CyberLab

Download raw data by day

Here you can find the collected works of the CyberLab honeynet, unabridged.
The dataset is updated nightly with the previous day's data.

Each file listed below is a daily compilation of all connections starting that day (UTC time), grouped into "attack sessions". Each event in such a session includes all the data reported by the honeypot software (cowrie3, operating in either low-interaction mode, or backed by a pool of docker containers for high interaction). Geolocation data was added on top of that by the logstash software.

To be in compliance with EU regulation, we have obfuscated (pseudonymized) all source and destination IP addresses. The same pseudonym always means the same IP address, either on the source (attacker) or destination (honeypot) side.


Data format

| Field | Description | Example |
|---|---|---|
| session_id | Unique ID of the session | 7efa843ba2d1 |
| dst_ip_identifier | Obfuscated (pseudonymized) destination public IPv4 address of the honeypot node | b1e84f073e89a5a22482d2d112acfacb774d478f49a53951369ce029f6956339 |
| dst_host_identifier | Obfuscated (pseudonymized) name of the honeypot node | 0b6413ddbb3aebd1e5b4f226a60016af8c6138386a8195d453c7dbda2cbbef38 |
| src_ip_identifier | Obfuscated (pseudonymized) IP address of the attacker | b1e84f073e89a5a22482d2d112acfacb774d478f49a53951369ce029f6956339 |
| eventid | Event id of the session in the cowrie honeypot | cowrie.session.connect |
| timestamp | UTC time of the event | 2019-11-01T00:00:24.107618Z |
| message | Message of the cowrie honeypot; any public source and IP address mentions are replaced with the pseudonym. Other IPs, including private infrastructure addresses, are left as is. | New connection: b1e84f073e89a5a22482d2d112acfacb774d478f49a53951369ce029f6956339:44502 (192.168.144.2:2222) [session: 7efa843ba2d1] |
| protocol | Protocol used in the cowrie honeypot; either ssh or telnet | ssh |
| geolocation_data/postal_code | Source IP postal code (as determined by the logstash node) | 52100 |
| geolocation_data/continent_code | Source IP continent code (as determined by the logstash node) | EU |
| geolocation_data/country_code3 | Source IP country code3 (as determined by the logstash node) | IT |
| geolocation_data/region_name | Source IP region name (as determined by the logstash node) | Province of Arezzo |
| geolocation_data/latitude | Source IP latitude (as determined by the logstash node) | 43.4167 |
| geolocation_data/longitude | Source IP longitude (as determined by the logstash node) | 11.8833 |
| geolocation_data/country_name | Source IP full country name (as determined by the logstash node) | Italy |
| geolocation_data/location/ | Source IP location object (includes lon and lat), as appended by the logstash node; could potentially differ from the longitude and latitude given above | |
| geolocation_data/location/lat | Source IP location latitude, as appended by the logstash node; could potentially differ from the latitude given above | 43.4167 |
| geolocation_data/location/lon | Source IP location longitude, as appended by the logstash node; could potentially differ from the longitude given above | 11.883 |
| geolocation_data/timezone | Source IP timezone | Europe/Rome |
| geolocation_data/country_code2 | Source IP country code2 | IT |
| geolocation_data/region_code | Source IP region code | AR |
| geolocation_data/city_name | Source IP city name | Arezzo |
| src_port | Source TCP port | 44502 |
| sensor | Sensor name, which serves to identify our experiment configuration | ubuntu-ssh |
| arch | Represents the CPU/OS architecture emulated by cowrie | null |
| duration | Session duration in seconds | null |
| ssh_client_version | Attacker's SSH client version | null |
| username | Username used when attempting to log in; only set at the login attempt at the beginning of session, otherwise null | null |
| password | Password used when attempting to log in; only set at the login attempt at the beginning of session, otherwise null | hunter2 |
| hasshAlgorithms | TBD | null |
| macCS | HMAC algorithms supported by the client (SSH MAC supported in the session) | ["hmac-sha1", "hmac-md5", "hmac-sha2-256"] |
| langCS | TBD | null |
| compCS | TBD | null |
| encCS | Encryption algorithms supported by the client | ["3des-cbc", "aes256-ctr", "aes256-cbc", "aes192-ctr", "aes192-cbc", "aes128-cbc", "blowfish-cbc", "aes128-ctr", "cast128-cbc"] |
| hassh | TBD | null |
| kexAlgs | Key exchange algorithms supported by the client | ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1", "diffie-hellman-group-exchange-sha256"] |
| keyAlgs | Public key algorithms supported by the client | ["ssh-rsa", "ssh-dss"] |
| outfile | TBD | null |
| destfile | TBD | null |
| duplicate | TBD | null |
| shasum | TBD | null |
| url | TBD | null |
| ttylog | TBD | null |
| size | TBD | null |
| filename | TBD | null |
| data | TBD | null |
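
A sketch of how an analyst might use these fields, added here as an example and not CyberLab's own code: it groups events by session_id, attributes each session to its src_ip_identifier (the same pseudonym always means the same IP), and counts login attempts per source from the events where username or password is set. The one-JSON-object-per-line layout, the short stand-in pseudonyms, and the function names are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample, not real CyberLab data: one JSON object per line (assumed
# layout), short stand-ins instead of 64-hex pseudonyms, unused fields omitted.
SAMPLE = """\
{"session_id": "s1", "src_ip_identifier": "src-A", "dst_host_identifier": "node-1", "eventid": "cowrie.session.connect", "username": null, "password": null}
{"session_id": "s1", "src_ip_identifier": "src-A", "dst_host_identifier": "node-1", "eventid": "cowrie.login.failed", "username": "root", "password": "123456"}
{"session_id": "s1", "src_ip_identifier": "src-A", "dst_host_identifier": "node-1", "eventid": "cowrie.login.failed", "username": "root", "password": "admin"}
{"session_id": "s2", "src_ip_identifier": "src-A", "dst_host_identifier": "node-2", "eventid": "cowrie.session.connect", "username": null, "password": null}
{"session_id": "s2", "dst_host_identifier": "node-2", "eventid": "cowrie.login.failed", "username": "admin", "password": "admin"}
{"session_id": "s3", "src_ip_identifier": "src-B", "dst_host_identifier": "node-1", "eventid": "cowrie.session.connect", "username": null, "password": null}
{"session_id": "s4", "src_ip_identifier": "src-A", "dst_host_identifier": "node-1", "eventid": "cowrie.login.failed", "username": "root", "password": "123456"}
"""

def load_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def summarise_sources(events):
    """Per source pseudonym: sessions, honeypot nodes reached, login attempts."""
    sessions = defaultdict(list)
    for ev in events:
        sessions[ev["session_id"]].append(ev)
    acc = defaultdict(lambda: {"sessions": 0, "nodes": set(), "attempts": 0, "creds": set()})
    for evs in sessions.values():
        # Attribute the session to the first event that names a source, so an
        # event missing src_ip_identifier still counts for the right source.
        src = next((e["src_ip_identifier"] for e in evs if e.get("src_ip_identifier")), None)
        if src is None:
            continue
        row = acc[src]
        row["sessions"] += 1
        for e in evs:
            if e.get("dst_host_identifier"):
                row["nodes"].add(e["dst_host_identifier"])
            # username/password are null except on login-attempt events
            if e.get("username") is not None or e.get("password") is not None:
                row["attempts"] += 1
                row["creds"].add((e.get("username"), e.get("password")))
    return sorted(
        ({"source": s, "sessions": r["sessions"], "nodes": len(r["nodes"]),
          "attempts": r["attempts"], "distinct_credentials": len(r["creds"])}
         for s, r in acc.items()),
        key=lambda r: (-r["attempts"], r["source"]))

if __name__ == "__main__":
    for row in summarise_sources(load_events(SAMPLE)):
        print(row)
```

A source that shows many attempts, several distinct credentials and more than one honeypot node is behaving like a credential-guessing scanner rather than a one-off connection.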


List of datasets by day

About CyberLab

CyberLab is a large, geographically distributed network of honeypots deployed at more than 50 locations in Europe and the USA. It continuously monitors cybersecurity attacks and collects large volumes of data about who the attackers are, what they are after, which targets are the most attractive, how long they stay on the attacked nodes, what tools they use, and much more.

The project is built and maintained by LTFE - Laboratory for Telecommunications, Faculty of Electrical Engineering, University of Ljubljana.
