From bdaee9e1c7ba5ba53aeca11d32734f23ad8254f1 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy <a@foo.be>
Date: Wed, 28 Feb 2018 17:41:29 +0100
Subject: [PATCH] add: Cowrie honeypot object template

---
 objects/cowrie/definition.json | 81 ++++++++++++++++++++++++++++++++++
 1 file changed, 81 insertions(+)
 create mode 100644 objects/cowrie/definition.json

diff --git a/objects/cowrie/definition.json b/objects/cowrie/definition.json
new file mode 100644
index 0000000..6f8501f
--- /dev/null
+++ b/objects/cowrie/definition.json
@@ -0,0 +1,81 @@
+{
+  "requiredOneOf": [
+    "session"
+  ],
+  "attributes": {
+    "eventid": {
+      "description": "Eventid of the session in the cowrie honeypot",
+      "disable_correlation": true,
+      "ui-priority": 1,
+      "misp-attribute": "text"
+    },
+    "system": {
+      "description": "System origin in cowrie honeypot",
+      "disable_correlation": true,
+      "ui-priority": 1,
+      "misp-attribute": "text"
+    },
+    "username": {
+      "description": "Username related to the password(s)",
+      "ui-priority": 1,
+      "misp-attribute": "text"
+    },
+    "passsword": {
+      "description": "Password",
+      "multiple": true,
+      "ui-priority": 1,
+      "misp-attribute": "text"
+    },
+    "session": {
+      "description": "Session id",
+      "ui-priority": 1,
+      "misp-attribute": "text"
+    },
+    "timestamp": {
+      "description": "When the event happened",
+      "ui-priority": 1,
+      "misp-attribute": "datetime",
+      "disable_correlation": true
+    },
+    "message": {
+      "description": "Message of the cowrie honeypot",
+      "ui-priority": 1,
+      "misp-attribute": "text",
+      "disable_correlation": true
+    },
+    "protocol": {
+      "description": "Protocol used in the cowrie honeypot",
+      "ui-priority": 1,
+      "misp-attribute": "text",
+      "disable_correlation": true
+    },
+    "sensor": {
+      "description": "Cowrie sensor name",
+      "ui-priority": 1,
+      "misp-attribute": "text",
+      "disable_correlation": true
+    },
+    "src_ip": {
+      "description": "Source IP address of the session",
+      "ui-priority": 1,
+      "misp-attribute": "ip-src"
+    },
+    "dst_ip": {
+      "description": "Destionation IP address of the session",
+      "ui-priority": 1,
+      "misp-attribute": "ip-dst",
+      "disable_correlation": true
+    },
+    "isError": {
+      "description": "isError",
+      "ui-priority": 1,
+      "misp-attribute": "text",
+      "disable_correlation": true
+    }
+  },
+  "version": 1,
+  "description": "Cowrie honeypot object template",
+  "meta-category": "network",
+  "uuid": "ae085d32-6534-4d52-b3eb-063fccb753e7",
+  "name": "cowrie"
+}