telekom-security / tpotce

🍯 T-Pot - The All In One Multi Honeypot Platform 🐝
GNU General Public License v3.0

Cowrie Dashboard: "hassh.keyword" (was it supposed to be 'hash'?) - Error for Cowrie. #1477

Status: Closed (enema-combatant closed this 6 months ago)

enema-combatant commented 6 months ago

EDIT: Checked SHA256 of the ISO - this is correct.

I receive this error in any of the Panels in the Kibana panels for the Cowrie dashboard. All other dashboards don't seem to have this problem. Is it a typo (hassh versus hash?)

[screenshot attached: cowrie]

⚠️ Basic support information (commands are expected to run as root)

- What version of the OS are you currently using lsb_release -a and uname -a?

$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:        11
Codename:       bullseye

- What T-Pot version are you currently using?

T-Pot 22.04.0

- What edition (Standard, Nextgen, etc.) of T-Pot are you running?

Standard? Note that no command was given to provide a framework on which to judge or assess what flavor/edition I'm actually running. I have no clue - I don't recall any setup indication of having to choose.

- What architecture are you running on (i.e. hardware, cloud, VM, etc.)?

VM in KVM/QEMU host, x86_64

- Did you have any problems during the install? If yes, please attach /install.log /install.err.

By problems, the only one was the network devices' failure to start, which was solved by edits to /etc/network/interfaces as indicated in the 'Known Issues'. And by the way, there were no outward signs that things weren't working before I made these edits, and in fact I was able to log in to the Cockpit console before making those changes. Afterwards, it seems to work the same. Odd.

- How long has your installation been running?

It was actually lightning quick.

- Did you install upgrades, packages or use the update script?

I did run update.sh.

- Did you modify any scripts or configs? If yes, please attach the changes.

Nope.

- Please provide a screenshot of glances and htop.

[screenshots attached: htop2, htop]

Attached.

- How much free disk space is available (df -h)?

Filesystem      Size  Used Avail Use% Mounted on
udev             16G     0   16G   0% /dev
tmpfs           3.2G  3.9M  3.2G   1% /run
/dev/vda2       238G  9.1G  217G   5% /
tmpfs            16G     0   16G   0% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           3.2G     0  3.2G   0% /run/user/2001

- What is the current container status (dps.sh)?

[ ========| System |======== ]
     DATE:  Sun 25 Feb 2024 08:59:40 PM UTC
   UPTIME:   20:59:40 up 51 min,  2 users,  load average: 0.11, 0.37, 0.58
    T-POT:  ACTIVE
BLACKHOLE:  DISABLED

NAME                  STATUS                       PORTS
adbhoney              Up 24 minutes (healthy)   0.0.0.0:5555->5555/tcp
ciscoasa              Up 24 minutes             0.0.0.0:5000->5000/udp, 0.0.0.0:8443->8443/tcp
citrixhoneypot        Up 24 minutes             0.0.0.0:443->443/tcp
conpot_guardian_ast   Up 24 minutes (healthy)   0.0.0.0:10001->10001/tcp
conpot_iec104         Up 24 minutes (healthy)   0.0.0.0:161->161/udp, 0.0.0.0:2404->2404/tcp
conpot_ipmi           Up 24 minutes (healthy)   0.0.0.0:623->623/udp
conpot_kamstrup_382   Up 24 minutes (healthy)   0.0.0.0:1025->1025/tcp, 0.0.0.0:50100->50100/tcp
cowrie                Up 24 minutes             0.0.0.0:22-23->22-23/tcp
ddospot               Up 24 minutes             0.0.0.0:19->19/udp, 0.0.0.0:53->53/udp, 0.0.0.0:123->123/udp, 0.0.0.0:1900->1900/udp
dicompot              Up 24 minutes             0.0.0.0:11112->11112/tcp
dionaea               Up 24 minutes (healthy)   0.0.0.0:20-21->20-21/tcp, 0.0.0.0:42->42/tcp, 0.0.0.0:81->81/tcp, 0.0.0.0:135->135/tcp, 0.0.0.0:445->445/tcp, 0.0.0.0:1433->1433/tcp, 0.0.0.0:1723->1723/tcp, 0.0.0.0:1883->1883/tcp, 0.0.0.0:3306->3306/tcp, 0.0.0.0:27017->27017/tcp, 0.0.0.0:69->69/udp
elasticpot            Up 24 minutes             0.0.0.0:9200->9200/tcp
elasticsearch         Up 24 minutes (healthy)   127.0.0.1:64298->9200/tcp
ewsposter             Up 24 minutes
fatt                  Up 24 minutes
heralding             Up 24 minutes             0.0.0.0:110->110/tcp, 0.0.0.0:143->143/tcp, 0.0.0.0:465->465/tcp, 0.0.0.0:993->993/tcp, 0.0.0.0:995->995/tcp, 0.0.0.0:1080->1080/tcp, 0.0.0.0:5432->5432/tcp, 0.0.0.0:5900->5900/tcp
honeytrap             Up 24 minutes
ipphoney              Up 24 minutes             0.0.0.0:631->631/tcp
kibana                Up 24 minutes (healthy)   127.0.0.1:64296->5601/tcp
logstash              Up 24 minutes (healthy)
mailoney              Up 24 minutes             0.0.0.0:25->25/tcp
map_data              Up 24 minutes
map_redis             Up 24 minutes
map_web               Up 24 minutes             127.0.0.1:64299->64299/tcp
medpot                Up 24 minutes             0.0.0.0:2575->2575/tcp
nginx                 Up 24 minutes
p0f                   Up 24 minutes
redishoneypot         Up 24 minutes             0.0.0.0:6379->6379/tcp
sentrypeer            Up 24 minutes             0.0.0.0:5060->5060/udp
snare                 Up 24 minutes             0.0.0.0:80->80/tcp
spiderfoot            Up 24 minutes (healthy)   127.0.0.1:64303->8080/tcp
suricata              Up 24 minutes
tanner                Up 24 minutes
tanner_api            Up 24 minutes
tanner_phpox          Up 24 minutes
tanner_redis          Up 24 minutes

- What is the status of the T-Pot service (systemctl status tpot)?

● tpot.service - tpot
     Loaded: loaded (/etc/systemd/system/tpot.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2024-02-25 20:35:16 UTC; 25min ago
    Process: 18079 ExecStartPre=/opt/tpot/bin/updateip.sh (code=exited, status=0/SUCCESS)
    Process: 18119 ExecStartPre=/bin/bash -c /opt/tpot/bin/clean.sh on (code=exited, status=0/SUCCESS)
    Process: 18243 ExecStartPre=/opt/tpot/bin/tpdclean.sh -y (code=exited, status=0/SUCCESS)
    Process: 18346 ExecStartPre=/bin/bash -c /sbin/ethtool --offload $(/sbin/ip address | grep "^2: " | awk '{ print $2>
    Process: 18352 ExecStartPre=/bin/bash -c /sbin/ethtool -K $(/sbin/ip address | grep "^2: " | awk '{ print $2 }' | t>
    Process: 18358 ExecStartPre=/bin/bash -c /sbin/ip link set $(/sbin/ip address | grep "^2: " | awk '{ print $2 }' | >
    Process: 18364 ExecStartPre=/opt/tpot/bin/rules.sh /opt/tpot/etc/tpot.yml set (code=exited, status=0/SUCCESS)
    Process: 18439 ExecStartPost=/bin/bash -c /usr/bin/sleep 30 && /usr/sbin/conntrack -D -p udp (code=exited, status=0>
   Main PID: 18438 (docker-compose)
      Tasks: 38 (limit: 38475)
     Memory: 42.6M
        CPU: 16.358s
     CGroup: /system.slice/tpot.service
             └─18438 /usr/bin/python3 /usr/bin/docker-compose -f /opt/tpot/etc/tpot.yml up --no-color

Feb 25 21:00:45 respectablebirdhouse docker-compose[18438]: ewsposter              |  => Starting Medpot Honeypot Modul.
Feb 25 21:00:45 respectablebirdhouse docker-compose[18438]: ewsposter              |  => Starting Citrix Honeypot Modul.
Feb 25 21:00:45 respectablebirdhouse docker-compose[18438]: ewsposter              |  => Starting Redishoneypot Honeypo>
Feb 25 21:00:45 respectablebirdhouse docker-compose[18438]: ewsposter              |  => Starting Endlessh Honeypot Mod>
Feb 25 21:00:45 respectablebirdhouse docker-compose[18438]: ewsposter              |     -> Mission File! logfile = /da>
Feb 25 21:00:45 respectablebirdhouse docker-compose[18438]: ewsposter              |  => Starting Sentrypeer Honeypot M>
Feb 25 21:00:45 respectablebirdhouse docker-compose[18438]: ewsposter              |     -> Mission File! logfile = /da>
Feb 25 21:00:45 respectablebirdhouse docker-compose[18438]: ewsposter              |  => Starting Log4Pot Honeypot Modu>
Feb 25 21:00:45 respectablebirdhouse docker-compose[18438]: ewsposter              |     -> Mission File! logfile = /da>
Feb 25 21:00:45 respectablebirdhouse docker-compose[18438]: ewsposter              |  => Sleeping for 29 seconds ...

- What ports are being occupied? Stop T-Pot systemctl stop tpot and run netstat -tulpen

$ sudo netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name  
tcp        0      0 127.0.0.1:37989         0.0.0.0:*               LISTEN      0          16090      646/containerd    
tcp        0      0 0.0.0.0:64295           0.0.0.0:*               LISTEN      0          16487      662/sshd: /usr/sbin
tcp6       0      0 :::64294                :::*                    LISTEN      0          11806      1/init            
tcp6       0      0 :::64295                :::*                    LISTEN      0          16489      662/sshd: /usr/sbin
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          16467      576/dhclient    

- If a single container shows as DOWN you can run docker logs <container-name> for the latest log entries

t3chn0m4g3 commented 6 months ago

Works as designed. If you see no data it simply means nothing in that regard has been logged.
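To make the maintainer's answer concrete: hassh.keyword is not a typo for "hash". HASSH is an SSH client fingerprint, the MD5 of the key-exchange, cipher, MAC and compression algorithm lists a client offers in its KEXINIT, and Cowrie records it per session. A panel that aggregates on that field has nothing to show until at least one client has actually negotiated an SSH session with the honeypot; plain port scans that connect and disconnect never produce it. The script below is an added example, not T-Pot or Cowrie project code: it recomputes HASSH from the algorithm lists and runs a terms-style aggregation over constructed Cowrie log lines. The Cowrie JSON field names it relies on (eventid "cowrie.client.kex", kexAlgs, encCS, macCS, compCS) are assumed from Cowrie's log format rather than taken from this issue.

```python
# Added example (not T-Pot or Cowrie project code). Shows why the Cowrie
# dashboard's hassh.keyword panels stay empty until an SSH client completes
# key exchange, and how the value in that field is derived.
# Assumed Cowrie JSON field names: eventid "cowrie.client.kex", kexAlgs,
# encCS, macCS, compCS. The log lines below are constructed samples.
import hashlib
import json
from collections import Counter

# Constructed sample of Cowrie's newline-delimited JSON log: one scanner that
# only connects and disconnects (no fingerprint), two real SSH clients with
# different algorithm offers, and one malformed line.
SAMPLE_LOG = """
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.23", "session": "s1", "timestamp": "2024-02-25T21:05:01.000000Z"}
{"eventid": "cowrie.session.closed", "src_ip": "198.51.100.23", "session": "s1", "timestamp": "2024-02-25T21:05:01.200000Z"}
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.7", "session": "s2", "timestamp": "2024-02-25T21:06:10.000000Z"}
{"eventid": "cowrie.client.kex", "src_ip": "203.0.113.7", "session": "s2", "kexAlgs": ["curve25519-sha256", "diffie-hellman-group14-sha256"], "encCS": ["aes128-ctr", "aes256-ctr"], "macCS": ["hmac-sha2-256"], "compCS": ["none"], "timestamp": "2024-02-25T21:06:10.300000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.7", "session": "s2", "username": "root", "timestamp": "2024-02-25T21:06:11.000000Z"}
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.44", "session": "s3", "timestamp": "2024-02-25T21:07:00.000000Z"}
{"eventid": "cowrie.client.kex", "src_ip": "192.0.2.44", "session": "s3", "kexAlgs": ["diffie-hellman-group1-sha1"], "encCS": ["aes128-cbc", "3des-cbc"], "macCS": ["hmac-sha1"], "compCS": ["none"], "timestamp": "2024-02-25T21:07:00.200000Z"}
not json at all
"""


def hassh_from_lists(kex_algs, enc_cs, mac_cs, comp_cs):
    """Return (hasshAlgorithms, hassh) for one client's KEXINIT offer.

    HASSH is the MD5 of the four comma-joined algorithm lists concatenated
    with ';' in the order kex;enc;mac;comp. Lists are used exactly as
    offered, so clients built on the same SSH library fingerprint alike.
    """
    hassh_algorithms = ";".join(
        ",".join(algs) for algs in (kex_algs, enc_cs, mac_cs, comp_cs)
    )
    return hassh_algorithms, hashlib.md5(hassh_algorithms.encode()).hexdigest()


def parse_cowrie_log(text):
    """Parse newline-delimited JSON, skipping blank and malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def hassh_panel_data(events):
    """Mimic a terms aggregation on hassh.keyword.

    Only cowrie.client.kex events carry a fingerprint; connect, login and
    session-closed events do not. Cowrie logs the hassh value itself; it is
    recomputed here from the algorithm lists so the derivation is visible.
    An empty Counter is exactly the "no data" state the dashboard shows.
    """
    counts = Counter()
    for ev in events:
        if ev.get("eventid") != "cowrie.client.kex":
            continue
        try:
            _, fingerprint = hassh_from_lists(
                ev["kexAlgs"], ev["encCS"], ev["macCS"], ev["compCS"]
            )
        except KeyError:
            continue  # kex event without algorithm lists: nothing to aggregate
        counts[fingerprint] += 1
    return counts


def main():
    panel = hassh_panel_data(parse_cowrie_log(SAMPLE_LOG))
    if not panel:
        print("no cowrie.client.kex events yet: hassh.keyword panels have nothing to aggregate")
    for fingerprint, sessions in panel.most_common():
        print(f"{fingerprint}  sessions={sessions}")


if __name__ == "__main__":
    main()
```

On a fresh install like the one in this report, the equivalent of the first session in the sample (connect, then close, with no key exchange) is all that has usually arrived, so the aggregation is empty and the panel reports that the field has no values; once real SSH clients negotiate sessions the fingerprints populate on their own.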