From 89e610336cab46113ffcb37b13a42db362fe3381 Mon Sep 17 00:00:00 2001
From: Muzyka
Date: Mon, 25 Apr 2016 15:12:26 +0300
Subject: [PATCH 1/5] smtp forward to 127.1:12525
---
 cowrie/ssh/forwarding.py | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/cowrie/ssh/forwarding.py b/cowrie/ssh/forwarding.py
index 2038b9c..3f2fed8 100644
--- a/cowrie/ssh/forwarding.py
+++ b/cowrie/ssh/forwarding.py
@@ -14,13 +14,20 @@ def CowrieOpenConnectForwardingClient(remoteWindow, remoteMaxPacket, data, avata
 """
 """
 remoteHP, origHP = twisted.conch.ssh.forwarding.unpackOpen_direct_tcpip(data)
- log.msg(eventid='cowrie.direct-tcpip.request', format='direct-tcp connection request to %(dst_ip)s:%(dst_port)s',
- dst_ip=remoteHP[0], dst_port=remoteHP[1])
- return CowrieConnectForwardingChannel(remoteHP,
- remoteWindow=remoteWindow, remoteMaxPacket=remoteMaxPacket,
- avatar=avatar)
-
-
+ log.msg(eventid='cowrie.direct-tcpip.request', format='direct-tcp connection request
+ to %(dst_ip)s:%(dst_port)s from %(src_ip)s:%(src_port)s',
+ dst_ip=remoteHP[0], dst_port=remoteHP[1],
+ src_ip=origHP[0], src_port=origHP[1])
+ if remoteHP[1] == 25:
+ log.msg(eventid='cowrie.direct-tcpip.request',format='found smtp, forwarding to local honeypot')
+ remoteHPLocal = ('127.0.0.1', 12525)
+ return forwarding.SSHConnectForwardingChannel(remoteHPLocal,
+ remoteWindow=remoteWindow, remoteMaxPacket=remoteMaxPacket,
+ avatar=avatar)
+ else:
+ return CowrieConnectForwardingChannel(remoteHP,
+ remoteWindow=remoteWindow, remoteMaxPacket=remoteMaxPacket,
+ avatar=avatar)
 class CowrieConnectForwardingChannel(forwarding.SSHConnectForwardingChannel):
 """
From f2954eae7071f9f4a03f6b0dbaedb4bcafcc0f9a Mon Sep 17 00:00:00 2001
From: Muzyka
Date: Mon, 25 Apr 2016 15:24:52 +0300
Subject: [PATCH 2/5] smtp forward to 127.1:12525
---
 cowrie/ssh/forwarding.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
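Review bot: The SMTP branch returns a bare `forwarding.SSHConnectForwardingChannel` while the non-SMTP branch returns `CowrieConnectForwardingChannel`, the subclass of that same class declared just below; whatever the subclass adds on top of the Twisted base (its body is outside the hunk) is skipped for exactly the sessions this patch sets out to capture. Unless the subclass is known to interfere with the redirect, use `return CowrieConnectForwardingChannel(remoteHPLocal, remoteWindow=remoteWindow, remoteMaxPacket=remoteMaxPacket, avatar=avatar)` in that branch too. The second `log.msg` reuses `eventid='cowrie.direct-tcpip.request'` for a record that lacks the `dst_ip`/`dst_port`/`src_ip`/`src_port` fields the first one carries, so log consumers keyed on that eventid see two differently shaped events per request and cannot tell from the record that the destination was substituted; give the redirect its own id after the `remoteHPLocal` assignment, e.g. `log.msg(eventid='cowrie.direct-tcpip.redirect', format='smtp request to %(dst_ip)s:%(dst_port)s redirected to %(fwd_ip)s:%(fwd_port)s', dst_ip=remoteHP[0], dst_port=remoteHP[1], fwd_ip=remoteHPLocal[0], fwd_port=remoteHPLocal[1])`. The function's `def` line appears only in the hunk header, so its signature is outside the hunk.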
diff --git a/cowrie/ssh/forwarding.py b/cowrie/ssh/forwarding.py
index 3f2fed8..56628bb 100644
--- a/cowrie/ssh/forwarding.py
+++ b/cowrie/ssh/forwarding.py
@@ -14,8 +14,8 @@ def CowrieOpenConnectForwardingClient(remoteWindow, remoteMaxPacket, data, avata
 """
 """
 remoteHP, origHP = twisted.conch.ssh.forwarding.unpackOpen_direct_tcpip(data)
- log.msg(eventid='cowrie.direct-tcpip.request', format='direct-tcp connection request
- to %(dst_ip)s:%(dst_port)s from %(src_ip)s:%(src_port)s',
+ log.msg(eventid='cowrie.direct-tcpip.request',
+ format='direct-tcp connection request to %(dst_ip)s:%(dst_port)s from %(src_ip)s:%(src_port)s',
 dst_ip=remoteHP[0], dst_port=remoteHP[1],
 src_ip=origHP[0], src_port=origHP[1])
 if remoteHP[1] == 25:
From 33b32139613f587abfc5d00f83f4fb3c09856a68 Mon Sep 17 00:00:00 2001
From: Muzyka
Date: Mon, 25 Apr 2016 17:45:44 +0300
Subject: [PATCH 3/5] smtp forward
---
 README.md | 1 +
 cowrie.cfg.dist | 4 +++-
 cowrie/ssh/forwarding.py | 15 ++++++++++++---
 3 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index cd33883..171b238 100644
--- a/README.md
+++ b/README.md
@@ -18,6 +18,7 @@ Additional functionality over standard kippo:
 * SFTP and SCP support for file upload
 * Support for SSH exec commands
 * Logging of direct-tcp connection attempts (ssh proxying)
+* Forward SMTP connections to SMTP Honeypot (e.g. [mailoney](https://github.com/awhitehatter/mailoney))
 * Logging in JSON format for easy processing in log management solutions
 * Many, many additional commands
diff --git a/cowrie.cfg.dist b/cowrie.cfg.dist
index 45a1ede..fe145ef 100644
--- a/cowrie.cfg.dist
+++ b/cowrie.cfg.dist
@@ -95,7 +95,9 @@ interact_enabled = false
 # (default: 5123)
 interact_port = 5123
-
+smtp_forwarding_enabled = false
+smtp_forwarding_port = 12525
+smtp_forwarding_host = 127.0.0.1
 # ============================================================================
 # Network Specific Options
diff --git a/cowrie/ssh/forwarding.py b/cowrie/ssh/forwarding.py
index 56628bb..01025e2 100644
--- a/cowrie/ssh/forwarding.py
+++ b/cowrie/ssh/forwarding.py
@@ -13,19 +13,28 @@ from twisted.python import log
 def CowrieOpenConnectForwardingClient(remoteWindow, remoteMaxPacket, data, avatar):
 """
 """
+ cfg = avatar.cfg
 remoteHP, origHP = twisted.conch.ssh.forwarding.unpackOpen_direct_tcpip(data)
 log.msg(eventid='cowrie.direct-tcpip.request',
 format='direct-tcp connection request to %(dst_ip)s:%(dst_port)s from %(src_ip)s:%(src_port)s',
 dst_ip=remoteHP[0], dst_port=remoteHP[1],
 src_ip=origHP[0], src_port=origHP[1])
- if remoteHP[1] == 25:
+ if cfg.has_option('honeypot', 'smtp_forwarding_enabled') and \
+ cfg.get('honeypot', 'smtp_forwarding_enabled').lower() in \
+ ('yes', 'true', 'on'):
+ honey_smtp = True
+ honey_port = int(cfg.get('honeypot', 'smtp_forwarding_port'))
+ honey_host = cfg.get('honeypot', 'smtp_forwarding_host')
+
+ if remoteHP[1] == 25 and honey_smtp:
 log.msg(eventid='cowrie.direct-tcpip.request',format='found smtp, forwarding to local honeypot')
- remoteHPLocal = ('127.0.0.1', 12525)
+ remoteHPLocal = (honey_host, honey_port)
 return forwarding.SSHConnectForwardingChannel(remoteHPLocal,
 remoteWindow=remoteWindow, remoteMaxPacket=remoteMaxPacket,
 avatar=avatar)
 else:
- return CowrieConnectForwardingChannel(remoteHP,
+ pass
+ return CowrieConnectForwardingChannel(remoteHP,
 remoteWindow=remoteWindow, remoteMaxPacket=remoteMaxPacket,
 avatar=avatar)
From 4f61575f2667a898eb02c013a2e03240ce244afa Mon Sep 17 00:00:00 2001
From: Muzyka
Date: Mon, 25 Apr 2016 17:49:20 +0300
Subject: [PATCH 4/5] smtp forward
---
 cowrie/ssh/forwarding.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/cowrie/ssh/forwarding.py b/cowrie/ssh/forwarding.py
index 01025e2..4c9c338 100644
--- a/cowrie/ssh/forwarding.py
+++ b/cowrie/ssh/forwarding.py
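Review bot: With `smtp_forwarding_enabled` on, `int(cfg.get('honeypot', 'smtp_forwarding_port'))` and `cfg.get('honeypot', 'smtp_forwarding_host')` run on every direct-tcpip open and raise `NoOptionError` or `ValueError` straight out of the channel-open path if either option is missing or not numeric, so one bad line in the operator's config turns every forwarding request into a traceback rather than falling back to the values cowrie.cfg.dist ships. Guard them the way the enabled flag is guarded, e.g. `honey_port = cfg.getint('honeypot', 'smtp_forwarding_port') if cfg.has_option('honeypot', 'smtp_forwarding_port') else 12525` and the same for the host with `'127.0.0.1'`, or read them once at startup instead of per request. The redirect still keys only on `remoteHP[1] == 25`; a client tunnelling mail to 465, 587 or any non-standard port takes the ordinary `CowrieConnectForwardingChannel` path to its real destination, so if the intent is to capture outbound mail the matched ports should be a configurable list rather than the literal 25. The `else:` arm that now holds only `pass` ahead of the outdented `return` is dead and can be dropped without changing behaviour. The function's `def` line is the hunk's first context line, while `CowrieConnectForwardingChannel` itself is outside the hunk.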
@@ -25,6 +25,8 @@ def CowrieOpenConnectForwardingClient(remoteWindow, remoteMaxPacket, data, avata
 honey_smtp = True
 honey_port = int(cfg.get('honeypot', 'smtp_forwarding_port'))
 honey_host = cfg.get('honeypot', 'smtp_forwarding_host')
+ else:
+ honey_smtp= False
 if remoteHP[1] == 25 and honey_smtp:
 log.msg(eventid='cowrie.direct-tcpip.request',format='found smtp, forwarding to local honeypot')
From aa76d5cae9a281c7f2bc685aac562082ebdebe5b Mon Sep 17 00:00:00 2001
From: Muzyka
Date: Mon, 25 Apr 2016 17:54:46 +0300
Subject: [PATCH 5/5] smtp forward
---
 cowrie.cfg.dist | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/cowrie.cfg.dist b/cowrie.cfg.dist
index fe145ef..eede0f5 100644
--- a/cowrie.cfg.dist
+++ b/cowrie.cfg.dist
@@ -95,6 +95,11 @@ interact_enabled = false
 # (default: 5123)
 interact_port = 5123
+#SMTP forwarding.
+#
+#If you want to record SMTP traffic, install SMTP honeypoint.
+# (e.g https://github.com/awhitehatter/mailoney)
+# python mailoney.py -s yahoo.com -t schizo_open_relay -p 12525
 smtp_forwarding_enabled = false
 smtp_forwarding_port = 12525
 smtp_forwarding_host = 127.0.0.1
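Review bot: `honey_smtp= False` drops the space before `=` that every other assignment in the hunk has, and the whole `else:` arm exists only to initialise that flag; assigning `honey_smtp = False` once before the `if cfg.has_option(...)` line (which sits above this hunk) reads more naturally and removes the branch. `honey_host` and `honey_port` remain unbound in the disabled case, which is safe only because `if remoteHP[1] == 25 and honey_smtp:` short-circuits before they are read, and that dependency deserves a comment, e.g. `# honey_host/honey_port are only read when honey_smtp is True`. The enclosing function begins before and ends after this hunk.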
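Review bot: The new comment block says what to install but not what the options do or what is at stake: every direct-tcpip request an attacker aims at port 25 is handed to `smtp_forwarding_host`:`smtp_forwarding_port`, so an operator who points these at a real MTA has the honeypot delivering attacker-controlled SMTP sessions to it. Add a line such as `# Only point this at an SMTP honeypot or sink (e.g. mailoney); never at a real mail server.` directly above `smtp_forwarding_enabled`. In the third and fourth added lines "honeypoint" should read "honeypot" and "e.g" should be "e.g.", and the leading `#` without a space is inconsistent with the surrounding comment style in this file.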