Same as with the Ironman challenge: once you have spent 80% of the time finding the meme image, you are almost done.
From this post on, the steps follow the official documentation. As long as the prerequisites from the previous post are in place, there is essentially no difference from the official docs. The one thing to watch is which user you are running each command as, and to switch to root with sudo only when needed.
Switch to the cowrie user and install the Python package for the database connection:
debian@debian:~$ sudo su - cowrie
cowrie@debian:~$ source cowrie/cowrie-env/bin/activate
(cowrie-env) cowrie@debian:~$ pip install mysql-connector-python
Collecting mysql-connector-python
Downloading mysql_connector_python-8.0.30-cp39-cp39-manylinux1_x86_64.whl (25.4 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 25.4/25.4 MB 14.7 MB/s eta 0:00:00
Collecting protobuf<=3.20.1,>=3.11.0
Downloading protobuf-3.20.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.whl (1.0 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.0/1.0 MB 21.6 MB/s eta 0:00:00
Installing collected packages: protobuf, mysql-connector-python
Successfully installed mysql-connector-python-8.0.30 protobuf-3.20.1
Using an account with sudo, run the mysql client to create the database and grant the cowrie user its privileges on it (the tables themselves come from the bundled SQL in the next step):
sudo mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 42
Server version: 10.5.15-MariaDB-0+deb11u1 Debian 11
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> CREATE DATABASE cowrie;
Query OK, 1 row affected (0.000 sec)
MariaDB [(none)]> GRANT ALL ON cowrie.* TO 'cowrie'@'localhost' IDENTIFIED BY 'cowriecowrie';
Query OK, 0 rows affected (0.001 sec)
MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.000 sec)
MariaDB [(none)]> exit
Bye
Next, run the bundled SQL to create the schema. Remember to run this as the cowrie user:
sudo su - cowrie
cd /home/cowrie/cowrie/docs/sql
debian@debian:/home/cowrie/cowrie/docs/sql$ mysql -u cowrie -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 45
Server version: 10.5.15-MariaDB-0+deb11u1 Debian 11
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> USE cowrie;
Database changed
MariaDB [cowrie]> source mysql.sql;
Query OK, 0 rows affected (0.065 sec)
Query OK, 0 rows affected (0.003 sec)
Query OK, 0 rows affected (0.003 sec)
Query OK, 0 rows affected (0.003 sec)
Query OK, 0 rows affected (0.004 sec)
Query OK, 0 rows affected (0.002 sec)
Query OK, 0 rows affected (0.004 sec)
Query OK, 0 rows affected (0.002 sec)
Query OK, 0 rows affected (0.002 sec)
Query OK, 0 rows affected (0.003 sec)
Records: 0 Duplicates: 0 Warnings: 0
Query OK, 0 rows affected (0.003 sec)
Query OK, 0 rows affected (0.005 sec)
MariaDB [cowrie]> exit
Bye
Edit the cowrie.cfg file:
sudo nano /home/cowrie/cowrie/etc/cowrie.cfg
Check that the following section matches the MariaDB setup; if you followed the steps above, only the password needs changing.
[output_mysql]
host = localhost
database = cowrie
username = cowrie
password = cowriecowrie
port = 3306
debug = false
enabled = true
Then restart Cowrie:
/home/cowrie/cowrie/bin/cowrie restart
Check the log to confirm that Cowrie is outputting to mysql:
cd ~/cowrie/var/log/cowrie/
cowrie@debian:~/cowrie/var/log/cowrie$ tail cowrie.log
2022-10-05T00:21:40.583182Z [-] Python Version 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110]
2022-10-05T00:21:40.583225Z [-] Twisted Version 22.4.0
2022-10-05T00:21:40.583243Z [-] Cowrie Version 2.3.0
2022-10-05T00:21:40.597878Z [-] Loaded output engine: jsonlog
2022-10-05T00:21:40.648687Z [-] Loaded output engine: mysql
If "Loaded output engine: mysql" appears, it worked.
With everything configured, make a test SSH connection from another machine, then come back and look at what was recorded in the database:
cowrie@debian:~/cowrie/var/log/cowrie$ mysql -u cowrie -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 47
Server version: 10.5.15-MariaDB-0+deb11u1 Debian 11
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> USE cowrie;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [cowrie]> SELECT * FROM auth;
+----+--------------+---------+----------+----------+---------------------+
| id | session      | success | username | password | timestamp           |
+----+--------------+---------+----------+----------+---------------------+
|  1 | f5157dea290c |       1 | root     | 1234     | 2022-10-05 01:21:28 |
|  2 | eefa77354b76 |       1 | root     | 1234     | 2022-10-05 01:21:28 |
|  3 | 0780a00355b7 |       0 | mysql    | mysql    | 2022-10-05 01:21:41 |
+----+--------------+---------+----------+----------+---------------------+
3 rows in set (0.000 sec)
Done!
If you are interested, the following tables hold the other recorded data:
+------------------+
| Tables_in_cowrie |
+------------------+
| auth             |
| clients          |
| downloads        |
| input            |
| ipforwards       |
| ipforwardsdata   |
| keyfingerprints  |
| params           |
| sensors          |
| sessions         |
| ttylog           |
+------------------+
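To review the same auth table from a script instead of the mysql shell, here is an added example (not Cowrie's own code) that reads the [output_mysql] settings shown above and summarises login attempts. It assumes the mysql-connector-python package installed earlier; the sample config and rows are constructed copies of what the post shows, and the names load_mysql_config, fetch_auth and summarize_auth are my own.

```python
# Added example, not Cowrie's own code: read the [output_mysql] settings that
# cowrie.cfg above defines and summarise the auth table Cowrie writes to.
import configparser
from collections import Counter
SAMPLE_CFG = """[output_mysql]
host = localhost
database = cowrie
username = cowrie
password = cowriecowrie
port = 3306
"""

# Constructed rows mirroring the SELECT * FROM auth output in the post.
SAMPLE_ROWS = [("f5157dea290c", 1, "root", "1234"),
               ("eefa77354b76", 1, "root", "1234"),
               ("0780a00355b7", 0, "mysql", "mysql")]

def load_mysql_config(cfg_text):
    """Connection settings from the [output_mysql] section of cowrie.cfg."""
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    s = cp["output_mysql"]
    return {"host": s.get("host", "localhost"), "port": s.getint("port", 3306),
            "user": s["username"], "password": s["password"], "database": s["database"]}

def fetch_auth(settings):
    # Returns (session, success, username, password) rows from the live auth table.
    import mysql.connector  # provided by the mysql-connector-python package installed above
    conn = mysql.connector.connect(**settings)
    try:
        cur = conn.cursor()
        cur.execute("SELECT session, success, username, password FROM auth")
        return cur.fetchall()
    finally:
        conn.close()

def summarize_auth(rows):
    """Attempts, successful logins, distinct sessions and most-tried credentials."""
    creds = Counter((u, p) for _, _, u, p in rows)
    return {"attempts": len(rows),
            "successes": sum(1 for _, ok, _, _ in rows if ok),
            "sessions": len({s for s, _, _, _ in rows}),
            "top_credentials": creds.most_common(3)}

if __name__ == "__main__":
    try:  # use the live database when reachable, otherwise the constructed rows
        rows = fetch_auth(load_mysql_config(SAMPLE_CFG))
    except Exception:
        rows = SAMPLE_ROWS
    print(summarize_auth(rows))
```

On the honeypot itself, replace SAMPLE_CFG with the contents of /home/cowrie/cowrie/etc/cowrie.cfg to query the real table.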