diff --git a/cowrie/wardenfiler.py b/cowrie/wardenfiler.py
index 8b9f6c567d4dad2434af5b9a7e0256dcdbcd33da..342f1de6b804f7f476a52b147b09d630080ca9fb 100644
--- a/cowrie/wardenfiler.py
+++ b/cowrie/wardenfiler.py
@@ -200,6 +200,7 @@ class Output(cowrie.core.output.Output):
 )
 entry["loggedin"] = False
+ entry["credentials"] = []
 # AID - aggregation ID
 entry["aid"] = aid = ','.join((entry["src_ip"], entry["dst_ip"]))
 self.sessions[entry["session"]] = entry
@@ -247,19 +248,15 @@ class Output(cowrie.core.output.Output):
 u, p = entry["username"], entry["password"]
 s = entry["session"]
 if s in self.sessions:
- aid = self.sessions[s]["aid"]
- self.sessions[s]["credentials"] = self.attackers_creds.get(aid, [])
- self.sessions[s]["credentials"].append({"Username": u, "Password": p, "Accepted": True})
 self.sessions[s]["input"] = []
 self.sessions[s]["loggedin"] = True
- self.attackers_creds[aid] = []
+ self.sessions[s]["credentials"].append({"Username": u, "Password": p, "Accepted": True})
 elif entry["eventid"] == "cowrie.login.failed":
 u, p = entry["username"], entry["password"]
 s = entry["session"]
 if s in self.sessions:
- aid = self.sessions[s]["aid"]
- self.attackers_creds[aid].append({"Username": u, "Password": p})
+ self.sessions[s]["credentials"].append({"Username": u, "Password": p})
 elif entry["eventid"] == 'cowrie.command.input':
 s = entry["session"]
@@ -405,4 +402,10 @@ class Output(cowrie.core.output.Output):
 if self.sessions[s]["credentials"]:
 event["Credentials"] = self.sessions[s]["credentials"]
 self.save_event(event)
+
+ if s in self.sessions:
+ # Store attempted credentials (all) to the aggregation cache
+ aid = self.sessions[s]["aid"]
+ self.attackers_creds[aid].extend(self.sessions[s]["credentials"])
+ # Discard the session
 self.sessions.pop(s, None)
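Review bot: The record appended in the new `cowrie.login.failed` branch has no `Accepted` key, while the success branch writes `"Accepted": True`, so the per-session credentials list now mixes two record shapes and every consumer of the exported `Credentials` field has to use `.get("Accepted")` to tell a failed attempt from a successful one. Writing `self.sessions[s]["credentials"].append({"Username": u, "Password": p, "Accepted": False})` keeps the schema uniform and makes the outcome explicit in the event. Both branches also index `self.sessions[s]["credentials"]` directly, which depends on every session record having been created through the `entry["credentials"] = []` initialisation added in the first hunk; a session dict that reaches this code without that key raises KeyError. The enclosing event-dispatch method starts and ends outside this hunk.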
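Review bot: `self.attackers_creds[aid].extend(...)` in the new session-close block is only safe if `attackers_creds` is a defaultdict; the removed success-path line `self.attackers_creds[aid] = []` was the one place that created the key for a plain dict, so a first-seen aid would now raise KeyError on close unless the container type is known. `self.attackers_creds.setdefault(aid, []).extend(self.sessions[s]["credentials"])` is correct for either container. Nothing in this diff reads or prunes the cache after the extend, whereas the old code cleared it on a successful login, so it appears to grow by every attempted username/password pair for the life of the process, keyed by src/dst address pair; if it is consumed elsewhere that is fine, otherwise it needs a bound or an explicit clear, and the comment should say which. Note also that the exported `Credentials` now covers only the current session, since the old merge of cached attempts into the successful session's list is gone. The enclosing method starts outside this hunk.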