From c07a5d6b182e9aaa7f5dfed936d925199fe9fe72 Mon Sep 17 00:00:00 2001
From: Michel Oosterhof
Date: Mon, 4 Jan 2016 13:37:13 +0000
Subject: [PATCH] properly log SFTP uploads

---
 cowrie/core/fs.py | 4 +++-
 cowrie/core/output.py | 1 +
 cowrie/ssh/filetransfer.py | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/cowrie/core/fs.py b/cowrie/core/fs.py
index c9c95d1..858258d 100644
--- a/cowrie/core/fs.py
+++ b/cowrie/core/fs.py
@@ -376,14 +376,16 @@ class HoneyPotFilesystem(object):
             return True
         if self.tempfiles[fd] is not None:
             shasum = hashlib.sha256(open(self.tempfiles[fd], 'rb').read()).hexdigest()
-            log.msg("SHA sum %s" % (shasum,))
             shasumfile = self.cfg.get('honeypot', 'download_path') + "/" + shasum
+            log.msg(format='SFTP Uploaded file \"%(filename)s\" to %(outfile)s',
+                eventid='COW0017', filename=os.path.basename(self.filenames[fd]), outfile=shasumfile, shasum=shasum )
             if (os.path.exists(shasumfile)):
                 os.remove(self.tempfiles[fd])
             else:
                 os.rename(self.tempfiles[fd], shasumfile)
             os.symlink(shasum, self.tempfiles[fd])
             self.update_realfile(self.getfile(self.filenames[fd]), shasumfile)
+            del self.tempfiles[fd]
         del self.filenames[fd]
         return os.close(fd)
diff --git a/cowrie/core/output.py b/cowrie/core/output.py
index bf54ff6..0709b13 100644
--- a/cowrie/core/output.py
+++ b/cowrie/core/output.py
@@ -52,6 +52,7 @@ import socket
 # COW0014 : direct-tcpip request
 # COW0015 : direct-tcpip data
 # COW0016 : key fingerprint
+# COW0017 : SFTP uploaded file
 class Output(object):
     """
diff --git a/cowrie/ssh/filetransfer.py b/cowrie/ssh/filetransfer.py
index f8198ae..d7f17ee 100644
--- a/cowrie/ssh/filetransfer.py
+++ b/cowrie/ssh/filetransfer.py
@@ -272,7 +272,7 @@ class SFTPServerForCowrieUser(object):
     def realPath(self, path):
         """
         """
-        log.msg("SFTP realPath: %s" % (path,))
+        #log.msg("SFTP realPath: %s" % (path,))
         return self.fs.realpath(self._absPath(path))
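Review bot: The new `del self.tempfiles[fd]` sits between `self.update_realfile(...)` and `del self.filenames[fd]`, which in this collapsed hunk reads as inside the `if self.tempfiles[fd] is not None:` branch (the indentation is not recoverable here); if so, a descriptor whose tempfile entry is None keeps its `tempfiles` key while `filenames` loses its key on every path, so the two tables go out of step for that fd. Placing the del at the same level as `del self.filenames[fd]` keeps the cleanup symmetric regardless of whether a temp file was recorded. A style point on the new `log.msg` call: the `\"` escapes are unnecessary inside a single-quoted literal, `format='SFTP Uploaded file "%(filename)s" to %(outfile)s',` reads the same; and since `filename` is derived from the client-supplied SFTP path, passing only `os.path.basename(...)` into the event, as done here, is the right choice for log readability. The enclosing method starts outside the hunk.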
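Review bot: The `realPath` log call is commented out rather than removed (`#log.msg("SFTP realPath: %s" % (path,))`); commented-out code tends to rot, so if the intent is to drop the per-request noise the line should be deleted outright. If it is being kept for occasional troubleshooting, a comment such as `# realPath fires on every SFTP request; logging it floods the session log` records why it is silent. The empty `"""` docstring on the method is pre-existing, but a one-liner like `"""Return the real path of *path* via self.fs."""` would document it while this line is being touched.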