How to process Cowrie output in kippo-graph

(Note: work in progress, instructions are not verified) Tested on Debian 9.

Prerequisites

  • Working Cowrie installation
  • LAMP stack (Linux, Apache, MySQL, PHP)

Installation

This covers a simple installation, with kippo-graph and Cowrie on the same server. Please see here for installation: https://github.com/ikoniaris/kippo-graph

MySQL configuration

Configuring Cowrie requires setting up the SQL tables and then telling Cowrie to use them.

To install the tables and create the Cowrie user account enter the following commands:

mysql -u root -p
CREATE DATABASE cowrie;
GRANT ALL ON cowrie.* TO 'cowrie'@'localhost' IDENTIFIED BY 'PASSWORD HERE';
FLUSH PRIVILEGES;
exit

Next create the database schema:

cd /opt/cowrie/
mysql -u cowrie -p
USE cowrie;
source ./docs/sql/mysql.sql;
exit

disable MySQL strict mode:

vi /etc/mysql/conf.d/disable_strict_mode.cnf

[mysqld]
sql_mode=IGNORE_SPACE,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION

Cowrie configuration

Edit cowrie.cfg:

vi /opt/cowrie/cowrie.cfg

Activate output to mysql:

[output_mysql]
host = localhost
database = cowrie
username = cowrie
password = PASSWORD HERE
port = 3306
debug = false

Set read access to tty-files for group www-data (group maybe differ on other distributions):

sudo apt-get install acl
sudo setfacl -Rm g:www-data:rx /opt/cowrie/var/lib/cowrie/tty/

kippo-graph Configuration

Edit config file:

vi /var/www/html/kippo-graph/config.php

Change db settings:

define('DB_HOST', 'localhost');
define('DB_USER', 'cowrie');
define('DB_PASS', 'PASSWORD HERE');
define('DB_NAME', 'cowrie');
define('DB_PORT', '3306');

Apache2 configuration (optional)

To secure the installation

Create password database:

cd /etc/apache2/
htpasswd -c /etc/apache2/cowrie.passwd <username>
htpasswd /etc/apache2/cowrie.passwd <username> (second user)


vi /etc/apache2/sites-enabled/000-default.conf

Between the <VirtualHost> </VirtualHost> tags, add:

<Location />
    AuthBasicAuthoritative On
    AllowOverride AuthConfig

    AuthType Basic
    AuthName "cowrie honeypot"
    AuthUserFile /etc/apache2/cowrie.passwd
    Require valid-user
</Location>