← Back to all feeds

📋 Cowrie Honeypot Logs

Raw JSON logs from our Cowrie SSH/Telnet honeypots. Contains detailed information about attack sessions, commands executed, files downloaded, and attacker behavior.

ℹī¸ Note: These logs are in JSON format and contain sanitized data (honeypot IPs are masked). Use for research, analysis, and threat intelligence.

Cowrie JSON Logs

Raw honeypot session logs

Cowrie logs contain detailed information about SSH/Telnet attack sessions including:

  • Login attempts and credentials used
  • Commands executed by attackers
  • Files downloaded or uploaded
  • Session timings and durations
  • Client information and fingerprints

Cowrie log files are available in the /feeds/cowrie/ directory. Files are organized by date and follow the naming pattern: cowrie.json.YYYY-MM-DD

How to Use Cowrie Logs

Parse with jq:

#!/bin/bash
# Extract all commands from Cowrie logs

curl -s https://www.check-the-sum.fr/feeds/cowrie/cowrie.json.2025-01-16 | \
  jq -r 'select(.eventid=="cowrie.command.input") | .input'

# Extract failed login attempts
curl -s https://www.check-the-sum.fr/feeds/cowrie/cowrie.json.2025-01-16 | \
  jq -r 'select(.eventid=="cowrie.login.failed") | "\(.username):\(.password)"'

Analyze with Python:

#!/usr/bin/env python3
import requests
import json
from collections import Counter

# Download Cowrie logs
url = 'https://www.check-the-sum.fr/feeds/cowrie/cowrie.json.2025-01-16'
response = requests.get(url)

# Parse JSON lines
events = [json.loads(line) for line in response.text.strip().split('\n') if line]

# Analyze login attempts
usernames = [e['username'] for e in events if e.get('eventid') == 'cowrie.login.failed']
print("Top 10 attempted usernames:")
for user, count in Counter(usernames).most_common(10):
    print(f"{user}: {count} attempts")

Event Types:

Common Cowrie event IDs:
- cowrie.session.connect: New connection
- cowrie.login.success: Successful login
- cowrie.login.failed: Failed login attempt
- cowrie.command.input: Command executed
- cowrie.session.file_download: File downloaded
- cowrie.client.version: SSH client version
- cowrie.session.closed: Session ended