Mapping Cowrie to CybOX

Cyber security is a vast and interesting field where you come across new terms, processes and systems every day. In our case the terms "Cowrie" and "CybOX" are not unknown to a cyber-security student or analyst, but we'll start with a short introduction to both.

Cowrie

Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker. It is developed by Michel Oosterhof.

CybOX

“The Cyber Observable expression (CybOX™) is a standardized language for encoding and communicating high-fidelity information about cyber observables, whether dynamic events or stateful measures that are observable in the operational cyber domain.”

That is how it is described on their website https://cyboxproject.github.io . In simple words, CybOX is a tool, or set of vocabulary, with which we can describe any event (e.g. deleting a file, setting up an HTTP connection etc.) in the standard given by CybOX. Its usefulness lies in gathering raw information and transforming it into a standard with a globally understood language (XML or JSON) which can be,

  • Easily understood
  • Easily shared
  • Easily acted upon (comes in STIX domain)

IT has enabled never-ending sharing of information on the internet, which has increased the risk of that information being "manipulated" in many ways (simply put, hacking). Searching for malicious information (e.g. unauthorized access, malicious IPs, intrusion information etc.) by extracting it from raw data is very hard and time consuming for a cyber-security analyst. So in the cyber-security field (especially in Threat Intelligence) CybOX is of extremely high importance. After standardizing with CybOX, the follow-up work is to define Indicators, Attack Patterns, Courses of Action etc.

Mapping

Mapping in CybOX simply means "to express raw information in the standard". So I gathered raw information from Cowrie log files and mapped it to CybOX.

Tools Used

1. Python (3.6)

2. Cybox package (2.1.0.17), which requires the following libraries:

  • lxml
  • python-dateutil
  • setuptools

Manual mapping

The first step of mapping was to look through the raw information given in the Cowrie log files and extract the information that is useful or important. This looks time consuming, but actually it is not, because one type of event (with different internal values) is repeated many times.

An example of manual mapping is given below:

Raw Information

Sensor= mae, IP=172.20.16.34
{
"eventid":"cowrie.login.success",
"username":"admin",
"timestamp":"2018-02-27T12:10:31.538462Z",
"message":"login attempt [admin/12345] succeeded",
"system":"SSHService 'ssh-userauth' on HoneyPotSSHTransport,1,172.20.16.25",
"isError":0,
"src_ip":"172.20.16.25",
"session":"8e83551f43c6",
"password":"12345",
"sensor":"mae"
}

Manual Mapping

Items       STIX Standard
            Schema                      Object Type            Fields               Type
----------  --------------------------  ---------------------  -------------------  ------------------------------
Event ID    CYBOX CORE SCHEMA           EventType              @id                  QName
                                                               Type                 ControlledVocabularyStringType
username    USER ACCOUNT OBJECT SCHEMA  UserAccountObjectType  Username             StringObjectPropertyType
timestamp   CYBOX COMMON SCHEMA         TimeType               Received_Time        DateTimeWithPrecisionType
message     -                           -                      -                    -
system      SYSTEM OBJECT SCHEMA        SystemObjectType       Hostname             StringObjectPropertyType
isError     CYBOX COMMON SCHEMA         ErrorType              Error_Count          integer
                                                               Error_Type           string
src_ip      ADDRESS OBJECT SCHEMA       AddressObjectType      Address_Value        StringObjectPropertyType
session     -                           -                      -                    -
password    ACCOUNT OBJECT SCHEMA       AuthenticationType     Authentication_Data  StringObjectPropertyType
                                                               Authentication_Type  ControlledVocabularyStringType
sensor      SYSTEM OBJECT SCHEMA        SystemObjectType       Hostname             StringObjectPropertyType

As there cannot be a standard object for every piece of information (message and session have none in the table above), we can do one of the following two things:

  • Ignore unimportant information
  • Create our own custom objects and properties.

Actual Mapping:

Actual mapping is the real mapping which gives the end result. I have done
it using the tools described in the "Tools Used" section. I wrote a mapping
from the cowrie.json.log file to CybOX which can transform any
cowrie.json.log file into the CybOX standard. Results are shown below:

COWRIE.json.log File (just a snapshot):

Mapped File (just a snapshot):
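As an added example (not the author's script and not the cybox package's API), the following Python walks one cowrie.json.log line through the manual-mapping table above and emits a plain dict per CybOX object, applying the two options for unmapped keys (keep as a custom object, or ignore). Object and property names come from the table; the Authentication_Type value "password", the CustomObjectType name and treating session as the kept custom key are assumptions, and serialising the dicts with the cybox package is left out.

```python
import json

# Constructed sample line in the cowrie.json.log format shown in the article.
SAMPLE_LINE = json.dumps({
    "eventid": "cowrie.login.success", "username": "admin",
    "timestamp": "2018-02-27T12:10:31.538462Z",
    "message": "login attempt [admin/12345] succeeded",
    "system": "SSHService 'ssh-userauth' on HoneyPotSSHTransport,1,172.20.16.25",
    "isError": 0, "src_ip": "172.20.16.25", "session": "8e83551f43c6",
    "password": "12345", "sensor": "mae",
})

# Cowrie key -> (CybOX object type, property) as listed in the manual-mapping table.
STANDARD = {
    "username":  ("UserAccountObjectType", "Username"),
    "timestamp": ("TimeType", "Received_Time"),
    "system":    ("SystemObjectType", "Hostname"),
    "src_ip":    ("AddressObjectType", "Address_Value"),
    "password":  ("AuthenticationType", "Authentication_Data"),
    "sensor":    ("SystemObjectType", "Hostname"),
}

def map_cowrie_event(line, keep_custom=("session",)):
    """Map one cowrie.json.log line to CybOX-style observable dicts: standard
    objects from the table, custom objects for keep_custom, the rest ignored."""
    rec = json.loads(line)
    observables, ignored = [], []
    # eventid -> EventType: @id carries the id, Type is a controlled-vocabulary string
    observables.append({"type": "EventType", "id": rec["eventid"],
                        "properties": {"Type": rec["eventid"]}})
    for key, value in rec.items():
        if key == "eventid":
            continue
        if key == "isError":  # ErrorType: Error_Count is an integer per the table
            observables.append({"type": "ErrorType", "cowrie_key": key,
                                "properties": {"Error_Count": int(value)}})
        elif key in STANDARD:
            obj_type, prop = STANDARD[key]
            props = {prop: value}
            if key == "password":  # assumption: Cowrie logins are password auth
                props["Authentication_Type"] = "password"
            observables.append({"type": obj_type, "cowrie_key": key, "properties": props})
        elif key in keep_custom:  # no standard object: keep as a custom object
            observables.append({"type": "CustomObjectType", "cowrie_key": key,
                                "properties": {key: value}})
        else:  # no standard object and not wanted: ignore it
            ignored.append(key)
    return {"observables": observables, "ignored": ignored}
```

Running the function over every line of a log file and feeding each dict to the cybox package's object classes is the remaining step the article's snapshots show.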

Result

As we can see, there are a lot of differences between the raw file and the
mapped file; as discussed in the introductory section, we can now confirm
that the mapped file is:

  • Globally understandable
  • Easily shared
  • Easily acted upon (defining indicators, courses of action etc.)

Thank you for reading this article. If you have any suggestion, correction or if you need help you can contact me or you can comment below.
