kippo-graph
Kippo-play.php - No session replay?
http://i.imgur.com/fhOjo00.png
I'm unable to get any playback from sessions on my installation. I'm using Cowrie and kippo-graphs with MySQL.
PHP: 5.4.45-0+deb7u2
MySQL: Server version: 5.5.47-0+deb7u1 (Debian)
Apache: Server version: Apache/2.2.22 (Debian)
Any errors in your web server logs at all?
Also experiencing this issue.
No errors in apache logs and all other instructions followed. Everything else works perfectly, except playlogs. Just a black screen.
http://puu.sh/ohwd1/a73a157f65.png
I tried with Chrome, Firefox and Safari as well. Same results.
@ecapuano does this happen for all captured sessions? Are you using kippo or cowrie?
@ikoniaris yes all captured sessions, and I am running cowrie (perhaps that is my mistake?)
@ecapuano Maybe. I think cowrie and kippo save the sessions differently on disk. I'll have to test it somehow...
@micheloosterhof can you confirm if kippo and cowrie save the sessions differently on disk? (I think different encoding or something?)
TTY logs should be exactly the same. Text logs have probably changed.
Also having issues. Pulled both from git onto a clean box using an external SQL server.
playlog page is blank and clicking play from somewhere else reveals this.
@Locknlol @ecapuano @kevthehermit just to confirm, this seems to be happening only for cowrie, right?
Confirming: the latest pull from Cowrie is what I am running, and I'm getting this error.
I was also using cowrie, but I didn't get that error. I got a blank black box where the console replay should've been.
I am also unable to get playlog with cowrie. I see that cowrie writes differently to the ttylog table; see below. In my case I don't see the entry show up in the playlog page, but in other pages like kippo-input there is data populated from cowrie.
30 d5a493d85c3411e6b39a370cc074daee [BLOB - 855 B]
Here is how cowrie writes to the db:
7d0c9ac2 log/tty/20160808-122819-7d0c9ac2-0i.log 817
You can see there's a little '0i' at the end of the Cowrie log. The 0 is for the 0'th (or first) session, the 'i' is for interactive logins. There are sometimes multiple shell sessions within a single SSH session, that's why the extra characters are added. The full name of the tty log is written to the normal/json log files, so Kippo-Graph should be changed to pick up the name of the ttylog there, rather than assuming it's always the session id.
Thanks @micheloosterhof, this is helpful!
Any update to this?
System:
Linux: CentOS 7.2
kippo-graph: latest commit
Cowrie: Commit 45022b7 (see https://github.com/micheloosterhof/cowrie/issues/309)
I get the following error when I try to play a playlog (most of them; single plays work): "Issue using JavaScript playback and having multiple log (6 files)."
I think cowrie generates multiple logs in log/tty/ for the same [attacker...]. Changing PLAYBACK_SYSTEM to PYTHON creates some wonderful output ...
There are some interesting logs in apache-error.log (Setting: PYTHON):
python: can't open file '/opt/cowrie/utils/playlog.py': [Errno 2] No such file or directory
python: can't open file '/opt/cowrie/utils/playlog.py': [Errno 2] No such file or directory
After changing kippo-play.php i get some more output:
#$log .= shell_exec("python /opt/cowrie/utils/playlog.py -m 0 " . $log_path);
$log .= shell_exec("python /opt/cowrie/bin/playlog -m 0 " . $log_path);
This isn't really perfect but maybe a beginning ;)
Actually that looks like it's working correctly!
I followed the instructions above, but am not getting playback. Side note: I have not installed cowrie globally, and am running it under the user 'cowrie' (/home/cowrie/cowrie), while kippo-graph is installed under www-data (/var/www/html/cowrie).
http://i.imgur.com/rYEXxPE.png
What OS and/or distribution?
3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 GNU/Linux
I experience the same bug. I use Cowrie and instead of playing log I only have a black screen. Any progress in solving this?
I had this issue as well. For me the problem was twofold.
- the kippo-play.php has the python playback.py hard-coded to
python /opt/cowrie/utils/playlog.py -m 0
I followed the instructions on the cowrie github and have it installed to /home/cowrie/cowrie.
The playlog.py is no longer a .py file either.
Fix
Change:
$log .= shell_exec("python /opt/cowrie/utils/playlog.py -m 0 " . $log_path);
To:
$log .= shell_exec("/home/cowrie/cowrie/bin/playlog -m 0 " . $log_path);
- I followed the instructions for installing Kippo-Graph (originally) and later just cloned this repo because despite being the same version there are significant changes to this repo. The config file now accounts for the differences between cowrie and kippo. One of the changes being that it asks for define('BACK_END_ENGINE', 'COWRIE'); and define("BACK_END_PATH", "/home/cowrie/cowrie");
If you leave BACK_END_ENGINE set to Kippo, the playback page will load some information; however, it will not show the playback. So, that needs to be changed to Cowrie (for cowrie installations). Also, because the back_end_path is NOT /opt/cowrie, that has to be changed as well. This will require the full path to your cowrie installation:
/home/cowrie/cowrie
We're not done yet! The logs will still fail the is_readable() check in kippo-play.php. The web page is being served by the user www-data, and that user does not have permissions to those files. It can check if they exist, but it cannot read them. I was able to do a recursive chmod on the log directory (777 for testing) and the playback works! Problem is, all future logs are not being generated with those permissions:
-rwxrwxrwx 1 cowrie cowrie 34264 Apr 4 15:42 20170404-153901-03bb41ba-0i.log
-rwxrwxrwx 1 cowrie cowrie 33606 Apr 4 16:02 20170404-155936-9f484266-0i.log
-rw------- 1 cowrie cowrie 34258 Apr 4 16:19 20170404-161646-42ea8d51-0i.log
-rw------- 1 cowrie cowrie 34264 Apr 4 16:21 20170404-161846-c4a389c0-0i.log
The logs will occasionally have to have their permissions updated. Once they have they will be playable.
These fixes are not entirely on kippo-graph to implement. But for anyone trying to figure out why their logs won't play, this is what worked for me.
Sorry about my poor English. I experience the same issue, also using cowrie and mysql. Changing PLAYBACK_SYSTEM to PYTHON can get some output too.
I read those log files that could not be played with javascript. It looks like they didn't log any input, and each of the outputs was saved to a separate log file.
But when I try to log in to my cowrie system on my own, all input and output can be correctly logged into the same log file, and it can also be played with javascript. I still don't know what caused this difference, but I hope this can help solve this problem.
@viemmsakh About your second problem, has it been resolved? If not yet resolved, I think you can try changing the COWRIE_DIR/log/tty directory's group to www-data, and use 'sudo chmod g+s COWRIE_DIR/log/tty' to give it sgid. This should allow it to automatically save log files readable by user www-data.
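The two recurring points in this thread are the Cowrie tty log naming scheme (the file is not simply named after the session id, as explained by the cowrie maintainer above) and the file_exists/is_readable split that hides permission problems on the playlog page. The following Python is an added example, not code from kippo-graph or cowrie: it parses the file name convention, resolves a session's tty logs from ttylog table rows (the session/ttylog/size columns quoted above), and reports whether the web server user could actually read each file. The sample rows and the base path are constructed for illustration.

```python
import os
import re

# Cowrie tty log names follow <YYYYMMDD>-<HHMMSS>-<session>-<index><kind>.log
# (e.g. 20160808-122819-7d0c9ac2-0i.log): the index counts shell sessions
# inside one SSH session and 'i' marks an interactive login.
TTYLOG_RE = re.compile(
    r"(?P<date>\d{8})-(?P<time>\d{6})-(?P<session>[0-9a-f]+)"
    r"-(?P<index>\d+)(?P<kind>[a-z])\.log$"
)


def parse_ttylog_name(path):
    """Return the fields encoded in a Cowrie tty log file name, or None."""
    m = TTYLOG_RE.search(os.path.basename(path))
    if not m:
        return None
    info = m.groupdict()
    info["index"] = int(info["index"])
    info["interactive"] = info["kind"] == "i"
    return info


def ttylogs_for_session(rows, session):
    """Look up every tty log of a session from ttylog table rows instead of
    guessing the name from the id; ordered by shell index for replay."""
    files = [r["ttylog"] for r in rows if r["session"] == session]
    return sorted(files, key=lambda p: (parse_ttylog_name(p) or {}).get("index", 0))


def check_playable(base_path, ttylog):
    """Same split as kippo-play.php's file_exists/is_readable checks: a log
    that exists but the web server user cannot read is the permission case."""
    full = os.path.join(base_path, ttylog)
    if not os.path.exists(full):
        return "missing"
    if not os.access(full, os.R_OK):
        return "unreadable"
    return "playable"


# Constructed sample rows modelled on the ttylog table row quoted above
# (second shell of the first session added to show multi-file sessions).
SAMPLE_ROWS = [
    {"session": "7d0c9ac2", "ttylog": "log/tty/20160808-122901-7d0c9ac2-1i.log", "size": 120},
    {"session": "7d0c9ac2", "ttylog": "log/tty/20160808-122819-7d0c9ac2-0i.log", "size": 817},
    {"session": "42ea8d51", "ttylog": "log/tty/20170404-161646-42ea8d51-0i.log", "size": 34258},
]
```

Run check_playable with BACK_END_PATH as base_path under the web server account (e.g. via sudo -u www-data) to see "unreadable" for the -rw------- logs shown above before touching kippo-play.php.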
Hi all, I am not able to get any playback in the kippo-playlog. All of my data is populating in the graphs, however I cannot get the playback to produce anything. The only item on the kippo-playlog tab is "Replay input by attackers captured by the honeypot system" with nothing under it. I am using cowrie along with the kippo-graphs. Any help is appreciated. Thanks!
Hello,
Firstly, there is no directory called "utils" in the cowrie distribution, so obviously pointing to it will fail. Kippo-graph is a nice little script, nice work, although it is getting outdated; I get lots of errors in my php error_log, most of them related to changes in more recent PHP versions.
As far as I know the user "www-data" does not exist on all Linux distributions; I believe "www-data" is an Ubuntu (and Debian) thing. On CentOS, for example, this is "nobody". A command like
ps -ef | egrep '(httpd|apache2|apache)' | grep -v whoami | grep -v root | head -n1 | awk '{print $1}'
can help getting the right value.