Hi team,
The aim of this issue is related to the need to add new rules for Cowrie logs to be triggered.
Here are some examples of JSON Cowrie logs:
{"eventid": "cowrie.login.success", "username": "root", "timestamp": "2018-09-05T14:24:20.903909Z", "message": "login attempt [root/] succeeded", "src_ip": "222.112.82.68", "session": "d051258efd62", "password": "", "sensor": "honeypot-ssh"}
{"eventid": "cowrie.login.failed", "username": "raspberry", "timestamp": "2018-09-05T13:52:42.584350Z", "message": "login attempt [raspberry/admin] failed", "src_ip": "193.201.224.214", "session": "5d77535d8ac4", "password": "admin", "sensor": "honeypot-ssh"}
{"eventid": "cowrie.command.input", "timestamp": "2018-09-05T13:56:32.039222Z", "message": "CMD: ll", "src_ip": "116.227.2.205", "session": "61e431803b56", "input": "ll", "sensor": "honeypot-ssh"}
{"eventid": "cowrie.client.version", "session": "dd98054a9b17", "timestamp": "2018-09-12T14:18:40.226440Z", "message": "Remote SSH version: 'SSH-2.0-OpenSSH_7.3'", "src_ip": "5.188.86.198", "version": "'SSH-2.0-OpenSSH_7.3'", "sensor": "honeypot-ssh"}
And here is how the output currently looks:
{"eventid": "cowrie.login.success", "username": "root", "timestamp": "2018-09-05T14:24:20.903909Z", "message": "login attempt [root/] succeeded", "src_ip": "222.112.82.68", "session": "d051258efd62", "password": "", "sensor": "honeypot-ssh"}

**Phase 1: Completed pre-decoding.
       full event: '{"eventid": "cowrie.login.success", "username": "root", "timestamp": "2018-09-05T14:24:20.903909Z", "message": "login attempt [root/] succeeded", "src_ip": "222.112.82.68", "session": "d051258efd62", "password": "", "sensor": "honeypot-ssh"}'
       timestamp: '(null)'
       hostname: 'master'
       program_name: '(null)'
       log: '{"eventid": "cowrie.login.success", "username": "root", "timestamp": "2018-09-05T14:24:20.903909Z", "message": "login attempt [root/] succeeded", "src_ip": "222.112.82.68", "session": "d051258efd62", "password": "", "sensor": "honeypot-ssh"}'

**Phase 2: Completed decoding.
       decoder: 'json'
       eventid: 'cowrie.login.success'
       username: 'root'
       timestamp: '2018-09-05T14:24:20.903909Z'
       message: 'login attempt [root/] succeeded'
       src_ip: '222.112.82.68'
       session: 'd051258efd62'
       password: ''
       sensor: 'honeypot-ssh'

{"eventid": "cowrie.login.success", "username": "root", "timestamp": "2018-09-05T14:24:20.903909Z", "message": "login attempt [root/] succeeded", "src_ip": "222.112.82.68", "session": "d051258efd62", "password": "", "sensor": "honeypot-ssh"}
Regards, Elias
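
An added example, not part of the original issue or of the project's ruleset: a local rules file that would give the decoded events above a rule match after Phase 2, assuming the logtest output comes from Wazuh (the issue does not name the tool). The rule ids, levels and group names are constructed for illustration; the field names are the ones the `json` decoder extracted above.

```xml
<!-- Added example: local rules for JSON-decoded Cowrie events.
     Ids 100100-100105, levels and group names are assumptions. -->
<group name="cowrie,honeypot,">

  <!-- Parent rule: any JSON event whose eventid starts with "cowrie." -->
  <rule id="100100" level="3">
    <decoded_as>json</decoded_as>
    <field name="eventid">^cowrie\.</field>
    <description>Cowrie honeypot event: $(eventid)</description>
  </rule>

  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <field name="eventid">^cowrie\.login\.failed$</field>
    <description>Cowrie: failed login as $(username) from $(src_ip)</description>
    <group>authentication_failed,</group>
  </rule>

  <rule id="100102" level="8">
    <if_sid>100100</if_sid>
    <field name="eventid">^cowrie\.login\.success$</field>
    <description>Cowrie: login accepted as $(username) from $(src_ip)</description>
    <group>authentication_success,</group>
  </rule>

  <rule id="100103" level="8">
    <if_sid>100100</if_sid>
    <field name="eventid">^cowrie\.command\.input$</field>
    <description>Cowrie: command entered from $(src_ip): $(input)</description>
  </rule>

  <rule id="100104" level="3">
    <if_sid>100100</if_sid>
    <field name="eventid">^cowrie\.client\.version$</field>
    <description>Cowrie: SSH client banner $(version) from $(src_ip)</description>
  </rule>

  <!-- Correlation: 8 failed logins within 120 s sharing one src_ip value.
       src_ip is a dynamic JSON field, so same_field is used here; this
       needs a Wazuh release that supports same_field. -->
  <rule id="100105" level="10" frequency="8" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_field>src_ip</same_field>
    <description>Cowrie: repeated failed logins from $(src_ip)</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

Re-running the four sample events through logtest with these rules loaded should add a Phase 3 section to each, with the parent rule 100100 acting only as the anchor for the more specific children.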