Kippo's Cousin Cowrie

We have mentioned Kippo a lot on the site, but a nice fork is a program called cowrie. (hxxps:// It has some nice new features, including built-in support for Dshield! Since the install is the same as Kippo, I’ll skip that and point you to the cowrie install guide for the basics (hxxps://


Dshield Setup

To set up Dshield logs on Ubuntu, you’ll need one additional Python plugin installed.

>sudo apt-get install python-dateutil


Then we need to enable the Dshield portion of the config. Remove the ‘#’ from the lines of the part starting with the plugin name. You’ll also need your account info. Once logged into ISC, go to My Accounts -> My reports. Select Update info and you’ll see your auth_key.


>vi /home/cowrie/cowrie.cfg



userid = 0123456789

auth_key = mysuperawesomekeycode

batch_size = 100


Once you have this set up, switch to the cowrie user and restart the service. To troubleshoot setup issues, look in /home/cowrie/log/cowrie.log


>fgrep dshield /home/cowrie/log/cowrie.log


2016-04-27 00:46:26+0000 [-] Loaded output engine: dshield


AppArmor Setup


To protect the OS, it's good to put some additional security controls around the honeypot. My honeypot is running on Ubuntu, so I chose AppArmor. You can access my cowrie profile on my GitHub at hxxps://  While I could lock it down a bit more, it seems to work well.


Once you have downloaded the file, copy it to the AppArmor folder. (NOTE: If you did not install cowrie in the /home/cowrie folder, you must rename the profile to match the appropriate folder.)

>sudo cp /home/user/download/ /etc/apparmor.d/


Now place the service into enforcement mode.

>sudo aa-enforce /etc/apparmor.d/


Now restart the cowrie service. Then check to see if it's being protected.



apparmor module is loaded.

5 profiles are loaded.

5 profiles are in enforce mode.






0 profiles are in complain mode.

2 processes have profiles defined.

2 processes are in enforce mode.

  /home/cowrie/ (25592)

  /sbin/dhclient (658)

0 processes are in complain mode.

0 processes are unconfined but have a profile defined.


To get a better understanding of what the actual profile is allowing check out hxxp://


Sqlite3 Setup

I run my honeypots on very lean VMs (512 MB RAM), so they will not run with MySQL on them, but to get similar power cowrie has support for sqlite3!


Create database

>cd /home/cowrie

>sqlite3 cowrie.db

sqlite>.read /home/cowrie/doc/sql/sqlite3.sql


In cowrie.cfg

>vi /home/cowrie/cowrie.cfg



db_file = /home/cowrie/cowrie.db


Once you have restarted the service, everything should be ready to go. If you are new to SQLite, a few useful commands to get you started are below.


sqlite>.schema

sqlite>.tables

sqlite>.quit


To access the database and start querying:


>sqlite3 /home/cowrie/cowrie.db


Query to see all connected sessions.

sqlite>select * from sessions;




To see what user/password combinations were used.

sqlite> select * from auth;




To see what commands the attacker ran at the command prompt.

sqlite> select * from input;


1|80ec8485|2016-04-21T19:50:10.746605Z||1|ps -ef


3|80ec8485|2016-04-21T19:50:13.832965Z||1|cat /tmp
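
As an added example (not part of the original diary and not cowrie's own code), the three queries above can be combined into triage views: the most-tried username/password pairs, and each command tied back to the source IP of its session. The column names are an assumption based on cowrie's sqlite3.sql and should be confirmed with .schema on your install; all rows are constructed sample data.

```python
import sqlite3

# Assumed subset of cowrie's sqlite3.sql schema; confirm with .schema on your install.
SCHEMA = """
CREATE TABLE sessions (id TEXT PRIMARY KEY, starttime TEXT, endtime TEXT,
                       sensor INTEGER, ip TEXT, termsize TEXT, client INTEGER);
CREATE TABLE auth (id INTEGER PRIMARY KEY, session TEXT, success INTEGER,
                   username TEXT, password TEXT, timestamp TEXT);
CREATE TABLE input (id INTEGER PRIMARY KEY, session TEXT, timestamp TEXT,
                    realm TEXT, success INTEGER, input TEXT);
"""

def sample_db():
    """In-memory database with constructed rows (192.0.2.x is a documentation range)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO sessions VALUES ('80ec8485','2016-04-21T19:50:01Z',"
               "'2016-04-21T19:50:20Z',1,'192.0.2.10',NULL,1)")
    db.execute("INSERT INTO sessions VALUES ('aaaa0001','2016-04-21T20:00:00Z',"
               "'2016-04-21T20:00:05Z',1,'192.0.2.77',NULL,1)")
    db.executemany("INSERT INTO auth VALUES (?,?,?,?,?,?)", [
        (1, "80ec8485", 0, "root", "admin", "2016-04-21T19:50:03Z"),
        (2, "80ec8485", 1, "root", "123456", "2016-04-21T19:50:05Z"),
        (3, "aaaa0001", 0, "root", "admin", "2016-04-21T20:00:02Z"),
    ])
    db.executemany("INSERT INTO input VALUES (?,?,?,?,?,?)", [
        (1, "80ec8485", "2016-04-21T19:50:10.746605Z", None, 1, "ps -ef"),
        (3, "80ec8485", "2016-04-21T19:50:13.832965Z", None, 1, "cat /tmp"),
    ])
    return db

def top_credentials(db, limit=10):
    """Most frequently tried username/password pairs, with success counts."""
    return db.execute(
        "SELECT username, password, COUNT(*) AS tries, SUM(success) AS ok "
        "FROM auth GROUP BY username, password "
        "ORDER BY tries DESC, username, password LIMIT ?", (limit,)).fetchall()

def commands_by_source(db):
    """Each command typed, tied back to the source IP of its session."""
    return db.execute(
        "SELECT s.ip, i.timestamp, i.input FROM input i "
        "JOIN sessions s ON s.id = i.session ORDER BY i.timestamp").fetchall()

if __name__ == "__main__":
    db = sample_db()
    for row in top_credentials(db) + commands_by_source(db):
        print(row)
```

To run the same two functions against real data, replace `sample_db()` with `sqlite3.connect("/home/cowrie/cowrie.db")`.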




I’ve enjoyed using cowrie on my latest setup with sqlite3. It's been solid over the last week and I have not run into any issues.



Tom Webb



ISC Handler
Apr 27th 2016
