cowrie/wardenfiler: Store credentials for both successful and unsuccessful attempts
Format used is [{"Username": "pavel", "Password": "pass"}]. There is an additional "Type": ["AcceptedByServer"] property, used for credentials which the honeypot allowed.
All attempted credentials are first stored in a session. Then, when the session is closed, they are stored in the aggregation under the AID key (the aggregation ID (AID) "src_ip,dst_ip"). The credentials are flushed from the aggregation when the aggregation window expires. They are included in the Attempt.Login event.
With the successful login (event type Intrusion.UserCompromise), only the accepted pair of username/password is sent with that event.
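As an added illustration (not the wardenfiler code from this merge request), a Python model of the session-to-aggregation flow described above: credentials collected per session, merged under the AID "src_ip,dst_ip" when the session closes, and flushed into one Attempt.Login event per AID when the window expires, while the Intrusion.UserCompromise event carries only the accepted pair. The event field names Category, Source, Target, IP4 and Credentials, and the timestamp handling, are assumptions.

```python
# Constructed model of the credential aggregation described in the MR;
# field names and window handling are assumptions, not wardenfiler's own.
class CredentialAggregator:
    def __init__(self, window):
        self.window = window    # aggregation window in seconds
        self.sessions = {}      # session_id -> {"aid": ..., "creds": [...]}
        self.aggregations = {}  # aid "src_ip,dst_ip" -> {"start": ts, "creds": [...]}

    def open_session(self, session_id, src_ip, dst_ip):
        self.sessions[session_id] = {"aid": f"{src_ip},{dst_ip}", "creds": []}

    def record_login(self, session_id, username, password, accepted):
        """Store one attempted pair in the session; accepted pairs get the
        Type marker. Returns the UserCompromise event (accepted pair only)
        or None for a rejected attempt."""
        cred = {"Username": username, "Password": password}
        if accepted:
            cred["Type"] = ["AcceptedByServer"]
        self.sessions[session_id]["creds"].append(cred)
        if accepted:
            return {"Category": ["Intrusion.UserCompromise"], "Credentials": [cred]}
        return None

    def close_session(self, session_id, now):
        """Move the session's credentials into the aggregation for its AID."""
        sess = self.sessions.pop(session_id)
        agg = self.aggregations.setdefault(sess["aid"], {"start": now, "creds": []})
        agg["creds"].extend(sess["creds"])

    def flush(self, now):
        """Emit Attempt.Login events for aggregations whose window expired.
        Each event carries only the credentials stored under its own AID, so
        flushing never attaches one source IP's credentials to another's event."""
        expired = [a for a, g in self.aggregations.items() if now - g["start"] >= self.window]
        events = []
        for aid in expired:
            agg = self.aggregations.pop(aid)
            src_ip, dst_ip = aid.split(",")
            events.append({
                "Category": ["Attempt.Login"],
                "Source": [{"IP4": [src_ip]}],
                "Target": [{"IP4": [dst_ip]}],
                "Credentials": agg["creds"],
            })
        return events
```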
Activity
requested review from @daniel_studeny
assigned to @Pavel.Valach
Marking as draft because it sends events with invalid credential assignment (Src IP address, where the credentials are recorded, does not match the one in the logs).
Found the cause (the flushing of aggregated entries), working on a fix.
Edited by Pavel Valach
added 1 commit
- cccd60d7 - cowrie/wardenfiler: Credentials - change "Accepted: True" to Type: ["AcceptedByServer"]
added 1 commit
- 79d88b42 - cowrie/wardenfiler: Fix spurious aggregated "Credentials" with values from the...
Tested the latest revision on real traffic, works as designed. Ready for review.
Edited by Pavel Valach