Draft: cowrie/wardenfiler: Store credentials for both successful and unsuccessful attempts

Pavel Valach requested to merge cowrie-credentials into master

Format used is [{"Username": "pavel", "Password": "pass"}]. There is an additional "Type": ["AcceptedByServer"] property, used for credentials which the honeypot allowed.

All attempted credentials are first stored in a session. Then, when the session is closed, they are stored in the aggregation under the AID key (the aggregation ID (AID) "src_ip,dst_ip"). The credentials are flushed from the aggregation when the aggregation window expires. They are included in the Attempt.Login event.

With the successful login (event type Intrusion.UserCompromise), only the accepted pair of username/password is sent with that event.

Edited by Pavel Valach
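
The session-to-aggregation flow described in the merge request above, as an added Python example; it is not code from this merge request or from wardenfiler. The class and method names, the `Category`, `AID` and `Credentials` event keys, and starting the window when the first session for an AID closes are all assumptions.

```python
# Added illustration; all names and the event layout are hypothetical.
from collections import defaultdict

class CredentialAggregator:
    def __init__(self, window):
        self.window = window                 # aggregation window, seconds
        self.sessions = {}                   # session id -> (aid, credentials)
        self.aggregated = defaultdict(list)  # aid -> credentials of closed sessions
        self.window_start = {}               # aid -> time its window opened (assumed)

    def open_session(self, sid, src_ip, dst_ip):
        self.sessions[sid] = (f"{src_ip},{dst_ip}", [])

    def login(self, sid, username, password, accepted):
        """Store one attempt in the session; return an event only if accepted."""
        aid, creds = self.sessions[sid]
        cred = {"Username": username, "Password": password}
        if accepted:
            cred["Type"] = ["AcceptedByServer"]
        creds.append(cred)
        if not accepted:
            return None
        # The successful-login event carries only the accepted pair.
        return {"Category": ["Intrusion.UserCompromise"], "AID": aid,
                "Credentials": [dict(cred)]}

    def close_session(self, sid, now):
        """Move the session's credentials into the aggregation under its AID."""
        aid, creds = self.sessions.pop(sid)
        self.window_start.setdefault(aid, now)
        self.aggregated[aid].extend(creds)

    def flush(self, now):
        """Emit Attempt.Login for every AID whose window expired, then drop its data."""
        events = []
        for aid, start in list(self.window_start.items()):
            if now - start >= self.window:
                events.append({"Category": ["Attempt.Login"], "AID": aid,
                               "Credentials": self.aggregated.pop(aid)})
                del self.window_start[aid]
        return events

if __name__ == "__main__":
    # Constructed sample session (documentation-range addresses).
    agg = CredentialAggregator(window=300)
    agg.open_session("s1", "192.0.2.10", "198.51.100.5")
    agg.login("s1", "root", "123456", accepted=False)
    print(agg.login("s1", "pavel", "pass", accepted=True))
    agg.close_session("s1", now=10)
    print(agg.flush(now=310))
```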
