From 7b5c9d792d9d0bea2dad6946ca519882b874f310 Mon Sep 17 00:00:00 2001
From: lelonek1
Date: Sun, 15 Nov 2015 23:34:43 -0500
Subject: [PATCH 1/2] Try to reconnect to the hpfeeds server if the connection is down when we are trying to send data.

This way we recover from temporary network problems.

(cherry picked from commit e7dec5620100257fa56cec2a1858cbb4864a12a5 in threatstream/kippo)
---
 cowrie/dblog/hpfeeds.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/cowrie/dblog/hpfeeds.py b/cowrie/dblog/hpfeeds.py
index 8faa152..f37aaa4 100644
--- a/cowrie/dblog/hpfeeds.py
+++ b/cowrie/dblog/hpfeeds.py
@@ -103,6 +103,9 @@ class hpclient(object):
         self.handle_established()
 
     def send(self, data):
+        if not self.s:
+            self.connect()
+
         if not self.s: return
         self.s.send(data)
 

From aa3ebbdcef285f06afec002174011617124f76c2 Mon Sep 17 00:00:00 2001
From: lelonek1
Date: Sun, 15 Nov 2015 23:54:47 -0500
Subject: [PATCH 2/2] Add support for overriding the reported SSH port and for reporting the public IP of the honeypot

These changes are adapted from ThreatStream's version of Kippo at https://github.com/threatstream/kippo/ (specifically commits ac2d7c0e907a75c1ee9d677d7a0badd925c6339a and 634d08bad8b1e9ae984487b8108a3d06f018043d). Both options are disabled by default to preserve the current behavior of Cowrie.
---
 cowrie.cfg.dist      |  7 +++++++
 cowrie/core/dblog.py | 21 ++++++++++++++++++++-
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/cowrie.cfg.dist b/cowrie.cfg.dist
index 06a4093..20e9a1a 100644
--- a/cowrie.cfg.dist
+++ b/cowrie.cfg.dist
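Review bot: The reconnect only fires when `self.s` is falsy, so a socket that is still set but dead (the usual outcome of the "temporary network problems" the commit message targets) makes `self.s.send(data)` raise straight into the logging caller, and nothing visible in the hunk clears `self.s` so that a later call would retry. Catch `socket.error` around the send, set `self.s = None` so the following call reconnects, and use `sendall()` since `send()` may write only part of the buffer. If `connect()` itself can raise rather than leave `self.s` unset (its body is outside this hunk), the same guard belongs around that call. `hpclient` continues outside the hunk; `socket` must be imported at module level if it is not already.
```python
    def send(self, data):
        if not self.s:
            self.connect()
        if not self.s:
            return
        try:
            self.s.sendall(data)
        except socket.error:
            # drop the dead socket so the next send() reconnects
            self.s = None
```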
@@ -26,6 +26,13 @@
 # (default: 2222)
 #listen_port = 2222
 
+# Source Port to report in logs (useful if you use iptables to forward ports to cowrie)
+#reported_ssh_port = 22
+
+# Enable to log the public IP of the honeypot (useful if listening on 127.0.0.1)
+# IP address is obtained by querying http://myip.threatstream.com
+#report_public_ip = true
+
 # Hostname for the honeypot. Displayed by the shell prompt of the virtual
 # environment.
 #
diff --git a/cowrie/core/dblog.py b/cowrie/core/dblog.py
index 3dba45e..c221faf 100644
--- a/cowrie/core/dblog.py
+++ b/cowrie/core/dblog.py
@@ -49,6 +49,17 @@ class DBLogger(object):
             'KIPP0012': self.handleTTYLogClosed,
         }
 
+        self.reported_ssh_port = None
+        if self.cfg.has_option('honeypot', 'reported_ssh_port'):
+            self.reported_ssh_port = int(cfg.get('honeypot', 'reported_ssh_port'))
+
+        self.report_public_ip = False
+        if self.cfg.has_option('honeypot', 'report_public_ip'):
+            if cfg.get('honeypot', 'report_public_ip') == "true" or cfg.get('honeypot', 'report_public_ip') == "1":
+                self.report_public_ip = True
+                import urllib
+                self.public_ip = urllib.urlopen('http://myip.threatstream.com').readline()
+
         self.start(cfg)
 
     # used when the HoneypotTransport prefix is not available.
@@ -82,9 +93,17 @@ class DBLogger(object):
         # connection event is special. adds to list
         if ev['eventid'] == 'KIPP0001':
             sessionno = ev['sessionno']
+            peerIP, peerPort = ev['src_ip'], ev['src_port']
+            hostIP, hostPort = ev['dst_ip'], ev['dst_port']
+
+            if self.reported_ssh_port:
+                hostPort = self.reported_ssh_port
+            if self.report_public_ip:
+                hostIP = self.public_ip
+
             self.sessions[sessionno] = \
                 self.createSession(
-                    ev['src_ip'], ev['src_port'], ev['dst_ip'], ev['dst_port'])
+                    peerIP, peerPort, hostIP, hostPort)
             return
 
         # use explicit sessionno if coming from dispatch
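Review bot: The `#report_public_ip = true` comment says where the address comes from but not what enabling it costs: the honeypot then issues an outbound plaintext HTTP request to a third-party service at startup and records whatever comes back as the session's host address, which an operator should know before turning it on. I would extend the comment with `# NOTE: enabling this makes the honeypot contact a third-party service over plain HTTP at startup; the returned value is used unchanged as the reported host address.` The `reported_ssh_port` comment also calls it a "Source Port" although the dblog change uses it to replace the honeypot's own (destination) port; `# Port to report as the honeypot's SSH port in logs (useful if you use iptables to forward ports to cowrie)` describes it accurately.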
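Review bot: The added `urllib.urlopen('http://myip.threatstream.com')` in `__init__` fetches the public address over plaintext HTTP with no timeout and no error handling, and keeps the raw `readline()` result (trailing newline included) without checking that it is an IP address, so a slow or unreachable service stalls or crashes honeypot startup and anyone on the path can inject arbitrary text into what the second hunk records as the session's `dst_ip`. Bound the request with a timeout, strip and validate the response with `socket.inet_aton`, and fall back to the local address when the lookup fails instead of raising. The `cfg.get(...) == "true" or ... == "1"` comparison can be `getboolean`, which accepts the same values, and the block mixes `self.cfg` and `cfg` for the same object. `DBLogger.__init__` continues outside the hunk; the `log.msg` call below assumes Twisted's log is imported in this module as elsewhere in cowrie — use the module's logger if it is not.
```python
        self.report_public_ip = False
        if self.cfg.has_option('honeypot', 'report_public_ip'):
            self.report_public_ip = self.cfg.getboolean('honeypot', 'report_public_ip')
        if self.report_public_ip:
            import socket
            import urllib2
            try:
                # bounded so a stalled lookup cannot hang honeypot startup
                ip = urllib2.urlopen('http://myip.threatstream.com', timeout=10).readline().strip()
                socket.inet_aton(ip)  # reject anything that does not parse as an IPv4 address
                self.public_ip = ip
            except (IOError, socket.error) as e:
                log.msg('Public IP lookup failed, reporting the local address instead: %s' % e)
                self.report_public_ip = False
        # … unchanged: self.start(cfg) …
```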