Cowrie Honeypot Instrument

Cowrie Instrument integrates Cowrie honeypot into SensorFleet platform. Cowrie honeypot is a medium interaction SSH/Telnet honeypot which logs shell interaction and brute force login attempts from attacker.

The Instrument will send events for user interaction with the honeypot. This allows to easily integrate honeypot activity into same security monitoring with other Instruments running on SensorFleet platform. Running honeypot within SensorFleet Instrument adds a layer of protection as the honeypot process is running inside isolated container.

This Instrument needs active network access to run the honeypot, the network access can be either dedicated physical interface or network access provided by internal bridge interface.


HTTP API provides endpoint for downloading files downloaded/uploaded into the honeypot by attacker.


Developer SensorFleet Oy (Open Source integration)
Categories Attack Detection, Honeypot
Network access type Active
Required interfaces
  • Network access to the honeypot
Dependencies None
Data retention Cowrie instrument stores logs and artifacts downloaded/uploaded to it up the configured retention period
Management UI Yes