Cowrie (honeypot)

Not to be confused with Cowrie.

Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and shell interaction performed by an attacker. Cowrie also functions as an SSH and telnet proxy to observe attacker behavior to another system. Cowrie was developed from Kippo.

Cowrie
Developer(s)	Michel Oosterhof
Repository	github.com/cowrie/cowrie
Available in	Python
License	New BSD
Website	www.cowrie.org

Reception

Cowrie has been referenced in published papers.^[1][2] The Book "Hands-On Ethical Hacking and Network Defense" includes Cowrie in a list of 5 commercial honeypots.^[3]

Prior uses

• Discussing a honeypot effort called the Project Heisenberg Cloud by Rapid7, Bob Rudis, the company's chief data scientist, told eWEEK, "There are custom Rapid7-developed low- and medium-interaction honeypots used within the framework, along with open-source ones, such as Cowrie."^[4]
• Doug Rickert has experimented with the open-source Cowrie SSH honeypot and wrote about it on Medium. Putting up a simple honeypot isn't difficult, and there are many open-source products besides Cowrie, including the original Honeyd to MongoDB and NoSQL honeypots, to ones that emulate web servers. Some appear to be SCADA or other more advanced applications.^[5]

Best practices

• Researchers at the SysAdmin, Audit, Network and Security (SANS) institute urged administrators and security researchers to run the latest version of Cowrie on a honeypot to monitor shifts in the type of passwords being scanned for and pattern of attacks on IoT devices.^[6][7][8]

Discussion and further resources

• Attack Detection and Forensics Using Honeypot in an IoT Environment calls Cowrie a "medium interaction honeypot" and describes results from using it for 40 days to capture "all communicated sessions in log files."^[9]
• The book Advances on Data Science also devotes chapter two to "Cowrie Honeypot Dataset and Logging."^[10]
• ICCWS 2018 13th International Conference on Cyber Warfare and Security describes using Cowrie.^[11]
• On the Move to Meaningful Internet Systems: OTM 2019 Conferences includes details of using Cowrie.^[12]
• Splunk, a security tool that can receive information from honeypots, outlines how to set up a honeypot using the open-source Cowrie package.^[13]