From 3fb6670a7384c7ee08deb4523788d2d64a06cc10 Mon Sep 17 00:00:00 2001
From: Pavel Valach <pavel.valach@cesnet.cz>
Date: Mon, 2 Dec 2024 18:43:38 +0100
Subject: [PATCH] cowrie/wardenfiler: Only send accepted credentials with the
 Intrusion.UserCompromise event

---
 cowrie/wardenfiler.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cowrie/wardenfiler.py b/cowrie/wardenfiler.py
index 342f1de..fa61cec 100644
--- a/cowrie/wardenfiler.py
+++ b/cowrie/wardenfiler.py
@@ -400,7 +400,8 @@ class Output(cowrie.core.output.Output):
                         attach["ContentEncoding"] = "base64"
                     event["Attach"] = [attach]
                 if self.sessions[s]["credentials"]:
-                    event["Credentials"] = self.sessions[s]["credentials"]
+                    accepted_creds = [ c for c in self.sessions[s]["credentials"] if "Accepted" in c ]
+                    event["Credentials"] = list(accepted_creds)
                 self.save_event(event)
             
             if s in self.sessions:
-- 
GitLab