192-ctr # aes256-ctr # aes256-cbc # aes192-cbc # aes128-cbc # 3des-cbc # blowfish-cbc # cast128-cbc ciphers = aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc # MAC Algorithm to be used. # # MUST be supplied as a comma-separated string without # any spaces or newlines. # # hmac-sha1 and hmac-md5 are considered insecure now, and # instead MACs with higher number of bits should be used. # # Supported HMACs: # hmac-sha2-512 # hmac-sha2-384 # hmac-sha2-256 # hmac-sha1 # hmac-md5 macs = hmac-sha2-512,hmac-sha2-384,hmac-sha2-56,hmac-sha1,hmac-md5 # Compression Method to be used. # # MUST be supplied as a comma-separated string without # any spaces or newlines. # # Supported Compression Methods: # zlib@openssh.com # zlib # none compression = zlib@openssh.com,zlib,none # Endpoint to listen on for incoming SSH connections. # See https://twistedmatrix.com/documents/current/core/howto/endpoints.html#servers # (default: listen_endpoints = tcp:2222:interface=0.0.0.0) # (use systemd: endpoint for systemd activation) # listen_endpoints = systemd:domain=INET:index=0 # For both IPv4 and IPv6: listen_endpoints = tcp6:2222:interface=\:\: # Listening on multiple endpoints is supported with a single space seperator # e.g listen_endpoints = "tcp:2222:interface=0.0.0.0 tcp:1022:interface=0.0.0.0" will result listening both on ports 2222 and 1022 # use authbind for port numbers under 1024 listen_endpoints = tcp:2222:interface=0.0.0.0 # Enable the SFTP subsystem # (default: true) sftp_enabled = true # Enable SSH direct-tcpip forwarding # (default: true) forwarding = true # This enables redirecting forwarding requests to another address # Useful for forwarding protocols to other honeypots # (default: false) forward_redirect = false # Configure where to forward the data to. # forward_redirect_ = : # Redirect http/https # forward_redirect_80 = 127.0.0.1:8000 # forward_redirect_443 = 127.0.0.1:8443 # To record SMTP traffic, install an SMTP honeypoint. # (e.g https://github.com/awhitehatter/mailoney), run # python mailoney.py -s yahoo.com -t schizo_open_relay -p 12525 # forward_redirect_25 = 127.0.0.1:12525 # forward_redirect_587 = 127.0.0.1:12525 # This enables tunneling forwarding requests to another address # Useful for forwarding protocols to a proxy like Squid # (default: false) forward_tunnel = false # Configure where to tunnel the data to. # forward_tunnel_ = : # Tunnel http/https # forward_tunnel_80 = 127.0.0.1:3128 # forward_tunnel_443 = 127.0.0.1:3128 # No authentication checking at all # enabling 'auth_none' will enable the ssh2 'auth_none' authentication method # this allows the requested user in without any verification at all # # (default: false) #auth_none_enabled = false # Configure keyboard-interactive login auth_keyboard_interactive_enabled = false # ============================================================================ # Telnet Specific Options # ============================================================================ [telnet] # Enable Telnet support, disabled by default enabled = false # Endpoint to listen on for incoming Telnet connections. # See https://twistedmatrix.com/documents/current/core/howto/endpoints.html#servers # (default: listen_endpoints = tcp:2223:interface=0.0.0.0) # (use systemd: endpoint for systemd activation) # listen_endpoints = systemd:domain=INET:index=0 # For IPv4 and IPv6: listen_endpoints = tcp6:2223:interface=\:\: tcp:2223:interface=0.0.0.0 # Listening on multiple endpoints is supported with a single space seperator # e.g "listen_endpoints = tcp:2223:interface=0.0.0.0 tcp:2323:interface=0.0.0.0" will result listening both on ports 2223 and 2323 # use authbind for port numbers under 1024 listen_endpoints = tcp:2223:interface=0.0.0.0 # Source Port to report in logs (useful if you use iptables to forward ports to Cowrie) #reported_port = 23 # ============================================================================ # Database logging Specific Options # ============================================================================ # XMPP Logging # Log to an xmpp server. # #[database_xmpp] #server = sensors.carnivore.it #user = anonymous@sensors.carnivore.it #password = anonymous #muc = dionaea.sensors.carnivore.it #signal_createsession = cowrie-events #signal_connectionlost = cowrie-events #signal_loginfailed = cowrie-events #signal_loginsucceeded = cowrie-events #signal_command = cowrie-events #signal_clientversion = cowrie-events #debug=true # ============================================================================ # Output Plugins # These provide an extensible mechanism to send audit log entries to third # parties. The audit entries contain information on clients connecting to # the honeypot. # # Output entries need to start with 'output_' and have the 'enabled' entry. # ============================================================================ #[output_xmpp] #enabled=true #server = conference.cowrie.local #user = cowrie@cowrie.local #password = cowrie #muc = hacker_room # JSON based logging module # [output_jsonlog] enabled = true logfile = ${honeypot:log_path}/cowrie.json epoch_timestamp = false # Supports logging to Elasticsearch # This is a simple early release # #[output_elasticsearch] #enabled = false #host = localhost #port = 9200 #index = cowrie # type has been deprecated since ES 6.0.0 # use _doc which is the default type. See # https://stackoverflow.com/a/53688626 for # more information #type = _doc # set pipeline = geoip to map src_ip to # geo location data. You can use a custom # pipeline but you must ensure it exists # in elasticsearch. #pipeline = geoip # # Authentication. When x-pack.security is enabled # in ES, default users have been created and requests # must be authenticated. # # Credentials #username = elastic #password = # # TLS encryption. Communications between the client (cowrie) # and the ES server should naturally be protected by encryption # if requests are authenticated (to prevent from man-in-the-middle # attacks). The following options are then paramount # if username and password are provided. # # use ssl/tls #ssl = true # Path to trusted CA certs on disk #ca_certs = /cowrie/cowrie-git/etc/elastic_ca.crt # verify SSL certificates #verify_certs = true # Send login attemp information to SANS DShield # See https://isc.sans.edu/ssh.html # You must signup for an api key. # Once registered, find your details at: https://isc.sans.edu/myaccount.html # #[output_dshield] #userid = userid_here #auth_key = auth_key_here #batch_size = 100 #enabled = false # Local Syslog output module # # This sends log messages to the local syslog daemon. # Facility can be: # KERN, USER, MAIL, DAEMON, AUTH, LPR, NEWS, UUCP, CRON, SYSLOG and LOCAL0 to LOCAL7. # # Format can be: # text, cef # #[output_localsyslog] #enabled = false #facility = USER #format = text # Text output # This writes audit log entries to a text file # # Format can be: # text, cef # #[output_textlog] #enabled = false #logfile = ${honeypot:log_path}/audit.log #format = text # MySQL logging module # Database structure for this module is supplied in docs/sql/mysql.sql # # MySQL logging requires extra software: sudo apt-get install libmysqlclient-dev # MySQL logging requires an extra Python module: pip install mysql-python # #[output_mysql] #enabled = false #host = localhost #database = cowrie #username = cowrie #password = secret #port = 3306 #debug = false # Rethinkdb output module # Rethinkdb output module requires extra Python module: pip install rethinkdb #[output_rethinkdblog] #enabled = false #host = 127.0.0.1 #port = 28015 #table = output #password = #db = cowrie # SQLite3 logging module # # Logging to SQLite3 database. To init the database, use the script # docs/sql/sqlite3.sql: # sqlite3 < docs/sql/sqlite3.sql # #[output_sqlite] #enabled = false #db_file = cowrie.db # MongoDB logging module # # MongoDB logging requires an extra Python module: pip install pymongo # #[output_mongodb] #enabled = false #connection_string = mongodb://username:password@host:port/database #database = dbname # Splunk HTTP Event Collector (HEC) output module # sends JSON directly to Splunk over HTTP or HTTPS # Use 'https' if your HEC is encrypted, else 'http' # mandatory fields: url, token # optional fields: index, source, sourcetype, host # #[output_splunk] #enabled = false #url = https://localhost:8088/services/collector/event #token = 6A0EA6C6-8006-4E39-FC44-C35FF6E561A8 #index = cowrie #sourcetype = cowrie #source = cowrie # HPFeeds # #[output_hpfeeds3] #enabled = false #server = hpfeeds.mysite.org #port = 10000 #identifier = abc123 #secret = secret #debug = false # HPFeeds3 # Python3 implementation of HPFeeds #[output_hpfeeds3] #enabled = false #server = hpfeeds.mysite.org #port = 10000 #identifier = abc123 #secret = secret #debug=false # VirusTotal output module # You must signup for an api key. # #[output_virustotal] #enabled = false #api_key = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef #upload = True #debug = False #scan_file = True #scan_url = False # Cuckoo output module #[output_cuckoo] #enabled = false # no slash at the end #url_base = http://127.0.0.1:8090 #user = user #passwd = passwd # force will upload duplicated files to cuckoo #force = 0 # upload to MalShare #[output_malshare] #enabled = false # This will produce a _lot_ of messages - you have been warned.... #[output_slack] #enabled = false #channel = channel_that_events_should_be_posted_in #token = slack_token_for_your_bot #debug = false # https://csirtg.io # You must signup for an api key. # #[output_csirtg] #enabled = false #username = wes #feed = scanners #description = random scanning activity #token = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef #[output_socketlog] #enabled = false #address = 127.0.0.1:9000 #timeout = 5 # Upload files that cowrie has captured to an S3 (or compatible bucket) # Files are stored with a name that is the SHA of their contents # #[output_s3] # # The AWS credentials to use. # Leave these blank to use botocore's credential discovery e.g .aws/config or ENV variables. # As per https://github.com/boto/botocore/blob/develop/botocore/credentials.py#L50-L65 #access_key_id = AKIDEXAMPLE #secret_access_key = wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY # # The bucket to store the files in. The bucket must already exist. #bucket = my-cowrie-bucket # # The region the bucket is in #region = eu-west-1 # # An alternate endpoint URL. If you self host a pithos instance you can set # this to its URL (e.g. https://s3.mydomain.com) - can otherwise be blank #endpoint = # # Whether or not to validate the S3 certificate. Set this to 'no' to turn this # off. Do not do this for real AWS. It's only needed for self-hosted S3 clone # where you don't yet have real certificates. #verify = no #[output_influx] #enabled = false #host = 127.0.0.1 #port = 8086 #database_name = cowrie #retention_policy_duration = 12w [output_kafka] enabled = false host = 127.0.0.1 port = 9092 topic = cowrie #[output_redis] #enabled = false #host = 127.0.0.1 #port = 6379 # DB of the redis server. Defaults to 0 #db = 0 # Password of the redis server. Defaults to None #password = secret # Name of the list to push to or the channel to publish to. Required #keyname = cowrie # Method to use when sending data to redis. # Can be one of [lpush, rpush, publish]. Defaults to lpush #send_method = lpush # Perform Reverse DNS lookup #[output_reversedns] #enabled = true # Timeout in seconds #timeout = 3 #[output_greynoise] #enabled = true #debug=False # Name of the tags separated by comma, for which the IP has to be scanned for. # Example "SHODAN,JBOSS_WORM,CPANEL_SCANNER_LOW" # If there isn't any specific tag then just leave it "all" #tags = all # It's optional to have API key, so if you don't want to but # API key then leave this option commented #api_key = 1234567890 # Upload all files to a MISP instance of your liking. # The API key can be found under Event Actions -> Automation #[output_misp] #enabled = true #base_url = https://misp.somedomain.com #api_key = secret_key #verify_cert = true #publish_event = true #debug = false # The crashreporter sends data on Python exceptions to api.cowrie.org # To disable set `enabled = false` in cowrie.cfg [output_crashreporter] enabled = false debug = false # Reports login attempts to AbuseIPDB. A short guide is in the original # pull request on GitHub: https://github.com/cowrie/cowrie/pull/1346 #[output_abuseipdb] #enabled = true #api_key = #rereport_after = 24 #tolerance_window is in minutes #tolerance_window = 120 #tolerance_attempts = 10 # WARNING: A binary file is read from this directory on start-up. Do not # change unless you understand the security implications! #dump_path = ${honeypot:state_path}/abuseipdb