Amun statistics
Amun has been running away quite happily in my lab since the initial install. From a statistics perspective my work has been made really easy, as Miguel Cabrerizo has previously taken one of the InfoSanity statistics scripts written for Nepenthes and Dionaea and adapted it to parse Amun’s submissions.log files.
Results generated from the script in my environment are below; if you want an overview of submissions from another Amun sensor, the script has been uploaded alongside the other InfoSanity resources and is available here.
~$ cat /opt/amun/logs/submissions.log* | ./amun_submission_stats.py
Statistics engine written by Andrew Waite (www.infosanity.co.uk) modified by Miguel Cabrerizo (diatel.wordpress.com)
Number of submissions : 25
Number of unique samples : 25
Number of unique source IPs: 18

Origin of the malware:
Ukraine : 1
None : 7
Poland : 2
Romania : 1
United States : 8
Russian Federation : 2
Hungary : 1
Norway : 1
Bulgaria : 2

Vulnerabilities exploited:
MS08067 : 13
DCOM : 12

Most recent submissions:
2010-05-31, 11:37:22, 208.53.183.164, 63.exe, acf5c09d547417fe53c163ec09199cab, MS08067
2010-05-30, 19:23:09, 208.53.183.162, 63.exe, 89b578839f1c39f79d48e5f9e70b5e2f, MS08067
2010-05-28, 10:27:03, 208.53.183.162, 63.exe, f7c4f677218070ab52d422b3c018a4ba, MS08067
2010-05-27, 16:23:14, 195.34.117.180, ssms.exe, 1f8a826b2ae94daa78f6542ad4ef173b, DCOM
2010-05-24, 19:46:35, 208.53.183.163, 63.exe, 53979f1820886f089a75689ed15ecf6e, MS08067
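The headline numbers above (submissions, unique samples, unique source IPs, counts per exploited vulnerability, newest submissions) are simple to reproduce from a parsed record list. The script below is an added example, not the InfoSanity/Miguel Cabrerizo script and not Amun’s own code. It assumes input records in the comma-separated shape that the “Most recent submissions” rows print (date, time, source IP, filename, MD5, vulnerability); that is an assumption for the example and is not Amun’s native submissions.log layout, so parse_record() would need adapting to the real file. The sample input is the five rows shown on the page plus one constructed row that re-submits an already seen MD5, so the unique-sample count comes out lower than the submission count. The per-country “Origin of the malware” table is left out, since it needs a GeoIP database.

```python
"""Summarise honeypot malware submissions (added example, not the InfoSanity script).

Input records are assumed to be in the comma-separated form the statistics
output prints: date, time, source IP, filename, MD5, exploited vulnerability.
That shape is an assumption for this example, not Amun's native log layout.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Sample input: the five rows from the page, plus one constructed row
# (2010-06-01) that re-submits an MD5 already seen, so that unique samples
# come out lower than total submissions.
SAMPLE_RECORDS = """\
2010-05-31, 11:37:22, 208.53.183.164, 63.exe, acf5c09d547417fe53c163ec09199cab, MS08067
2010-05-30, 19:23:09, 208.53.183.162, 63.exe, 89b578839f1c39f79d48e5f9e70b5e2f, MS08067
2010-05-28, 10:27:03, 208.53.183.162, 63.exe, f7c4f677218070ab52d422b3c018a4ba, MS08067
2010-05-27, 16:23:14, 195.34.117.180, ssms.exe, 1f8a826b2ae94daa78f6542ad4ef173b, DCOM
2010-05-24, 19:46:35, 208.53.183.163, 63.exe, 53979f1820886f089a75689ed15ecf6e, MS08067
2010-06-01, 08:15:00, 208.53.183.162, 63.exe, acf5c09d547417fe53c163ec09199cab, MS08067
"""

MD5_RE = re.compile(r"[0-9a-f]{32}")


def parse_record(line):
    """Parse one record into a dict; raise ValueError on anything malformed.

    Log data produced from attacker traffic is validated field by field:
    a bogus IP or a non-hex "hash" is rejected rather than counted.
    """
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 6:
        raise ValueError("expected 6 fields: %r" % line)
    date, time, ip, filename, md5, vuln = fields
    md5 = md5.lower()
    if not MD5_RE.fullmatch(md5):
        raise ValueError("not an MD5 hex digest: %r" % md5)
    return {
        "when": datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S"),
        "ip": str(ipaddress.ip_address(ip)),  # raises ValueError on a bad address
        "filename": filename,
        "md5": md5,
        "vuln": vuln,
    }


def parse_records(text):
    """Parse every non-blank line of the input."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def summarise(records):
    """Headline counts mirroring the statistics script's output."""
    return {
        "submissions": len(records),
        "unique_samples": len({r["md5"] for r in records}),
        "unique_ips": len({r["ip"] for r in records}),
        "by_vuln": Counter(r["vuln"] for r in records),
        "by_ip": Counter(r["ip"] for r in records),
    }


def most_recent(records, n=5):
    """Newest n submissions, newest first (sorted by timestamp, not file order)."""
    return sorted(records, key=lambda r: r["when"], reverse=True)[:n]


def format_report(records, n=5):
    """Render the summary in the same layout as the statistics script."""
    s = summarise(records)
    lines = [
        "Number of submissions : %d" % s["submissions"],
        "Number of unique samples : %d" % s["unique_samples"],
        "Number of unique source IPs: %d" % s["unique_ips"],
        "",
        "Vulnerabilities exploited:",
    ]
    lines += ["%s : %d" % kv for kv in s["by_vuln"].most_common()]
    lines += ["", "Most recent submissions:"]
    for r in most_recent(records, n):
        lines.append("%s, %s, %s, %s, %s" % (
            r["when"].strftime("%Y-%m-%d, %H:%M:%S"),
            r["ip"], r["filename"], r["md5"], r["vuln"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(parse_records(SAMPLE_RECORDS)))
```

Sorting by timestamp rather than trusting file order matters once several rotated submissions.log* files are concatenated, as in the command above; the per-IP counter also makes repeat sources (here 208.53.183.162) visible, which a plain unique-IP count hides.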
A comment on a recent post asked for a comparison between different honeypots. While this is far from conclusive and only focuses on a single aspect of the technologies, one of InfoSanity’s Nepenthes sensors ‘saw’ more attacks in the last 24 hours than my Amun installation did in the almost three weeks shown above. As both are running within the same, small, IP allocation, I think I’m safe in assuming that one IP isn’t actually receiving a disproportionate level of interest from the bad guys and bots that are out there.
– Andrew Waite
Thanks for the link to your script; copying and pasting from the PDF on Miguel’s blog was throwing me into the fun world of Python indent errors.
That’s a shame that it sounds like Amun notices fewer attacks than Nepenthes. Amun and Nepenthes have been the smoothest installations for me so far; we’ll see if I get similarly lower results than Nepenthes in 24 hours with Amun.
Honeyd has been a nightmare so far
I think it’s because its design (using unused IP space) doesn’t suit me. Its bug of dropping back to ‘nobody’ permissions despite config settings meant I couldn’t use the Debian-packaged option either.
Dionaea installed OK, but I’ve had permissions issues logging to the SQLite database. A shame, since I don’t want to use something deprecated like Nepenthes instead, but I really like it.
Thanks again.
Let me know if you get any interesting results, always interested to know if others are getting similar results to my own.
–Andrew
Hi,
I’m so sorry that you had problems with the PDF. Thank you Andrew for hosting the file; I’ve updated the download link.
dionaea’s logsqlite does not work with chrooting, as Python’s sqlite3 wrapper stores the absolute path and reopens the sqlite database for transactions after chrooting, so the path to the database is incorrect.
Changing the user is counterintuitive too, as Python’s sqlite is special again.
If you chown the database file ( /opt/dionaea/var/dionaea/logsql.sqlite ) to the user you drop to, and set -rw-r--r-- permissions, it should work anyway.
I just sent you a mail, so we can work it out and update the docs.
Now, some shameless advertising …
That said, even if your IP space is not that contaminated, participating in the collaborative sensor network (logxmpp) currently gives about 5 new/unique files a day.
More participants, more files, participating already?
Hi Markus, no problem with the shameless advertising
I must find time to rebuild and update my Dionaea installation, as I really want to try out the logxmpp features and get those extra submissions; usual problem with lack of dedicated time. It’s near the top of my to-do list, but it’s also been there for a while.
Andrew,
The results I get using the logxmpp network are great. I sure recommend it when you have some time to spare.