From 58399e9653531bfe02ff84cb2bd04ac1b4646ae8 Mon Sep 17 00:00:00 2001 From: Michel Oosterhof Date: Mon, 14 Nov 2016 11:12:39 +0400 Subject: [PATCH] doc updates --- INSTALL.md | 22 ++++++++++++---------- README.md | 20 ++++++++++---------- 2 files changed, 22 insertions(+), 20 deletions(-) diff --git a/INSTALL.md b/INSTALL.md index e2bd7cb..459ebae 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -16,13 +16,14 @@ ## Step 1: Install dependencies There are two ways to install Cowrie's Python dependencies: in a -Python virtual environment or directly on to the system. The virtual +Python virtual environment or directly on to the system. The virtual environment is preferred as it isolates Cowrie and its dependencies from other Python software on the system. ### Option A: dependencies for virtualenv -This install virtual environments and other dependencies. The actual python packages are installed later. +This installs virtual environment software and other dependencies. +The actual Python packages are installed later. On Debian based systems (tested on Debian 8, 2016-08-30): ``` @@ -103,15 +104,16 @@ $ source cowrie-env/bin/activate ## Step 4: Install configuration file -Take a look at the configuration file and make changes as desired. The defaults work well in most cases. +Take a look at the configuration file and make changes as desired. +The defaults work well in most cases. ``` $ cp etc/cowrie.cfg.dist etc/cowrie.cfg ``` ## Step 5: Generate a DSA key -This step should not be necessary, however some versions of twisted -are not compatible. To avoid problems in advance, run: +This step should not be necessary, however some versions of Twisted +are not compatible. To avoid problems in advance, run: ``` $ cd etc 
@@ -121,9 +123,9 @@ $ cd .. ## Step 6: Turning on cowrie -Cowrie is implemented as a module for twisted, but to properly +Cowrie is implemented as a module for Twisted, but to properly import everything the top-level source directory needs to be in -python's os.path. This sometimes won't happen correctly, so make +python's os.path. This sometimes won't happen correctly, so make it explicit: ``` @@ -155,7 +157,7 @@ $ sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 222 ``` Note that you should test this rule only from another host; it -doesn't apply to loopback connections. Alternatively you can run +doesn't apply to loopback connections. Alternatively you can run authbind to listen as non-root on port 22 directly: ``` @@ -203,8 +205,8 @@ $ ssh-keygen -t rsa -b 2048 -f ssh_host_rsa_key ``` * If you see `twistd: Unknown command: cowrie` there are two -possibilities. If there's a python stack trace, it probably means -there's a missing or broken dependency. If there's no stack trace, +possibilities. If there's a python stack trace, it probably means +there's a missing or broken dependency. If there's no stack trace, double check that your PYTHONPATH is set to the source code directory. * Default file permissions diff --git a/README.md b/README.md index 6cdbbba..d5c16fd 100644 --- a/README.md +++ b/README.md 
@@ -47,16 +47,16 @@ Software required: ## Files of interest: * `etc/cowrie.cfg` - Cowrie's configuration file. Default values can be found in `etc/cowrie.cfg.dist` -* `data/fs.pickle` - fake filesystem -* `data/userdb.txt` - credentials allowed or disallowed to access the honeypot -* `dl/` - files transferred from the attacker to the honeypot are stored here -* `honeyfs/` - file contents for the fake filesystem - feel free to copy a real system here or use `bin/fsctl` -* `log/cowrie.json` - transaction output in JSON format -* `log/cowrie.log` - log/debug output -* `log/tty/*.log` - session logs -* `txtcmds/` - file contents for the fake commands -* `bin/createfs` - used to create the fake filesystem -* `bin/playlog` - utility to replay session logs +* `etc/userdb.txt` - credentials allowed or disallowed to access the honeypot +* `var/log/cowrie/cowrie.log` - Twisted format log +* `var/log/cowrie/cowrie.json` - transaction output in JSON format +* `var/lib/ttylog/` - session logs UML format +* `var/lib/dl/` - files transferred from the attacker to the honeypot are stored here +* `share/cowrie/fs.pickle` - fake filesystem +* `share/cowrie/txtcmds/` - file contents for fake commands +* `share/cowrie/honeyfs/` - file contents for the fake filesystem +* `bin/createfs` - used to create the honeypot filesystem +* `bin/playlog` - utility to replay session logs in UML format ## Is it secure?
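Review bot: In the INSTALL.md hunk at @@ -103,15 +104,16 @@, the Step 5 sentence "some versions of Twisted are not compatible" is edited but still does not say what those versions are incompatible with or what failure a missing DSA key produces. Since the line is being touched anyway, name the symptom a user would see so they can tell whether the step applies to their install.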
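Review bot: In the INSTALL.md hunk at @@ -121,9 +123,9 @@ (Step 6), the re-added line still reads "python's os.path", which names the wrong thing: `os.path` is the path-manipulation module, while the import search path is `sys.path`, which is what the PYTHONPATH advice in the troubleshooting section sets. Suggest "Python's sys.path" here, which also matches the "Python" capitalisation this patch introduces in Step 1.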
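Review bot: In the INSTALL.md hunk at @@ -203,8 +205,8 @@, the re-added line keeps "python stack trace" in lower case while the same patch changes "python packages" to "Python packages" and "twisted" to "Twisted" elsewhere. Capitalise it here too so the file is consistent after this change.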
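Review bot: In the README.md hunk at @@ -47,16 +47,16 @@, the pointer to `bin/fsctl` is dropped from the honeyfs entry and no entry for it is added alongside `bin/createfs` and `bin/playlog`, so the list no longer says how to edit the fake filesystem. If the tool still ships, keep a line for it. Also, "`var/lib/ttylog/` - session logs UML format" is missing "in" (the `bin/playlog` line has "in UML format"), and since this hunk moves every data and log path to a new layout, the subject "doc updates" undersells it: operators who collect `cowrie.json` or the downloaded files need to know the locations changed, so the commit message should say so.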