cowrie/wardenfiler: Store credentials for both successful and unsuccessful attempts

Format used is [{"Username": "pavel", "Password": "pass"}]. There is an additional "Type": ["AcceptedByServer"] property, used for credentials which the honeypot allowed.

All attempted credentials are first stored in a session. Then, when the session is closed, they are stored in the aggregation under the AID key (the aggregation ID (AID) "src_ip,dst_ip"). The credentials are flushed from the aggregation when the aggregation window expires. They are included in the Attempt.Login event.

With the successful login (event type Intrusion.UserCompromise), only the accepted pair of username/password is sent with that event.

cowrie/wardenfiler.py

@@ -209,11 +209,12 @@ class Output(cowrie.core.output.Output):
             # aggregated credentials from attempts
             if not self.attackers_creds.get(aid):
                 self.attackers_creds[aid] = []
-            creds = self.attackers_creds[aid]
 
             if (time() - ws < self.aggr_win):
                 self.attackers[aid] = cnt + 1
             else:
+                # This flushes out ALL the aggregated events!
+                # NOTE: The AID, and its values, are no longer relevant for this part of code!
                 event["Node"][0]["AggrWin"] = strftime("%H:%M:%S", gmtime(float(self.aggr_win)))
                 event["WinStartTime"] = datetime.utcfromtimestamp(ws).isoformat() + 'Z'
                 event["WinEndTime"] = datetime.utcfromtimestamp(ws + self.aggr_win).isoformat() + 'Z'
@@ -222,6 +223,7 @@ class Output(cowrie.core.output.Output):
                 for i, c in self.attackers.items():
                     a_src_ip, a_dst_ip = i.split(',')
                     a_af = "IP4" if not ':' in a_src_ip else "IP6"
+                    a_creds = self.attackers_creds.get(i, [])
                     event["ID"] = str(uuid4())
                     event["DetectTime"] = event["WinEndTime"]
                     event["ConnCount"] = c
@@ -229,10 +231,11 @@ class Output(cowrie.core.output.Output):
                     event["Target"] = [{"Proto": ["tcp", "ssh"], a_af: [a_dst_ip]}]
                     if (self.anon_mask_4 < 32 and a_af == "IP4") or (self.anon_mask_6 < 128):
                         event["Target"][0]["Anonymised"] = True
-                    if creds:
-                        event["Credentials"] = creds
+                    if a_creds:
+                        event["Credentials"] = a_creds
                     self.save_event(event)
                 self.attackers = {}
+                self.attackers_creds = {}
                 ws = time()
                 self.attackers[aid] = 1
                 self.attackers_creds[aid] = []