cowrie/wardenfiler.py

@@ -209,11 +209,12 @@ class Output(cowrie.core.output.Output):
             # aggregated credentials from attempts
             if not self.attackers_creds.get(aid):
                 self.attackers_creds[aid] = []
-            creds = self.attackers_creds[aid]
 
             if (time() - ws < self.aggr_win):
                 self.attackers[aid] = cnt + 1
             else:
+                # This flushes out ALL the aggregated events!
+                # NOTE: The AID, and its values, are no longer relevant for this part of code!
                 event["Node"][0]["AggrWin"] = strftime("%H:%M:%S", gmtime(float(self.aggr_win)))
                 event["WinStartTime"] = datetime.utcfromtimestamp(ws).isoformat() + 'Z'
                 event["WinEndTime"] = datetime.utcfromtimestamp(ws + self.aggr_win).isoformat() + 'Z'
@@ -222,6 +223,7 @@ class Output(cowrie.core.output.Output):
                 for i, c in self.attackers.items():
                     a_src_ip, a_dst_ip = i.split(',')
                     a_af = "IP4" if not ':' in a_src_ip else "IP6"
+                    a_creds = self.attackers_creds.get(i, [])
                     event["ID"] = str(uuid4())
                     event["DetectTime"] = event["WinEndTime"]
                     event["ConnCount"] = c
@@ -229,10 +231,11 @@ class Output(cowrie.core.output.Output):
                     event["Target"] = [{"Proto": ["tcp", "ssh"], a_af: [a_dst_ip]}]
                     if (self.anon_mask_4 < 32 and a_af == "IP4") or (self.anon_mask_6 < 128):
                         event["Target"][0]["Anonymised"] = True
-                    if creds:
-                        event["Credentials"] = creds
+                    if a_creds:
+                        event["Credentials"] = a_creds
                     self.save_event(event)
                 self.attackers = {}
+                self.attackers_creds = {}
                 ws = time()
                 self.attackers[aid] = 1
                 self.attackers_creds[aid] = []
@@ -250,7 +253,7 @@ class Output(cowrie.core.output.Output):
             if s in self.sessions:
                 self.sessions[s]["input"] = []
                 self.sessions[s]["loggedin"] = True
-                self.sessions[s]["credentials"].append({"Username": u, "Password": p, "Accepted": True})
+                self.sessions[s]["credentials"].append({"Username": u, "Password": p, "Type": ["AcceptedByServer"]})
 
         elif entry["eventid"] == "cowrie.login.failed":
             u, p = entry["username"], entry["password"]