Cowrie to Slack

I found myself with a rare 30 minutes this evening to twiddle my thumbs (between making pasta bake for the family and bedtime-story time), and attempted to tick a random task off my to-do list: as you may have guessed from the title, feeding activity from a Cowrie SSH honeypot into Slack.

Warnings first; whilst you can achieve the same end-goal, my experience suggests you may also come to regret it – consider yourselves warned….

@infosanity regrets everything we’re about to discuss….

Still here? Don’t say I didn’t warn you…

Components

As you might have guessed, we need:
* Cowrie Honeypot
* Slack Channel
* Slack Bot
* Not enough sense to heed my warning above…

Slack Channel

I’ll assume you already have a Slack Workspace in mind for the integration; setting one up is outside the scope of this write-up, so I’ll leave that as an exercise for the reader. Once you’re ready, choose an existing channel or (preferably) create a dedicated channel.

With that selected, make a note of the Channel ID from the About tab on settings:

Slack Channel About settings, gathering Channel ID

Slack Bot

Next up, we need a Bot for the integration. I’m far from a Slack specialist, so I’ll admit that to get started I simply typed bot into the menu bar and chose the helpful-looking “Create a bot for your workspace” feature shown below.

From here I needed to set two components:

Slack Bot – OAuth Permissions

Admittedly this took me some trial and error; the Cowrie documentation for this feature isn’t the most verbose (or I failed to locate it between oven alarms for the next step of the pasta bake). Eventually, granting the chat:write.public permission got the integration working.

Slack Bot – OAuth Token

Once permissions are set, and from the same page, install the app to your workspace and accept the integration when prompted; copy the resulting bot token for the final step.

Cowrie Honeypot

If you’re this far, I’m going to assume you already have a functional Cowrie installation. If not, I can help with either a quick and dirty build script or a more mature (but still WIP) Terraform IaC deployment. Once Cowrie is running, the configuration settings live in the main {cowrie-install-path}/etc/cowrie.cfg file, and the Slack section looks something like the below.

[output_slack]
enabled = true
channel = <CHANNEL_ID>
token = <BOT_TOKEN>
debug = false

And with that, a quick bin/cowrie stop & bin/cowrie start to reload, and you should be good.
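The built-in output plugin forwards everything Cowrie sees, which is where the noise the rest of this post warns about comes from. As an added example (my own code, not part of Cowrie or this post), the script below reads Cowrie’s JSON log instead, forwards only a handful of interesting event types with a per-session cap, and posts a one-line digest of everything else via Slack’s chat.postMessage API. It assumes the standard cowrie.json line format (eventid, src_ip, session, username, password, input, url fields), a bot token and channel ID supplied through the SLACK_BOT_TOKEN and SLACK_CHANNEL_ID environment variables (names I chose), and the sample log lines are constructed rather than real traffic.

```python
import json
import os
import urllib.request
from collections import Counter

# Event types worth an individual alert; everything else only lands in the digest.
INTERESTING = {"cowrie.login.success", "cowrie.command.input", "cowrie.session.file_download"}

# Constructed sample in Cowrie's cowrie.json line format (not captured traffic).
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","session":"a1b2c3d4","timestamp":"2024-01-01T10:00:00.000000Z","sensor":"hp1","message":"New connection"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.7","session":"a1b2c3d4","timestamp":"2024-01-01T10:00:01.000000Z","sensor":"hp1","message":"login attempt failed"}
{"eventid":"cowrie.login.success","username":"root","password":"password","src_ip":"203.0.113.7","session":"a1b2c3d4","timestamp":"2024-01-01T10:00:02.000000Z","sensor":"hp1","message":"login attempt succeeded"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"203.0.113.7","session":"a1b2c3d4","timestamp":"2024-01-01T10:00:03.000000Z","sensor":"hp1","message":"CMD: uname -a"}
{"eventid":"cowrie.session.closed","src_ip":"203.0.113.7","session":"a1b2c3d4","timestamp":"2024-01-01T10:00:09.000000Z","sensor":"hp1","message":"Connection lost"}
"""


def parse_events(text):
    """Parse one JSON object per line; skip blank or partially written lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a half-written trailing line while Cowrie is still logging
    return events


def select_alerts(events, interesting=INTERESTING, max_per_session=3):
    """Keep only interesting events, and at most max_per_session of them per session."""
    per_session = Counter()
    alerts = []
    for ev in events:
        if ev.get("eventid") not in interesting:
            continue
        sid = ev.get("session", "?")
        if per_session[sid] >= max_per_session:
            continue  # a chatty bot session stops generating alerts after the cap
        per_session[sid] += 1
        alerts.append(ev)
    return alerts


def slack_escape(text):
    """Slack treats &, < and > as control characters in message text; escape them."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def format_alert(ev):
    """One-line Slack message for an alert-worthy event; attacker input goes in code spans."""
    base = f"[{ev.get('sensor', '?')}] {ev['eventid']} from {ev.get('src_ip', '?')} (session {ev.get('session', '?')})"
    kind = ev["eventid"]
    if kind == "cowrie.login.success":
        detail = f"credentials `{ev.get('username', '')}` / `{ev.get('password', '')}`"
    elif kind == "cowrie.command.input":
        detail = f"command `{ev.get('input', '')}`"
    elif kind == "cowrie.session.file_download":
        detail = f"download from `{ev.get('url', '')}`"  # 'url' field assumed per Cowrie's download event
    else:
        detail = ev.get("message", "")
    return f"{base}: {slack_escape(detail)}"


def digest(events):
    """Single summary line counting every event type, for the events not alerted on."""
    counts = Counter(ev.get("eventid", "unknown") for ev in events)
    parts = ", ".join(f"{k}={v}" for k, v in sorted(counts.items()))
    return f"{len(events)} Cowrie events: {parts}"


def build_request(token, channel, text):
    """Build the chat.postMessage call; chat:write.public lets the bot post without joining."""
    return urllib.request.Request(
        "https://slack.com/api/chat.postMessage",
        data=json.dumps({"channel": channel, "text": text}).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json; charset=utf-8"},
        method="POST",
    )


def post_to_slack(token, channel, text):
    with urllib.request.urlopen(build_request(token, channel, text), timeout=10) as resp:
        return json.load(resp)  # Slack replies with {"ok": true/false, ...}


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)  # swap for open("var/log/cowrie/cowrie.json").read()
    for ev in select_alerts(events):
        print(format_alert(ev))
    print(digest(events))
    token, channel = os.environ.get("SLACK_BOT_TOKEN"), os.environ.get("SLACK_CHANNEL_ID")
    if token and channel:
        post_to_slack(token, channel, digest(events))
```

Run it against the sample and you get two alerts (the successful login and the command) plus one digest line, rather than five separate Slack notifications; point it at the live cowrie.json from a cron job or a tail loop and the per-session cap is what keeps a scripted bot from paging you dozens of times a minute.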

But remember, just because you can do something doesn’t mean it’s necessarily a good idea. Even Slack itself gets sick of the notifications in short order. I take no responsibility for wearing out either your speakers or your sanity; ‘ere be digital dragons…..



Andrew
