From aa3ebbdcef285f06afec002174011617124f76c2 Mon Sep 17 00:00:00 2001
From: lelonek1
Date: Sun, 15 Nov 2015 23:54:47 -0500
Subject: [PATCH] Add support for overriding the reported SSH port and for reporting the public IP of the honeypot
These changes are adapted from ThreatStream's version of Kippo at https://github.com/threatstream/kippo/ (specifically commits ac2d7c0e907a75c1ee9d677d7a0badd925c6339a and 634d08bad8b1e9ae984487b8108a3d06f018043d). Both options are disabled by default to preserve the current behavior of Cowrie.
---
 cowrie.cfg.dist | 7 +++++++
 cowrie/core/dblog.py | 21 ++++++++++++++++++++-
 2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/cowrie.cfg.dist b/cowrie.cfg.dist
index 06a4093..20e9a1a 100644
--- a/cowrie.cfg.dist
+++ b/cowrie.cfg.dist
@@ -26,6 +26,13 @@
 # (default: 2222)
 #listen_port = 2222
+# Source Port to report in logs (useful if you use iptables to forward ports to cowrie)
+#reported_ssh_port = 22
+
+# Enable to log the public IP of the honeypot (useful if listening on 127.0.0.1)
+# IP address is obtained by querying http://myip.threatstream.com
+#report_public_ip = true
+
 # Hostname for the honeypot. Displayed by the shell prompt of the virtual
 # environment.
 #
diff --git a/cowrie/core/dblog.py b/cowrie/core/dblog.py
index 3dba45e..c221faf 100644
--- a/cowrie/core/dblog.py
+++ b/cowrie/core/dblog.py
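Review bot: The comment `# Source Port to report in logs` on the new `reported_ssh_port` option is misleading: in dblog.py the value replaces the session's destination port (the port the attacker connected to), not a source port. Suggest `# Destination port to report in logs when connections reach cowrie through a forwarded port (e.g. iptables 22 -> 2222)`. The `report_public_ip` comment should also state that enabling it makes one outbound plaintext HTTP request from the honeypot host at startup and that the returned value is stored as the session's dst_ip, so operators know the option causes egress traffic and what ends up in their records.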
@@ -49,6 +49,17 @@ class DBLogger(object): 'KIPP0012': self.handleTTYLogClosed, } + self.reported_ssh_port = None + if self.cfg.has_option('honeypot', 'reported_ssh_port'): + self.reported_ssh_port = int(cfg.get('honeypot', 'reported_ssh_port')) + + self.report_public_ip = False + if self.cfg.has_option('honeypot', 'report_public_ip'): + if cfg.get('honeypot', 'report_public_ip') == "true" or cfg.get('honeypot', 'report_public_ip') == "1": + self.report_public_ip = True + import urllib + self.public_ip = urllib.urlopen('http://myip.threatstream.com').readline() + self.start(cfg) # used when the HoneypotTransport prefix is not available. @@ -82,9 +93,17 @@ class DBLogger(object): # connection event is special. adds to list if ev['eventid'] == 'KIPP0001': sessionno = ev['sessionno'] + peerIP, peerPort = ev['src_ip'], ev['src_port'] + hostIP, hostPort = ev['dst_ip'], ev['dst_port'] + + if self.reported_ssh_port: + hostPort = self.reported_ssh_port + if self.report_public_ip: + hostIP = self.public_ip + self.sessions[sessionno] = \ self.createSession( - ev['src_ip'], ev['src_port'], ev['dst_ip'], ev['dst_port']) + peerIP, peerPort, hostIP, hostPort) return # use explicit sessionno if coming from dispatch
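Review bot: The public-IP lookup added under the `if cfg.get('honeypot', 'report_public_ip') == "true" ...` branch trusts an unauthenticated plaintext HTTP response and can abort logger startup: `urllib.urlopen` is called with no timeout, any socket error propagates out of `__init__`, and `.readline()` hands back the raw first line (presumably still carrying its newline) which is never checked to be an address before the second hunk persists it as dst_ip. Bound the request, strip and validate the body, and turn the option back off on failure so `hostIP = self.public_ip` in the second hunk can never substitute an unset value. `cfg.getboolean('honeypot', 'report_public_ip')` would also replace the hand-rolled `== "true" or ... == "1"` test and accept the other ConfigParser spellings. The enclosing `__init__` starts outside the hunk.

```python
        # … unchanged: reported_ssh_port handling …

        self.report_public_ip = False
        self.public_ip = None
        if self.cfg.has_option('honeypot', 'report_public_ip') and \
                cfg.getboolean('honeypot', 'report_public_ip'):
            import socket
            import urllib2
            try:
                # Bounded wait so a slow or unreachable lookup service
                # cannot stall logger startup (timeout is a sample value).
                body = urllib2.urlopen('http://myip.threatstream.com',
                                       timeout=10).readline().strip()
                socket.inet_aton(body)  # accept only a dotted-quad address
            except (IOError, socket.error):
                # Leave the option off rather than persist an empty or
                # non-address body as the session's dst_ip.
                self.report_public_ip = False
            else:
                self.report_public_ip = True
                self.public_ip = body
```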
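Review bot: The override discards the observed destination entirely: after `hostIP = self.public_ip` and `hostPort = self.reported_ssh_port` nothing in the record says the session was rewritten, so a session logged through a forwarded port can no longer be matched to the listener that actually accepted it. A one-line comment above the two `if` statements, e.g. `# dst_ip/dst_port are the local forwarded listener; report the public-facing values instead`, would make that loss deliberate rather than accidental. The `if self.report_public_ip:` test should additionally guard the value it substitutes, `if self.report_public_ip and self.public_ip:`, so an unset or empty lookup result is never stored in place of a real address. The enclosing method starts and ends outside the hunk.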