Cowrie – The overly talkative SSH honeypot

Records every keystroke an attacker types, including the typos and existential crises.

Installation (Docker)

docker run -p 2222:2222 -v ~/cowrie/logs:/cowrie/cowrie-git/var/log/cowrie cowrie/cowrie

Configuration

Edit cowrie.cfg:

[ssh]
listen_port = 2222
# Banner string presented to connecting clients
version = SSH-2.0-OpenSSH_7.6p1

Usage

tail -f ~/cowrie/logs/cowrie.json

The logs are hilariously verbose. Perfect for bedtime reading.

Integration

  • Slack alerts: use jq to parse the JSON logs and curl to post to a Slack webhook

  • Suricata tagging:

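# suricata.yaml
outputs:
  - eve-log:
      enabled: yes
      types:
        # log SSH protocol events
        - ssh
        # include packets tagged by rules that use the tag keyword
        - alert:
            tagged-packets: yes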
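
The Slack alert pipeline from the first bullet, as an added example that is not part of the original page or the Cowrie project. It assumes SLACK_WEBHOOK_URL holds an incoming-webhook URL and that the log sits at the host path mounted by the Docker command above; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the Cowrie project): Cowrie JSON log -> Slack webhook.
# Assumptions: SLACK_WEBHOOK_URL holds an incoming-webhook URL; COWRIE_LOG
# defaults to the host path mounted by the docker command on this page.
COWRIE_LOG="${COWRIE_LOG:-$HOME/cowrie/logs/cowrie.json}"

# Read Cowrie JSON lines on stdin, write one Slack payload per line on stdout.
# - fromjson? skips lines that are not valid JSON (e.g. a half-written line)
# - only successful logins and typed commands are forwarded
# - esc truncates, then escapes & < > so attacker-typed text cannot inject
#   Slack mentions or links into the channel
cowrie_to_slack() {
  jq --unbuffered -Rc '
    def esc: tostring | .[0:200]
      | gsub("&"; "&amp;") | gsub("<"; "&lt;") | gsub(">"; "&gt;");
    fromjson? | objects
    | if .eventid == "cowrie.login.success" then
        {text: "cowrie login from \(.src_ip) as \(.username | esc)/\(.password | esc)"}
      elif .eventid == "cowrie.command.input" then
        {text: "cowrie command from \(.src_ip): \(.input | esc)"}
      else empty end'
}

# Constructed sample input (not real log data): a connect event, a login,
# a truncated line, and a command containing Slack control characters.
sample_log() {
  cat <<'EOF'
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","session":"a1"}
{"eventid":"cowrie.login.success","username":"root","password":"123456","src_ip":"203.0.113.7","session":"a1"}
{"eventid":"cowrie.login.suc
{"eventid":"cowrie.command.input","input":"echo <!channel> & uname -a","src_ip":"203.0.113.7","session":"a1"}
EOF
}

# Follow the live log and POST each payload; -F keeps following across rotation.
main() {
  tail -n 0 -F "$COWRIE_LOG" | cowrie_to_slack | while IFS= read -r payload; do
    curl -sS -m 10 -H 'Content-Type: application/json' \
      --data "$payload" "$SLACK_WEBHOOK_URL" >/dev/null
  done
}

# Stream to Slack when a webhook is configured; --demo prints the sample payloads.
if [ -n "${SLACK_WEBHOOK_URL:-}" ]; then
  main
elif [ "${1:-}" = "--demo" ]; then
  sample_log | cowrie_to_slack
fi
```

Run it with --demo first to see the two payloads the sample produces before pointing it at a real channel.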

Last update: 2025-05-19 17:28