ACCORDING to Internet Storm Center, a review of about three years of data from six Cowrie telnet/SSH honeypots was conducted to illustrate session diversity and fingerprinting risk. The data timeframe runs from 13 April 2022 to 21 March 2026, covering 1,206,566 sessions in total. Most sessions contain around 20 commands and last about 20 seconds, though some sessions have exceeded 25,000 commands in a single run.
The analysis also highlights that the last commands before disconnection often include attempts to alter passwords or create executables, with a notable example showing an ELF file named anthrax being constructed byte by byte. A limited Ubuntu VM comparison with Cowrie outputs demonstrates how honeypot responses can differ from real systems, suggesting ways to refine honeypot configurations and metrics such as the number of commands per session to uncover interesting activity.