We have mentioned Kippo a lot on the site, but a nice fork is a program called cowrie (hxxps://github.com/micheloosterhof/cowrie). It has some nice new features, including built-in support for DShield! Since the install is the same as Kippo, I'll skip that and point you to the cowrie install guide for the basics (hxxps://github.com/micheloosterhof/cowrie/blob/master/INSTALL.md).
Dshield Setup
To set up DShield logging on Ubuntu, you first need the dateutil package:
sudo apt-get install python-dateutil
Then we need to enable the DShield output plugin in cowrie.cfg: remove the # from the lines in the section that starts with the plugin name. You'll also need your account info. Once logged into ISC, go to My Accounts - My reports, select Update info, and you'll see your auth_key.
vi /home/cowrie/cowrie.cfg
batch_size = 100
Once you have this set up, switch to the cowrie user and restart the service. To troubleshoot setup issues, look in /home/cowrie/log/cowrie.log and confirm the plugin was loaded:
fgrep dshield /home/cowrie/cowrie.log
2016-04-27 00:46:26+0000 [-] Loaded output engine: dshield
AppArmor Setup
To protect the OS, it's good to put some additional security controls around the honeypot process. My honeypot is running on Ubuntu, so I chose AppArmor. You can get my cowrie profile from my GitHub at hxxps://goo.gl/6F5FdG. While I could lock it down a bit more, it seems to work well.
Once you have downloaded the file, copy it to the AppArmor folder and put the profile into enforce mode:
sudo cp /home/user/download/home.cowrie.start.sh /etc/apparmor.d/
sudo aa-enforce /etc/apparmor.d/home.cowrie.start.sh
Now restart the cowrie service. Then check that the profile is actually being enforced with aa-status; the cowrie process should show up under the enforced profiles rather than in the final unconfined line:
aa-status
0 processes are unconfined but have a profile defined.
To get a better understanding of what the profile actually allows, check out hxxp://wiki.apparmor.net/index.php/QuickProfileLanguage.
Sqlite3 Setup
I run my honeypots on very lean VMs (512 MB RAM), so they cannot run MySQL as well, but cowrie has sqlite3 support that gives you similar querying power! Create the database file, load cowrie's schema into it, and then point cowrie.cfg at the file:
sqlite3 /home/cowrie/cowrie.db
sqlite> .read /home/cowrie/doc/sql/sqlite3.sql
vi /home/cowrie/cowrie.cfg
db_file = /home/cowrie/cowrie.db
Once you have restarted the service, everything should be ready to go. If you are new to SQLite, a few useful commands to get you started are below; .quit leaves the sqlite3 shell.
sqlite> .quit
To access the database and get querying (the rows below are example records from the sessions, auth and input tables):
sqlite3 /home/cowrie/cowrie.db
sqlite>
80ec8485|2016-04-21T19:50:00.662184Z|2016-04-21T19:50:52.884641Z|0|1.1.1.1|59x231|1
sqlite>
1|80ec8485|1|root|toor|2016-04-21T19:50:05.887822Z
sqlite>
5|80ec8485|2016-04-21T19:50:52.558221Z||1|exit
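As an added example (not part of the diary and not cowrie's own code), the Python below rebuilds the three tables those rows come from in memory and runs the questions a honeypot operator usually asks first: the most-tried credentials, sessions per source IP, and what was typed in a session. Column names are assumed from cowrie's doc/sql/sqlite3.sql; the first row of each table is the record shown above and the extra rows are constructed.

```python
import sqlite3
# Column layout assumed from cowrie's doc/sql/sqlite3.sql. First row of each table
# is the record shown in the diary; the rest are constructed for this example.
SESSIONS = [  # (id, starttime, endtime, sensor, ip, termsize, client)
    ("80ec8485", "2016-04-21T19:50:00.662184Z", "2016-04-21T19:50:52.884641Z", 0, "1.1.1.1", "59x231", 1),
    ("c0ffee01", "2016-04-22T03:10:00.000000Z", "2016-04-22T03:10:09.000000Z", 0, "192.0.2.10", "80x24", 1),
    ("c0ffee02", "2016-04-22T03:12:00.000000Z", None, 0, "192.0.2.10", "80x24", 1),
]
AUTH = [  # (id, session, success, username, password, timestamp)
    (1, "80ec8485", 1, "root", "toor", "2016-04-21T19:50:05.887822Z"),
    (2, "c0ffee01", 0, "root", "123456", "2016-04-22T03:10:02.000000Z"),
    (3, "c0ffee01", 0, "admin", "admin", "2016-04-22T03:10:05.000000Z"),
    (4, "c0ffee02", 1, "root", "toor", "2016-04-22T03:12:03.000000Z"),
]
INPUT = [  # (id, session, timestamp, realm, success, input)
    (5, "80ec8485", "2016-04-21T19:50:52.558221Z", "", 1, "exit"),
    (6, "c0ffee02", "2016-04-22T03:12:04.000000Z", "", 1, "uname -a"),
    (7, "c0ffee02", "2016-04-22T03:12:06.000000Z", "", 1, "cat /proc/cpuinfo"),
]
SCHEMA = """
CREATE TABLE sessions (id TEXT PRIMARY KEY, starttime TEXT, endtime TEXT, sensor INTEGER, ip TEXT, termsize TEXT, client INTEGER);
CREATE TABLE auth (id INTEGER PRIMARY KEY, session TEXT, success INTEGER, username TEXT, password TEXT, timestamp TEXT);
CREATE TABLE input (id INTEGER PRIMARY KEY, session TEXT, timestamp TEXT, realm TEXT, success INTEGER, input TEXT);
"""

def load_sample_db():
    """In-memory stand-in for cowrie.db; sqlite3.connect('/home/cowrie/cowrie.db') gives the real one."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sessions VALUES (?,?,?,?,?,?,?)", SESSIONS)
    conn.executemany("INSERT INTO auth VALUES (?,?,?,?,?,?)", AUTH)
    conn.executemany("INSERT INTO input VALUES (?,?,?,?,?,?)", INPUT)
    return conn

def top_credentials(conn, limit=5):
    """Most-tried username/password pairs, whether or not the login succeeded."""
    return conn.execute("SELECT username, password, COUNT(*) AS n FROM auth "
                        "GROUP BY username, password ORDER BY n DESC, username, password "
                        "LIMIT ?", (limit,)).fetchall()

def sessions_per_ip(conn):
    """Source IPs by session count, and how many of those sessions got a successful login."""
    return conn.execute("SELECT s.ip, COUNT(DISTINCT s.id), "
                        "COUNT(DISTINCT CASE WHEN a.success = 1 THEN s.id END) "
                        "FROM sessions s LEFT JOIN auth a ON a.session = s.id "
                        "GROUP BY s.ip ORDER BY 2 DESC, s.ip").fetchall()

def commands_for_session(conn, session_id):
    """Everything typed in one session, in the order cowrie logged it."""
    return [r[0] for r in conn.execute("SELECT input FROM input WHERE session = ? "
                                       "ORDER BY timestamp", (session_id,))]
```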
I've enjoyed using cowrie on my latest setup with sqlite3. It's been solid over the last week and I have not run into any issues.
--
Tom Webb
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.