From af1d3d994abdb12167efa0e43c2b60f0e84847ad Mon Sep 17 00:00:00 2001 From: g0tmi1k Date: Thu, 21 Jan 2016 10:58:38 +0000 Subject: [PATCH] Renamed Events (See #89) --- cowrie/commands/base.py | 18 ++++++++++------ cowrie/commands/busybox.py | 5 +++-- cowrie/commands/curl.py | 14 +++++++++---- cowrie/commands/fs.py | 14 ++++++++----- cowrie/commands/scp.py | 6 ++++-- cowrie/commands/sudo.py | 5 +++-- cowrie/commands/wget.py | 14 +++++++++---- cowrie/core/checkers.py | 18 ++++++++-------- cowrie/core/dblog.py | 41 ++++++++++++------------------------- cowrie/core/fs.py | 7 +++++-- cowrie/core/honeypot.py | 4 ++-- cowrie/core/output.py | 41 +++++++++++++++++++------------------ cowrie/insults/insults.py | 20 +++++++++++------- cowrie/output/dshield.py | 2 +- cowrie/output/mysql.py | 24 +++++++++++----------- cowrie/output/virustotal.py | 2 +- cowrie/ssh/filetransfer.py | 2 +- cowrie/ssh/forwarding.py | 4 ++-- cowrie/ssh/session.py | 4 ++-- cowrie/ssh/transport.py | 6 +++--- 20 files changed, 137 insertions(+), 114 deletions(-) diff --git a/cowrie/commands/base.py b/cowrie/commands/base.py index b5950e9..6efd308 100644 --- a/cowrie/commands/base.py +++ b/cowrie/commands/base.py @@ -322,8 +322,10 @@ class command_passwd(HoneyPotCommand): def lineReceived(self, line): """ """ - log.msg( eventid='COW0008', realm='passwd', input=line, - format='INPUT (%(realm)s): %(input)s' ) + log.msg(eventid='cowrie.session.file_download', + realm='passwd', + input=line, + format='INPUT (%(realm)s): %(input)s') self.password = line.strip() self.callbacks.pop(0)(line) commands['/usr/bin/passwd'] = command_passwd @@ -585,8 +587,10 @@ class command_perl(HoneyPotCommand): def lineReceived(self, line): """ """ - log.msg( eventid='COW0008', realm='perl', input=line, - format='INPUT (%(realm)s): %(input)s' ) + log.msg(eventid='cowrie.session.file_download', + realm='perl', + input=line, + format='INPUT (%(realm)s): %(input)s') def handle_CTRL_D(self): 
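Review bot: `command_passwd.lineReceived` now tags the captured line with `eventid='cowrie.session.file_download'`, which is the same id curl.py and wget.py emit for a real download and whose consumers read `url`/`outfile`/`shasum`, keys this event does not carry (it has `realm`/`input`); as a result dblog.py's `events` dict and mysql.py's `write` each end up with that id twice and these INPUT events get dispatched as downloads and fail on the missing keys. Give interactive input its own id, `log.msg(eventid='cowrie.session.input',`, here and in the perl, php, cat, tail, head and scp hunks, and register that id in the dblog, mysql and output.py tables. Since the line is an attacker-supplied password written verbatim into the event, a one-line comment that it is intentionally logged in clear for the honeypot would help downstream log consumers.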
@@ -665,8 +669,10 @@ class command_php(HoneyPotCommand): def lineReceived(self, line): """ """ - log.msg( eventid='COW0008', realm='php', input=line, - format='INPUT (%(realm)s): %(input)s' ) + log.msg(eventid='cowrie.session.file_download', + realm='php', + input=line, + format='INPUT (%(realm)s): %(input)s' ) def handle_CTRL_D(self): diff --git a/cowrie/commands/busybox.py b/cowrie/commands/busybox.py index cde3123..fa5eeff 100644 --- a/cowrie/commands/busybox.py +++ b/cowrie/commands/busybox.py @@ -69,8 +69,9 @@ class command_busybox(HoneyPotCommand): cmdclass = self.protocol.getCommand(cmd, self.environ['PATH'].split(':')) if cmdclass: - log.msg(eventid='COW0005', input=line, - format='Command found: %(input)s') + log.msg(eventid='cowrie.command.success', + input=line, + format='Command found: %(input)s') self.protocol.call_command(cmdclass, *args) else: self.help() diff --git a/cowrie/commands/curl.py b/cowrie/commands/curl.py index 9ef46ab..d2486e2 100644 --- a/cowrie/commands/curl.py +++ b/cowrie/commands/curl.py @@ -312,11 +312,17 @@ Options: (H) means HTTP/HTTPS only, (F) means FTP only os.remove(self.safeoutfile) log.msg("Not storing duplicate content " + shasum) - self.protocol.logDispatch(format='Downloaded URL (%(url)s) with SHA-256 %(shasum)s to %(outfile)s', - eventid='COW0007', url=self.url, outfile=hashPath, shasum=shasum) + self.protocol.logDispatch(eventid='cowrie.session.file_download', + format='Downloaded URL (%(url)s) with SHA-256 %(shasum)s to %(outfile)s', + url=self.url, + outfile=hashPath, + shasum=shasum) - log.msg(format='Downloaded URL (%(url)s) with SHA-256 %(shasum)s to %(outfile)s', - eventid='COW0007', url=self.url, outfile=hashPath, shasum=shasum) + log.msg(eventid='cowrie.session.file_download', + format='Downloaded URL (%(url)s) with SHA-256 %(shasum)s to %(outfile)s', + url=self.url, + outfile=hashPath, + shasum=shasum) # Link friendly name to hash os.symlink(shasum, self.safeoutfile) 
diff --git a/cowrie/commands/fs.py b/cowrie/commands/fs.py index 8f1c562..911bfb7 100644 --- a/cowrie/commands/fs.py +++ b/cowrie/commands/fs.py @@ -30,8 +30,10 @@ class command_cat(HoneyPotCommand): def lineReceived(self, line): - log.msg( eventid='COW0008', realm='cat', input=line, - format='INPUT (%(realm)s): %(input)s' ) + log.msg(eventid='cowrie.session.file_download', + realm='cat', + input=line, + format='INPUT (%(realm)s): %(input)s') def handle_CTRL_D(self): @@ -78,8 +80,10 @@ class command_tail(HoneyPotCommand): def lineReceived(self, line): - log.msg( eventid='COW0008', realm='tail', input=line, - format='INPUT (%(realm)s): %(input)s' ) + log.msg(eventid='cowrie.session.file_download', + realm='tail', + input=line, + format='INPUT (%(realm)s): %(input)s') def handle_CTRL_D(self): @@ -126,7 +130,7 @@ class command_head(HoneyPotCommand): def lineReceived(self, line): - log.msg( eventid='COW0008', realm='head', input=line, + log.msg(eventid='cowrie.session.file_download', realm='head', input=line, format='INPUT (%(realm)s): %(input)s' ) diff --git a/cowrie/commands/scp.py b/cowrie/commands/scp.py index 3b59f75..4e015bb 100644 --- a/cowrie/commands/scp.py +++ b/cowrie/commands/scp.py @@ -69,8 +69,10 @@ class command_scp(HoneyPotCommand): def lineReceived(self, line): """ """ - log.msg( eventid='COW0008', realm='scp', input=line, - format='INPUT (%(realm)s): %(input)s' ) + log.msg(eventid='cowrie.session.file_download', + realm='scp', + input=line, + format='INPUT (%(realm)s): %(input)s') self.protocol.terminal.write( '\x00' ) commands['/usr/bin/scp'] = command_scp diff --git a/cowrie/commands/sudo.py b/cowrie/commands/sudo.py index a1ba9b8..2d03b0c 100644 --- a/cowrie/commands/sudo.py +++ b/cowrie/commands/sudo.py 
@@ -108,8 +108,9 @@ Sudoers I/O plugin version 1.8.5p2\n''') cmdclass = self.protocol.getCommand(cmd, self.environ['PATH'].split(':')) if cmdclass: - log.msg(eventid='COW0005', input=line, - format='Command found: %(input)s') + log.msg(eventid='cowrie.command.success', + input=line, + format='Command found: %(input)s') self.protocol.call_command(cmdclass, *args) self.exit() else: diff --git a/cowrie/commands/wget.py b/cowrie/commands/wget.py index 4adbf3e..3a8ee23 100644 --- a/cowrie/commands/wget.py +++ b/cowrie/commands/wget.py @@ -163,11 +163,17 @@ class command_wget(HoneyPotCommand): os.remove(self.safeoutfile) log.msg("Not storing duplicate content " + shasum) - self.protocol.logDispatch( format='Downloaded URL (%(url)s) with SHA-256 %(shasum)s to %(outfile)s', - eventid='COW0007', url=self.url, outfile=hash_path, shasum=shasum ) + self.protocol.logDispatch(eventid='cowrie.session.file_download', + format='Downloaded URL (%(url)s) with SHA-256 %(shasum)s to %(outfile)s', + url=self.url, + outfile=hash_path, + shasum=shasum ) - log.msg( format='Downloaded URL (%(url)s) with SHA-256 %(shasum)s to %(outfile)s', - eventid='COW0007', url=self.url, outfile=hash_path, shasum=shasum ) + log.msg(eventid='cowrie.session.file_download', + format='Downloaded URL (%(url)s) with SHA-256 %(shasum)s to %(outfile)s', + url=self.url, + outfile=hash_path, + shasum=shasum) # link friendly name to hash os.symlink( shasum, self.safeoutfile ) diff --git a/cowrie/core/checkers.py b/cowrie/core/checkers.py index afa5f78..bd51004 100644 --- a/cowrie/core/checkers.py +++ b/cowrie/core/checkers.py 
@@ -32,8 +32,8 @@ class HoneypotPublicKeyChecker(object): """ """ _pubKey = keys.Key.fromString(credentials.blob) - log.msg(format='public key attempt for user %(username)s with fingerprint %(fingerprint)s', - eventid='COW0016', + log.msg(eventid='cowrie.client.fingerprint', + format='public key attempt for user %(username)s with fingerprint %(fingerprint)s', username=credentials.username, fingerprint=_pubKey.fingerprint()) return failure.Failure(error.ConchError('Incorrect signature')) @@ -120,13 +120,15 @@ class HoneypotPasswordChecker(object): theauth = authname(self.cfg) if theauth.checklogin(theusername, thepassword, ip): - log.msg(eventid='COW0002', - format='login attempt [%(username)s/%(password)s] succeeded', - username=theusername, password=thepassword) + log.msg(eventid='cowrie.login.success', + format='login attempt [%(username)s/%(password)s] succeeded', + username=theusername, + password=thepassword) return True else: - log.msg(eventid='COW0003', - format='login attempt [%(username)s/%(password)s] failed', - username=theusername, password=thepassword) + log.msg(eventid='cowrie.login.failed', + format='login attempt [%(username)s/%(password)s] failed', + username=theusername, + password=thepassword) return False diff --git a/cowrie/core/dblog.py b/cowrie/core/dblog.py index b59d7b9..538acc2 100644 --- a/cowrie/core/dblog.py +++ b/cowrie/core/dblog.py 
@@ -11,21 +11,6 @@ import abc # dblog now operates based on eventids, no longer on regex parsing of the entry. # add an eventid using keyword args and it will be picked up by the dblogger -# the COWxxxx naming convention is still subject to change. - -# COW0001 : create session -# COW0002 : succesful login -# COW0003 : failed login -# COW0004 : TTY log opened -# COW0005 : handle command -# COW0006 : handle unknown command -# COW0007 : file download -# COW0008 : INPUT -# COW0009 : SSH Version -# COW0010 : Terminal Size -# COW0011 : Connection Lost -# COW0012 : TTY log closed -# COW0013 : env var requested class DBLogger(object): __metaclass__ = abc.ABCMeta @@ -37,20 +22,20 @@ class DBLogger(object): self.re_sessionlog = re.compile( '.*HoneyPotTransport,([0-9]+),[0-9.]+$') - # COW0001 is special since it kicks off new logging session, + # cowrie.session.connect is special since it kicks off new logging session, # and is not handled here self.events = { - 'COW0002': self.handleLoginSucceeded, - 'COW0003': self.handleLoginFailed, - 'COW0004': self.handleTTYLogOpened, - 'COW0005': self.handleCommand, - 'COW0006': self.handleUnknownCommand, - 'COW0007': self.handleFileDownload, - 'COW0008': self.handleInput, - 'COW0009': self.handleClientVersion, - 'COW0010': self.handleTerminalSize, - 'COW0011': self._connectionLost, - 'COW0012': self.handleTTYLogClosed, + 'cowrie.login.success': self.handleLoginSucceeded, + 'cowrie.login.failed': self.handleLoginFailed, + 'cowrie.log.open': self.handleTTYLogOpened, + 'cowrie.command.success': self.handleCommand, + 'cowrie.command.failed': self.handleUnknownCommand, + 'cowrie.session.file_download': self.handleFileDownload, + 'cowrie.session.file_download': self.handleInput, + 'cowrie.client.version': self.handleClientVersion, + 'cowrie.client.size': self.handleTerminalSize, + 'cowrie.session.closed': self._connectionLost, + 'cowrie.log.closed': self.handleTTYLogClosed, } self.reported_ssh_port = None 
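Review bot: The `events` dict literal in `DBLogger.__init__` now lists `'cowrie.session.file_download'` twice, so Python keeps only the last value: every download event is routed to `handleInput` and `handleFileDownload` is never called, while the renamed INPUT events reach `handleInput` without the download fields. Keep the ids distinct, `'cowrie.session.file_download': self.handleFileDownload,` followed by `'cowrie.session.input': self.handleInput,`, and rename the producers in base.py/fs.py/scp.py to match. A linter run (pyflakes/ruff F601 flags duplicate dict keys) would catch this class of mistake in future renames.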
@@ -95,7 +80,7 @@ class DBLogger(object): return # connection event is special. adds to list - if ev['eventid'] == 'COW0001': + if ev['eventid'] == 'cowrie.session.connect': sessionno = ev['sessionno'] peerIP, peerPort = ev['src_ip'], ev['src_port'] hostIP, hostPort = ev['dst_ip'], ev['dst_port'] diff --git a/cowrie/core/fs.py b/cowrie/core/fs.py index 13f0d50..3be1937 100644 --- a/cowrie/core/fs.py +++ b/cowrie/core/fs.py @@ -227,7 +227,7 @@ class HoneyPotFilesystem(object): raise IsADirectoryError elif f[A_TYPE] == T_LINK: return self.file_contents(f[A_TARGET], count + 1) - elif f[A_TYPE] == T_FILE and f[A_REALFILE]: + elif f[A_TYPE] == T_FILE and f[A_REALFILE]: return file(f[A_REALFILE], 'rb').read() realfile = self.realfile(f, '%s/%s' % \ (self.cfg.get('honeypot', 'contents_path'), path)) @@ -384,7 +384,10 @@ class HoneyPotFilesystem(object): os.symlink(shasum, self.tempfiles[fd]) self.update_realfile(self.getfile(self.filenames[fd]), shasumfile) log.msg(format='SFTP Uploaded file \"%(filename)s\" to %(outfile)s', - eventid='COW0017', filename=os.path.basename(self.filenames[fd]), outfile=shasumfile, shasum=shasum ) + eventid='cowrie.session.file_upload', + filename=os.path.basename(self.filenames[fd]), + outfile=shasumfile, + shasum=shasum) del self.tempfiles[fd] del self.filenames[fd] return os.close(fd) diff --git a/cowrie/core/honeypot.py b/cowrie/core/honeypot.py index 8abf202..97906a0 100644 --- a/cowrie/core/honeypot.py +++ b/cowrie/core/honeypot.py 
@@ -204,10 +204,10 @@ class HoneyPotShell(object): rargs.append(arg) cmdclass = self.protocol.getCommand(cmd, environ['PATH'].split(':')) if cmdclass: - log.msg(eventid='COW0005', input=line, format='Command found: %(input)s') + log.msg(eventid='cowrie.command.success', input=line, format='Command found: %(input)s') self.protocol.call_command(cmdclass, *rargs) else: - log.msg(eventid='COW0006', + log.msg(eventid='cowrie.command.failed', input=line, format='Command not found: %(input)s') if len(line): self.protocol.terminal.write('bash: %s: command not found\n' % (cmd,)) diff --git a/cowrie/core/output.py b/cowrie/core/output.py index 429891f..4345c98 100644 --- a/cowrie/core/output.py +++ b/cowrie/core/output.py @@ -36,23 +36,24 @@ import re import copy import socket -# COW0001 : create session -# COW0002 : successful login -# COW0003 : failed login -# COW0004 : TTY log opened -# COW0005 : handle command -# COW0006 : handle unknown command -# COW0007 : HTTP file download -# COW0008 : INPUT -# COW0009 : SSH Version -# COW0010 : Terminal Size -# COW0011 : Connection Lost -# COW0012 : TTY log closed -# COW0013 : env var requested -# COW0014 : direct-tcpip request -# COW0015 : direct-tcpip data -# COW0016 : key fingerprint -# COW0017 : SFTP uploaded file +# Events: +# cowrie.client.fingerprint +# cowrie.client.size +# cowrie.client.var +# cowrie.client.version +# cowrie.command.failed +# cowrie.command.success +# cowrie.direct-tcpip.data +# cowrie.direct-tcpip.request +# cowrie.log.closed +# cowrie.log.open +# cowrie.login.failed +# cowrie.login.success +# cowrie.session.closed +# cowrie.session.connect +# cowrie.session.file_download +# cowrie.session.file_upload + class Output(object): """ @@ -134,7 +135,7 @@ class Output(object): del ev['time'] # On disconnect add the tty log - #if ev['eventid'] == 'COW0012': + #if ev['eventid'] == 'cowrie.log.closed': # FIXME: file is read for each output plugin #f = file(ev['ttylog']) #ev['ttylog'] = f.read(10485760) 
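Review bot: The new event list in output.py names the ids but not the keys each event must carry, which is what the plugins below actually depend on (mysql.py indexes `entry['url']`, `entry['realm']`, `entry['size']`, `entry['fingerprint']` by event); with the former INPUT event now sharing `cowrie.session.file_download` with downloads, the list also hides the fact that two differently shaped events use one id. Suggest annotating each entry with its required keys, e.g. `# cowrie.session.file_download   url, outfile, shasum`, and adding a separate `# cowrie.session.input   realm, input` once interactive input gets its own id. The list is only a comment, so it is the natural place to state that eventid plus those keys form the contract every output plugin may rely on.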
@@ -156,7 +157,7 @@ class Output(object): ev['src_ip'] = self.ips[sessionno] # Connection event is special. adds to session list - if ev['eventid'] == 'COW0001': + if ev['eventid'] == 'cowrie.session.connect': self.sessions[sessionno] = ev['id'] self.ips[sessionno] = ev['src_ip'] del ev['id'] @@ -166,6 +167,6 @@ class Output(object): self.write(ev) # Disconnect is special, remove cached data - if ev['eventid'] == 'COW0011': + if ev['eventid'] == 'cowrie.session.closed': del self.sessions[sessionno] del self.ips[sessionno] diff --git a/cowrie/insults/insults.py b/cowrie/insults/insults.py index e2b7d05..bf7f54c 100644 --- a/cowrie/insults/insults.py +++ b/cowrie/insults/insults.py @@ -55,8 +55,9 @@ class LoggingServerProtocol(insults.ServerProtocol): ttylog.ttylog_open(self.ttylog_file, time.time()) self.ttylog_open = True - log.msg(eventid='COW0004', ttylog=self.ttylog_file, - format='Opening TTY Log: %(ttylog)s') + log.msg(eventid='cowrie.log.open', + ttylog=self.ttylog_file, + format='Opening TTY Log: %(ttylog)s') self.stdinlog_file = '%s/%s-%s-%s-stdin.log' % \ (self.downloadPath, @@ -90,7 +91,9 @@ class LoggingServerProtocol(insults.ServerProtocol): self.bytesReceived += len(data) if self.bytesReceivedLimit \ and self.bytesReceived > self.bytesReceivedLimit: - log.msg(eventid='COW0015', format='Data upload limit reached') + log.msg(eventid='cowrie.direct-tcpip.data', + format='Data upload limit reached') + #self.loseConnection() self.eofReceived() return 
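Review bot: The upload-limit branch in `LoggingServerProtocol.dataReceived` logs its quota hit as `cowrie.direct-tcpip.data`, the id forwarding.py uses for a direct-tcpip forward carrying `dst_ip`/`dst_port`/`data`, so anything that consumes that id by name will misclassify stdin quota events and may KeyError on the absent fields (filetransfer.py's `writeChunk` reuses it the same way). A dedicated id, e.g. `log.msg(eventid='cowrie.session.limit', format='Data upload limit reached')`, listed alongside the others in output.py, keeps the two apart. The branch also only calls `self.eofReceived()` and returns, so unless eofReceived tears the transport down a client that keeps sending will hit this log line on every further chunk, an attacker-controlled log amplifier; the new `#self.loseConnection()` line looks like the intended remedy and should be enabled or dropped rather than committed commented out. The method continues above and below the hunk.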
@@ -155,16 +158,19 @@ class LoggingServerProtocol(insults.ServerProtocol): else: os.rename(self.stdinlog_file, shasumfile) os.symlink(shasum, self.stdinlog_file) - log.msg(eventid='COW0017', - format='Saved stdin contents to %(outfile)s', - filename='stdin', outfile=shasumfile, shasum=shasum) + log.msg(eventid='cowrie.session.file_download', + format='Saved stdin contents to %(outfile)s', + url='stdin', + outfile=shasumfile, + shasum=shasum) except IOError as e: pass finally: self.stdinlog_open = False if self.ttylog_open: - log.msg(eventid='COW0012', + size = self.ttylog_size[self.ttylog_file] + log.msg(eventid='cowrie.log.closed', format='Closing TTY Log: %(ttylog)s', ttylog=self.ttylog_file, size=self.ttylogSize) diff --git a/cowrie/output/dshield.py b/cowrie/output/dshield.py index 64c2923..6c0f0e6 100644 --- a/cowrie/output/dshield.py +++ b/cowrie/output/dshield.py @@ -36,7 +36,7 @@ class Output(cowrie.core.output.Output): def write(self, entry): - if entry["eventid"] == 'COW0002' or entry["eventid"] == 'COW0003': + if entry["eventid"] == 'cowrie.login.success' or entry["eventid"] == 'cowrie.login.failed': date = dateutil.parser.parse(entry["timestamp"]) self.batch.append({ 'date' : date.date().__str__(), diff --git a/cowrie/output/mysql.py b/cowrie/output/mysql.py index d64230d..dbef072 100644 --- a/cowrie/output/mysql.py +++ b/cowrie/output/mysql.py @@ -99,7 +99,7 @@ class Output(cowrie.core.output.Output): docstring here """ - if entry["eventid"] == 'COW0001': + if entry["eventid"] == 'cowrie.session.connect': r = yield self.db.runQuery( "SELECT `id` FROM `sensors` WHERE `ip` = %s", (self.sensor,)) if r: 
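Review bot: The new `size = self.ttylog_size[self.ttylog_file]` in `connectionLost` is dead code — the `log.msg` two lines below still passes `size=self.ttylogSize` — and `ttylog_size` appears nowhere else in this file, the existing attribute being `ttylogSize`, so unless it is defined elsewhere this raises `AttributeError` on every session close and the `cowrie.log.closed` event the mysql plugin needs for the `ttylog` table is never emitted. Either delete the added line or make the call use it, `size=size`. The stdin-save event just above now goes out as `cowrie.session.file_download` with `url='stdin'` rather than the former upload id; that is consistent with the fields mysql.py's download branch reads, but worth a short comment so nobody later "fixes" it back. The enclosing method starts above the hunk.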
@@ -115,49 +115,49 @@ class Output(cowrie.core.output.Output): (entry["session"], entry["timestamp"], '%Y-%m-%dT%H:%i:%s.%fZ', sensorid, entry["src_ip"])) - elif entry["eventid"] == 'COW0002': + elif entry["eventid"] == 'cowrie.login.success': self.simpleQuery('INSERT INTO `auth` (`session`, `success`' + \ ', `username`, `password`, `timestamp`)' + \ ' VALUES (%s, %s, %s, %s, STR_TO_DATE(%s, %s))', (entry["session"], 1, entry['username'], entry['password'], entry["timestamp"], '%Y-%m-%dT%H:%i:%s.%fZ')) - elif entry["eventid"] == 'COW0003': + elif entry["eventid"] == 'cowrie.login.failed': self.simpleQuery('INSERT INTO `auth` (`session`, `success`' + \ ', `username`, `password`, `timestamp`)' + \ ' VALUES (%s, %s, %s, %s, STR_TO_DATE(%s, %s))', (entry["session"], 0, entry['username'], entry['password'], entry["timestamp"], '%Y-%m-%dT%H:%i:%s.%fZ')) - elif entry["eventid"] == 'COW0005': + elif entry["eventid"] == 'cowrie.command.success': self.simpleQuery('INSERT INTO `input`' + \ ' (`session`, `timestamp`, `success`, `input`)' + \ ' VALUES (%s, STR_TO_DATE(%s, %s), %s , %s)', (entry["session"], entry["timestamp"], '%Y-%m-%dT%H:%i:%s.%fZ', 1, entry["input"])) - elif entry["eventid"] == 'COW0006': + elif entry["eventid"] == 'cowrie.command.failed': self.simpleQuery('INSERT INTO `input`' + \ ' (`session`, `timestamp`, `success`, `input`)' + \ ' VALUES (%s, STR_TO_DATE(%s, %s), %s , %s)', (entry["session"], entry["timestamp"], '%Y-%m-%dT%H:%i:%s.%fZ', 0, entry["input"])) - elif entry["eventid"] == 'COW0007': + elif entry["eventid"] == 'cowrie.session.file_download': self.simpleQuery('INSERT INTO `downloads`' + \ ' (`session`, `timestamp`, `url`, `outfile`, `shasum`)' + \ ' VALUES (%s, STR_TO_DATE(%s, %s), %s, %s, %s)', (entry["session"], entry["timestamp"], '%Y-%m-%dT%H:%i:%s.%fZ', entry['url'], entry['outfile'], entry['shasum'])) - elif entry["eventid"] == 'COW0008': + elif entry["eventid"] == 'cowrie.session.file_download': self.simpleQuery('INSERT INTO `input`' + \ ' 
(`session`, `timestamp`, `realm`, `input`)' + \ ' VALUES (%s, STR_TO_DATE(%s, %s), %s , %s)', (entry["session"], entry["timestamp"], '%Y-%m-%dT%H:%i:%s.%fZ', entry["realm"], entry["input"])) - elif entry["eventid"] == 'COW0009': + elif entry["eventid"] == 'cowrie.client.version': r = yield self.db.runQuery( 'SELECT `id` FROM `clients` WHERE `version` = %s', \ (entry['version'],)) @@ -173,24 +173,24 @@ class Output(cowrie.core.output.Output): 'UPDATE `sessions` SET `client` = %s WHERE `id` = %s', (id, entry["session"])) - elif entry["eventid"] == 'COW0010': + elif entry["eventid"] == 'cowrie.client.size': self.simpleQuery( 'UPDATE `sessions` SET `termsize` = %s WHERE `id` = %s', ('%sx%s' % (entry['width'], entry['height']), entry["session"])) - elif entry["eventid"] == 'COW0011': + elif entry["eventid"] == 'cowrie.session.closed': self.simpleQuery( 'UPDATE `sessions` SET `endtime` = STR_TO_DATE(%s, %s)' + \ ' WHERE `id` = %s', (entry["timestamp"], '%Y-%m-%dT%H:%i:%s.%fZ', entry["session"])) - elif entry["eventid"] == 'COW0012': + elif entry["eventid"] == 'cowrie.log.closed': self.simpleQuery( 'INSERT INTO `ttylog` (`session`, `ttylog`, `size`) VALUES (%s, %s, %s)', (entry["session"], entry["ttylog"], entry["size"])) - elif entry["eventid"] == 'COW0016': + elif entry["eventid"] == 'cowrie.client.fingerprint': self.simpleQuery( 'INSERT INTO `keyfingerprints` (`session`, `username`, `fingerprint`) VALUES (%s, %s, %s)', (entry["session"], entry["username"], entry["fingerprint"])) diff --git a/cowrie/output/virustotal.py b/cowrie/output/virustotal.py index 52dab0d..4f7a2d1 100644 --- a/cowrie/output/virustotal.py +++ b/cowrie/output/virustotal.py @@ -89,7 +89,7 @@ class Output(cowrie.core.output.Output): fileName = b self.postfile(entry["outfile"], fileName) - elif entry["eventid"] == 'COW0017': + elif entry["eventid"] == 'cowrie.session.file_upload': log.msg("Sending file to VT") self.postfile(entry["outfile"], entry["filename"]) 
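Review bot: In `Output.write` the condition `elif entry["eventid"] == 'cowrie.session.file_download'` appears twice; the second branch (the `input` table insert keyed on `realm`) is unreachable, and the first will raise `KeyError` on `entry['url']` for the renamed INPUT events, which carry only `realm`/`input`, leaving that event unrecorded. Change the second condition to a distinct id that the producers emit, `elif entry["eventid"] == 'cowrie.session.input':`, and keep the first for real downloads. The queries themselves stay parameterized, which is the right way to handle attacker-supplied `input`/`url` values. The method continues outside the hunk.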
diff --git a/cowrie/ssh/filetransfer.py b/cowrie/ssh/filetransfer.py index bd6f96a..d245147 100644 --- a/cowrie/ssh/filetransfer.py +++ b/cowrie/ssh/filetransfer.py @@ -86,7 +86,7 @@ class CowrieSFTPFile(object): """ self.bytes_written += len(data) if self.bytesReceivedLimit and self.bytes_written > self.bytesReceivedLimit: - log.msg(eventid='COW0015', format='Data upload limit reached') + log.msg(eventid='cowrie.direct-tcpip.data', format='Data upload limit reached') raise filetransfer.SFTPError( filetransfer.FX_FAILURE, "Quota exceeded" ) self.sftpserver.fs.lseek(self.fd, offset, os.SEEK_SET) self.sftpserver.fs.write(self.fd, data) diff --git a/cowrie/ssh/forwarding.py b/cowrie/ssh/forwarding.py index e00921b..2038b9c 100644 --- a/cowrie/ssh/forwarding.py +++ b/cowrie/ssh/forwarding.py @@ -14,7 +14,7 @@ def CowrieOpenConnectForwardingClient(remoteWindow, remoteMaxPacket, data, avata """ """ remoteHP, origHP = twisted.conch.ssh.forwarding.unpackOpen_direct_tcpip(data) - log.msg(eventid='COW0014', format='direct-tcp connection request to %(dst_ip)s:%(dst_port)s', + log.msg(eventid='cowrie.direct-tcpip.request', format='direct-tcp connection request to %(dst_ip)s:%(dst_port)s', dst_ip=remoteHP[0], dst_port=remoteHP[1]) return CowrieConnectForwardingChannel(remoteHP, remoteWindow=remoteWindow, remoteMaxPacket=remoteMaxPacket, @@ -34,7 +34,7 @@ class CowrieConnectForwardingChannel(forwarding.SSHConnectForwardingChannel): def dataReceived(self, data): """ """ - log.msg(eventid='COW0015', + log.msg(eventid='cowrie.direct-tcpip.data', format='direct-tcp forward to %(dst_ip)s:%(dst_port)s with data %(data)s', dst_ip=self.hostport[0], dst_port=self.hostport[1], data=repr(data)) self._close("Connection refused") diff --git a/cowrie/ssh/session.py b/cowrie/ssh/session.py index 327d9b0..757eea7 100644 --- a/cowrie/ssh/session.py +++ b/cowrie/ssh/session.py 
@@ -37,7 +37,7 @@ class HoneyPotSSHSession(session.SSHSession): value, rest = getNS(rest) if rest: raise ValueError("Bad data given in env request") - log.msg(eventid='COW0013', format='request_env: %(name)s=%(value)s', + log.msg(eventid='cowrie.client.var', format='request_env: %(name)s=%(value)s', name=name, value=value) # FIXME: This only works for shell, not for exec command if self.session: @@ -131,7 +131,7 @@ class SSHSessionForCowrieUser(object): """ """ self.environ['TERM'] = terminal - log.msg(eventid='COW0010', width=windowSize[0], height=windowSize[1], + log.msg(eventid='cowrie.client.size', width=windowSize[0], height=windowSize[1], format='Terminal Size: %(width)s %(height)s') self.windowSize = windowSize return None diff --git a/cowrie/ssh/transport.py b/cowrie/ssh/transport.py index 8ad1467..013cff6 100644 --- a/cowrie/ssh/transport.py +++ b/cowrie/ssh/transport.py @@ -170,7 +170,7 @@ class HoneyPotTransport(transport.SSHServerTransport, TimeoutMixin): """ self.transportId = uuid.uuid4().hex[:8] - log.msg(eventid='COW0001', + log.msg(eventid='cowrie.session.connect', format='New connection: %(src_ip)s:%(src_port)s (%(dst_ip)s:%(dst_port)s) [session: %(sessionno)s]', src_ip=self.transport.getPeer().host, src_port=self.transport.getPeer().port, dst_ip=self.transport.getHost().host, dst_port=self.transport.getHost().port, @@ -241,7 +241,7 @@ class HoneyPotTransport(transport.SSHServerTransport, TimeoutMixin): (kexAlgs, keyAlgs, encCS, encSC, macCS, macSC, compCS, compSC, langCS, langSC) = [s.split(',') for s in strings] log.msg("EXPERIMENTAL KEXINIT langCS langSC %s %s" % (langCS,langSC,)) - log.msg(eventid='COW0009', version=self.otherVersionString, + log.msg(eventid='cowrie.client.version', version=self.otherVersionString, kexAlgs=kexAlgs, keyAlgs=keyAlgs, encCS=encCS, macCS=macCS, compCS=compCS, format='Remote SSH version: %(version)s') 
@@ -283,7 +283,7 @@ class HoneyPotTransport(transport.SSHServerTransport, TimeoutMixin): transport.SSHServerTransport.connectionLost(self, reason) self.transport.connectionLost(reason) self.transport = None - log.msg(eventid='COW0011', format='Connection lost') + log.msg(eventid='cowrie.session.closed', format='Connection lost') def sendDisconnect(self, reason, desc):