Skip to content

mindphluxnet/cowrie-logviewer

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

61 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Build Status

cowrie-logviewer

A simple log viewer for the cowrie honeypot.

Since the JSON logs are split by day, you can select the log to view in the top right corner of the page. Some rudimentary statistics are available as well. Uploaded payloads can also be viewed and downloaded via the "Uploaded files" page.

Attacker IPs are run against a local MaxMind GeoIP database to find out which country they belong to. The results are cached in a sqlite database.

Installation

Assuming you installed cowrie into your home directory:

su cowrie
cd ~/../cowrie
git clone https://github.com/mindphluxnet/cowrie-logviewer
cd cowrie-logviewer

If you want, you can make the script executable:

chmod +x cowrie-logviewer.py

Prerequisites

pip install -r requirements.txt

MaxMind GeoLite 2 Country database setup

mkdir maxmind
cd maxmind
wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.mmdb.gz
gunzip GeoLite2-Country.mmdb.gz
rm GeoLite2-Country.mmdb.gz

Configuration

Edit cowrie-logviewer.py to configure the script. There are several variables at the top of the file you can change:

  • "log_path" - the path to the cowrie log directory
  • "dl_path" - the path to the cowrie dl (downloads) directory
  • "maxmind_path" - the path to the MaxMind GeoLite 2 Country database. Default is "maxmind/GeoLite2-Country.mmdb"
  • "bind_host" - the IP address the web server should bind to, default 0.0.0.0
  • "bind_port" - the port the web server should listen to, default 5000
  • "min_upload_size" - min. file size in bytes to be to be listed on the "Uploaded files" page. Default is 1024
  • "debug" - if you want debug messages, set this to True. Default "False"
  • "use_gzip" - if you don't want gzip compression, set this to False. Default "True"
  • "filter_events" - a list of log events to filter. Default "[ 'cowrie.direct-tcpip.request', 'cowrie.direct-tcpip.data' ]"

Usage

python cowrie-logviewer.py

or (if you made the script executable)

./cowrie-logviewer.py

Once it's running, open

http://yourhostname:yourport

in the web browser of your choice. The default port is 5000.

Event filtering

Some log events can be quite annoying since they provide very little insight into what's actually happening but take up huge amounts of log lines. By default, cowrie-logviewer filters out events related to tcp/ip forwarding. I implemented this after having some idiot attempt to abuse my honeypot for some kind of tcp/ip forwarding exploit for about 24 hours straight. This caused the logs to become almost unreadable. Filtering these events removes that annoyance. Of course, the actual log files still contain these events so nothing is lost.

Local network connections

Since local network IPs aren't in the MaxMind database for obvious reasons, there's no flag icon attached to these connections. This isn't a bug, it's a feature.

Releases

No releases published

Packages

No packages published