From c4300b84233af5bfaf0cbcc89f8b5ccd493b32e1 Mon Sep 17 00:00:00 2001
From: Pavel Valach <pavel.valach@cesnet.cz>
Date: Mon, 2 Dec 2024 18:26:06 +0100
Subject: [PATCH] cowrie/wardenfiler: Credentials aggregation change

First, store the credentials into the session info.
If the login succeeds, only the credentials from that login session will be sent.

Store all of the attempted credentials in the aggregation buffer.

When the aggregation window expires and the event is flushed,
send the aggregated credentials to Warden.
---
 cowrie/wardenfiler.py | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/cowrie/wardenfiler.py b/cowrie/wardenfiler.py
index 8b9f6c5..342f1de 100644
--- a/cowrie/wardenfiler.py
+++ b/cowrie/wardenfiler.py
@@ -200,6 +200,7 @@ class Output(cowrie.core.output.Output):
             )
 
             entry["loggedin"] = False
+            entry["credentials"] = []
             # AID - aggregation ID
             entry["aid"] = aid = ','.join((entry["src_ip"], entry["dst_ip"]))
             self.sessions[entry["session"]] = entry
@@ -247,19 +248,15 @@ class Output(cowrie.core.output.Output):
             u, p = entry["username"], entry["password"]
             s = entry["session"]
             if s in self.sessions:
-                aid = self.sessions[s]["aid"]
-                self.sessions[s]["credentials"] = self.attackers_creds.get(aid, [])
-                self.sessions[s]["credentials"].append({"Username": u, "Password": p, "Accepted": True})
                 self.sessions[s]["input"] = []
                 self.sessions[s]["loggedin"] = True
-                self.attackers_creds[aid] = []
+                self.sessions[s]["credentials"].append({"Username": u, "Password": p, "Accepted": True})
 
         elif entry["eventid"] == "cowrie.login.failed":
             u, p = entry["username"], entry["password"]
             s = entry["session"]
             if s in self.sessions:
-                aid = self.sessions[s]["aid"]
-                self.attackers_creds[aid].append({"Username": u, "Password": p})
+                self.sessions[s]["credentials"].append({"Username": u, "Password": p})
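Review bot: The two appended records have different shapes: the success path adds `{"Username": u, "Password": p, "Accepted": True}` while the failed path adds `{"Username": u, "Password": p}` with no `Accepted` key, so anything consuming the aggregated `Credentials` list must treat a missing key as a rejected attempt. Since this commit now merges both kinds into one per-session list that is later copied into the aggregation cache, a uniform schema is cheap here: `self.sessions[s]["credentials"].append({"Username": u, "Password": p, "Accepted": False})`. The session-missing case (`s not in self.sessions`) still drops the attempt silently in both branches; a one-line comment such as `# no connect event seen for this session; attempt is not aggregated` would document that this is intended. The enclosing method starts outside this hunk.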
 
         elif entry["eventid"] == 'cowrie.command.input':
             s = entry["session"]
@@ -405,4 +402,10 @@ class Output(cowrie.core.output.Output):
                 if self.sessions[s]["credentials"]:
                     event["Credentials"] = self.sessions[s]["credentials"]
                 self.save_event(event)
+            
+            if s in self.sessions:
+                # Store attempted credentials (all) to the aggregation cache
+                aid = self.sessions[s]["aid"]
+                self.attackers_creds[aid].extend(self.sessions[s]["credentials"])
+            # Discard the session
             self.sessions.pop(s, None)
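Review bot: `self.attackers_creds[aid].extend(...)` raises KeyError the first time an aggregation id is flushed unless `attackers_creds` is a `defaultdict(list)`, which is not visible in this hunk; the removed success path used `self.attackers_creds.get(aid, [])`, which suggests plain-dict access was previously guarded. If it is a plain dict, `self.attackers_creds.setdefault(aid, []).extend(self.sessions[s]["credentials"])` keeps the flush path from crashing on a new source/destination pair. Note also that the success path no longer resets `self.attackers_creds[aid]`, so the cache for an aid grows until the aggregation window clears it; if that clearing happens elsewhere, a comment here naming where would help, e.g. `# cleared when the aggregation window for this aid expires`. The added line above `if s in self.sessions:` is whitespace-only with trailing spaces and should be a blank line. The enclosing method starts outside this hunk.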
-- 
GitLab