Add support for overriding the reported SSH port and for reporting the public IP of the honeypot

These changes are adapted from ThreatStream's version of Kippo at https://github.com/threatstream/kippo/ (specifically commits ac2d7c0e907a75c1ee9d677d7a0badd925c6339a and 634d08bad8b1e9ae984487b8108a3d06f018043d). Both options are disabled by default to preserve the current behavior of Cowrie.
2026-01-03 06:14:21 +01:00 · 2015-11-15 23:54:47 -05:00
parent 7b5c9d792d
commit aa3ebbdcef
2 changed files with 27 additions and 1 deletions
--- a/cowrie.cfg.dist
+++ b/cowrie.cfg.dist
@@ -26,6 +26,13 @@
 # (default: 2222)
 #listen_port = 2222

+# Source Port to report in logs (useful if you use iptables to forward ports to cowrie)
+#reported_ssh_port = 22
+
+# Enable to log the public IP of the honeypot (useful if listening on 127.0.0.1)
+# IP address is obtained by querying http://myip.threatstream.com
+#report_public_ip = true
+
 # Hostname for the honeypot. Displayed by the shell prompt of the virtual
 # environment.
 #
--- a/cowrie/core/dblog.py
+++ b/cowrie/core/dblog.py
@@ -49,6 +49,17 @@ class DBLogger(object):
            'KIPP0012': self.handleTTYLogClosed,
        }

+        self.reported_ssh_port = None
+        if self.cfg.has_option('honeypot', 'reported_ssh_port'):
+            self.reported_ssh_port = int(cfg.get('honeypot', 'reported_ssh_port'))
+
+        self.report_public_ip = False
+        if self.cfg.has_option('honeypot', 'report_public_ip'):
+            if cfg.get('honeypot', 'report_public_ip') == "true" or cfg.get('honeypot', 'report_public_ip') == "1":
+                self.report_public_ip = True
+                import urllib
+                self.public_ip = urllib.urlopen('http://myip.threatstream.com').readline()
+
        self.start(cfg)

    # used when the HoneypotTransport prefix is not available.
@@ -82,9 +93,17 @@ class DBLogger(object):
        # connection event is special. adds to list
        if ev['eventid'] == 'KIPP0001':
            sessionno = ev['sessionno']
+            peerIP, peerPort = ev['src_ip'], ev['src_port']
+            hostIP, hostPort = ev['dst_ip'], ev['dst_port']
+
+            if self.reported_ssh_port:
+                hostPort = self.reported_ssh_port
+            if self.report_public_ip:
+                hostIP = self.public_ip
+
            self.sessions[sessionno] = \
                self.createSession(
-                    ev['src_ip'], ev['src_port'], ev['dst_ip'], ev['dst_port'])
+                    peerIP, peerPort, hostIP, hostPort)
            return

        # use explicit sessionno if coming from dispatch