From eb717d82e77901206450404d32a92f950e20fa70 Mon Sep 17 00:00:00 2001
From: Michel Oosterhof
Date: Tue, 19 Jan 2016 15:14:51 +0400
Subject: [PATCH] Rearrange to be more logical.
---
 cowrie.cfg.dist | 237 +++++++++++++++++++++++++++---------------------
 1 file changed, 136 insertions(+), 101 deletions(-)
diff --git a/cowrie.cfg.dist b/cowrie.cfg.dist
index c5f688c..f3e1a20 100644
--- a/cowrie.cfg.dist
+++ b/cowrie.cfg.dist
@@ -2,59 +2,45 @@ # Cowrie configuration file (cowrie.cfg) # +# ============================================================================ +# General Honeypot Options +# ============================================================================ [honeypot] -# Sensor name use to identify this cowrie instance. Used by the database +# Sensor name is used to identify this Cowrie instance. Used by the database # logging modules such as mysql. # # If not specified, the logging modules will instead use the IP address of the -# connection as the sensor name. +# server as the sensor name. # # (default: not specified) #sensor_name=myhostname -# IP addresses to listen for incoming SSH connections. -# -# (default: 0.0.0.0) = any IPv4 address -#listen_addr = 0.0.0.0 -# (use :: for listen to all IPv6 and IPv4 addresses) -#listen_addr = :: - -# Port to listen for incoming SSH connections. -# To listen to IPv6, set this to "::" -# -# (default: 2222) -#listen_port = 2222 - -# Source Port to report in logs (useful if you use iptables to forward ports to cowrie) -#reported_ssh_port = 22 - -# Enable to log the public IP of the honeypot (useful if listening on 127.0.0.1) -# IP address is obtained by querying http://myip.threatstream.com -#report_public_ip = true # Hostname for the honeypot. Displayed by the shell prompt of the virtual -# environment. +# environment # # (default: svr04) hostname = svr04 + # Directory where to save log files in. # # (default: log) log_path = log -# Directory where to save downloaded (malware) files in. + +# Directory where to save downloaded artifacts in. # # (default: dl) download_path = dl -# Maximum file size (in bytes) for downloaded files to be stored in 'download_path'. -# A value of 0 means no limit. If the file size is known to be too big from the start, -# the file will not be stored on disk at all. + +# Directory for miscellaneous data files, such as the password database. 
# -# (default: 0) -#download_limit_size = 10485760 +# (default: data_path) +data_path = data + # Directory where virtual file contents are kept in. # @@ -65,45 +51,16 @@ download_path = dl # (default: honeyfs) contents_path = honeyfs + # File in the python pickle format containing the virtual filesystem. # -# This includes the filenames, paths, permissions for the whole filesystem, +# This includes the filenames, paths, permissions for the Cowrie filesystem, # but not the file contents. This is created by the createfs.py utility from # a real template linux installation. # # (default: fs.pickle) filesystem_file = data/fs.pickle -# Directory for miscellaneous data files, such as the password database. -# -# (default: data_path) -data_path = data - -# Class that implements the checklogin() method. -# -# Class must be defined in cowrie/core/auth.py -# Default is the 'UserDB' class which uses the password database. -# -# Alternatively the 'AuthRandom' class can be used, which will let -# a user login after a random number of attempts. -# It will also cache username/password combinations that allow login. -# -auth_class = UserDB -# When AuthRandom is used also set the -# auth_class_parameters: , , -# for example: 2, 5, 10 = allows access after randint(2,5) attempts -# and cache 10 combinations. -# -#auth_class = AuthRandom -#auth_class_parameters = 2, 5, 10 - -# No authentication checking at all -# enabling 'auth_none' will enable the ssh2 'auth_none' authentication method -# this allows the requested user in without any verification at all -# -# (default: false) - -auth_none_enabled = false # Directory for creating simple commands that only output text. # 
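Review bot: The moved `data_path` block documents its default as `(default: data_path)`, which is the option's own name rather than a value; the active setting directly below it is `data_path = data`, so the line should presumably read `# (default: data)`. Every other `(default: …)` line in this file quotes the actual fallback value, so this one is the odd one out and will confuse an operator who comments the setting out. Confirm the code's real fallback before changing the text, since the config cannot show it.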
@@ -113,28 +70,44 @@ auth_none_enabled = false # The contents of the file will be the output of the command when run inside # the honeypot. # -# In addition to this, the file must exist in the virtual -# filesystem {filesystem_file} +# In addition to this, the file must exist in the virtual filesystem # # (default: txtcmds) txtcmds_path = txtcmds -# Public and private SSH key files. If these don't exist, they are created -# automatically. -rsa_public_key = data/ssh_host_rsa_key.pub -rsa_private_key = data/ssh_host_rsa_key -dsa_public_key = data/ssh_host_dsa_key.pub -dsa_private_key = data/ssh_host_dsa_key -# sftp_enabled enables the sftp subsystem -sftp_enabled = true +# Maximum file size (in bytes) for downloaded files to be stored in 'download_path'. +# A value of 0 means no limit. If the file size is known to be too big from the start, +# the file will not be stored on disk at all. +# +# (default: 0) +#download_limit_size = 10485760 -# IP address to bind to when opening outgoing connections. Used by -# the wget and curl commands. + +# Session management interface. +# +# This is a telnet based service that can be used to interact with active +# sessions. Disabled by default. The interact feature is only available on +# the loopback interface. +# +# (default: false) +interact_enabled = false +# (default: 5123) +interact_port = 5123 + + + +# ============================================================================ +# Network Specific Options +# ============================================================================ + +# IP address to bind to when opening outgoing connections. Used by wget and +# curl commands. # # (default: not specified) #out_addr = 0.0.0.0 + # Fake address displayed as the address of the incoming connection. # This doesn't affect logging, and is only used by honeypot commands such as # 'w' and 'last' 
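Review bot: The reworded `filesystem_file` comment still describes the file only as "python pickle format" without saying that unpickling executes whatever code the file contains, so an operator who drops in an `fs.pickle` obtained from somewhere other than their own `createfs.py` run is handing that file's author code execution on the honeypot host. Suggest adding, next to the `(default: fs.pickle)` line, `# NOTE: pickle files execute code when loaded; only use fs.pickle files you generated yourself with createfs.py.` Whether the loader applies any integrity check is not visible from the config; if it does, state that instead of the warning.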
@@ -145,16 +118,76 @@ sftp_enabled = true # (default: not specified) #fake_addr = 192.168.66.254 -# The IP address on which this machine reachable on from the internet. -# Useful if you use portforwarding or other mechanisms. If empty, cowrie + +# The IP address on which this machine is reachable on from the internet. +# Useful if you use portforwarding or other mechanisms. If empty, Cowrie # will determine by itself. Used in 'netstat' output # #internet_facing_ip = 9.9.9.9 + +# Enable to log the public IP of the honeypot (useful if listening on 127.0.0.1) +# IP address is obtained by querying http://myip.threatstream.com +#report_public_ip = true + + + +# ============================================================================ +# Authentication Specific Options +# ============================================================================ + + +# Class that implements the checklogin() method. +# +# Class must be defined in cowrie/core/auth.py +# Default is the 'UserDB' class which uses the password database. +# +# Alternatively the 'AuthRandom' class can be used, which will let +# a user login after a random number of attempts. +# It will also cache username/password combinations that allow login. +# +auth_class = UserDB + +# When AuthRandom is used also set the +# auth_class_parameters: , , +# for example: 2, 5, 10 = allows access after randint(2,5) attempts +# and cache 10 combinations. +# +#auth_class = AuthRandom +#auth_class_parameters = 2, 5, 10 + + +# No authentication checking at all +# enabling 'auth_none' will enable the ssh2 'auth_none' authentication method +# this allows the requested user in without any verification at all +# +# (default: false) +#auth_none_enabled = false + + +# ============================================================================ +# SSH Specific Options +# ============================================================================ + + +# IP addresses to listen for incoming SSH connections. 
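Review bot: `download_limit_size` is moved here with its example still commented out, so the shipped default remains `0` (no limit), which lets an attacker who runs `wget`/`curl` inside the emulated shell fill the disk under `download_path`; consider shipping the example active, `download_limit_size = 10485760`, or at least adding `# 0 = unlimited: an attacker can exhaust disk space under download_path.` to the comment. Separately, the new sentence `The interact feature is only available on the loopback interface.` is a claim the config cannot back, because no bind-address option for it exists here, and nothing says whether the telnet management service authenticates at all. If it does not, say so plainly, e.g. `# No authentication: anyone with local shell access can attach to live sessions.`, hedged until confirmed against the code.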
+# +# (default: 0.0.0.0) = any IPv4 address +#listen_addr = 0.0.0.0 +# (use :: for listen to all IPv6 and IPv4 addresses) +#listen_addr = :: + + +# Port to listen for incoming SSH connections. +# +# (default: 2222) +#listen_port = 2222 + + # SSH Version String # -# Use this to disguise your honeypot from a simple SSH version scan -# frequent Examples: (found experimentally by scanning ISPs) +# Use these to disguise your honeypot from a simple SSH version scan +# Examples: # SSH-2.0-OpenSSH_5.1p1 Debian-5 # SSH-1.99-OpenSSH_4.3 # SSH-1.99-OpenSSH_4.7 @@ -178,21 +211,28 @@ sftp_enabled = true # (default: "SSH-2.0-SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2") ssh_version_string = SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2 -# Banner file to be displayed before the first login attempt. -# -#banner_file = DEPRECATED; always '/etc/issue.net' in honeyfs -# Session management interface. -# -# This is a telnet based service that can be used to interact with active -# sessions. Disabled by default. -# -# (default: false) -interact_enabled = false -# (default: 5123) -interact_port = 5123 +# Source Port to report in logs (useful if you use iptables to forward ports to Cowrie) +#reported_ssh_port = 22 +# Public and private SSH key files. If these don't exist, they are created +# automatically. +rsa_public_key = data/ssh_host_rsa_key.pub +rsa_private_key = data/ssh_host_rsa_key +dsa_public_key = data/ssh_host_dsa_key.pub +dsa_private_key = data/ssh_host_dsa_key + + +# sftp_enabled enables the sftp subsystem +sftp_enabled = true + + + +# ============================================================================ +# Database logging Specific Options +# ============================================================================ + # XMPP Logging # Log to an xmpp server. # 
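Review bot: `report_public_ip`, moved into the new Network section, obtains the honeypot's address by querying `http://myip.threatstream.com`, so enabling it makes the sensor perform an outbound cleartext HTTP request to a third party and trust an unauthenticated answer; the comment should spell that out, e.g. `# NOTE: this sends an outbound plain-HTTP request to a third-party service; the reply is unauthenticated and the request reveals the honeypot's address to that service.` The line `(use :: for listen to all IPv6 and IPv4 addresses)` only holds on dual-stack hosts with `net.ipv6.bindv6only=0`; a short qualifier would avoid surprises on hosts where `::` binds IPv6 only. `auth_none_enabled` is now commented out rather than set to `false`, so the effective value is whatever the code falls back to — the `(default: false)` comment presumably matches, but confirm, since an accidental `auth_none` default lets any username in unverified.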
@@ -210,14 +250,9 @@ interact_port = 5123 #debug=true -# Text based logging module -# -# While this is a database logging module, it actually just creates a simple -# text based log. This may not have much purpose, if you're fine with the -# default text based logs generated by cowrie in log/ -# -#[database_textlog] -#logfile = log/cowrie-textlog.log +# ============================================================================ +# Output Plugins +# ============================================================================ # JSON based logging module @@ -238,13 +273,13 @@ logfile = log/cowrie.json # Send login attemp information to SANS DShield # See https://isc.sans.edu/ssh.html -# You must signup for an api key. +# You must signup for an api key. # Once registered, find your details at: https://isc.sans.edu/myaccount.html # #[output_dshield] -#userid = userid_here -#auth_key = auth_key_here -#batch_size = 100 +#userid = userid_here +#auth_key = auth_key_here +#batch_size = 100 # Local Syslog output module @@ -288,8 +323,8 @@ logfile = log/cowrie.json #debug=false -# Virustotal output module -# +# VirusTotal output module +# You must signup for an api key. # #[output_virustotal] #api_key = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
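Review bot: The context line `# (default: "SSH-2.0-SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2")` carries a duplicated `SSH-2.0-` prefix, and since this commit rewrites the comment just above it (`Use these to disguise…`), it is the moment to correct it to `# (default: "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2")` so it matches the active `ssh_version_string` line. `Use these` also reads oddly for a single option; the original `Use this` was correct. The moved host-key comment says missing keys are created automatically but not that `data/ssh_host_*_key` are private keys; a one-line note that they must not be world-readable would help operators who copy `data/` between hosts.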
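Review bot: The new `Output Plugins` header is inserted after the XMPP logging block, so that block ends up filed under the `Database logging Specific Options` header added in the previous hunk even though it is not a database. Either move the `Output Plugins` header above `# XMPP Logging` or drop the `Database logging` header, since every section that follows it is an output module.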