fe7ch
It will be really nice to have this feature. It would also be a good idea to ship a tool that could make a profile from the currently running environment, so...
@mzfr it's not. The problem is in fact that cowrie can't handle such command lines (i.e. multiple commands chained with logical OR or AND): `dd bs=52 count=1 if=.s || cat...
Nope, hajime doesn't really care about it.

>I can no longer capture samples of it.

Well, post your cowrie logs that correspond to the hajime sessions and we'll investigate what...
1. It's hajime and it fails to detect arch
2. It's not a hajime
>On a normal system `\x0181c46036\x01# `

It depends. On my putty -> Ubuntu it behaves exactly like cowrie. Also, the trojan works just fine with the output of this command,...
>Is that expected output from cowrie?

You don't have cowrie/honeyfs/bin/busybox file, so cowrie reports "not found" error instead of showing a context of the file.
>So do I just copy an existing busybox binary to cowrie in the honeyfs?

You may copy there any file you want.

>Why is it not there in the first...
Well, I think it's a flaw in the design :p By specifying umask for the cowrie process, I expect all files it creates (logs/drops) to have permissions according to...
>Do you mean the "umask" parameter we pass in bin/cowrie?

Yes I think it does work for most cowrie drops (at least it did, when I last checked :)...
Yep, just checked. umask does affect permissions for drops too.