Dionaea with p0f
Working my way through the compilation instructions from Dionaea whilst building up my latest sensor I was reminded of some optional functionality that I’d always intended to implement, but never found the time. First on my list was p0f (that’s a zero).
From p0f’s homepage:
P0f v2 is a versatile passive OS fingerprinting tool. P0f can identify the operating system on:
- machines that connect to your box (SYN mode),
- machines you connect to (SYN+ACK mode),
- machine you cannot connect to (RST+ mode),
- machines whose communications you can observe.
P0f can also do many other tricks, and can detect or measure the following:
- firewall presence, NAT use (useful for policy enforcement),
- existence of a load balancer setup,
- the distance to the remote system and its uptime,
- other guy’s network hookup (DSL, OC3, avian carriers) and his ISP.
Setting p0f up on the sensor should have been straightforward;
- Install with: apt-get install p0f
- Run p0f as suggested in dionaea.conf: sudo p0f -i any -u root -Q /tmp/p0f.sock -q -l
- And edit dionaea.conf’s ihandler section to enable p0f
This mostly worked, watching the p0f output it was correctly (I’m assuming) providing stats about connecting systems. The problem was that p0f info wasn’t getting saved into Dionaea’s logsqlite database, dionaea-error.log was reporting the below error with each connection:
[04122010 13:48:44] connection connection.c:827-warning: Could not connect un:///tmp/p0f.sock:0 (Permission denied)
Which seemed odd, /tmp/p0f.sock was showing as globally readable. Re-reading the Dionaea compilation instructions I noticed a comment about p0f struggling with IPv6 so has problems it Dionaea is listening on ::, which mine was. Problem solved, I edited dionaea.conf so that Listen mode was set to “manual”, and provided the interface/IP details of my network connection. Only this didn’t solve my problem…
So, why go to the effort? Main purpose behind running honeypot systems (for me) is to get a better idea understanding of what threats are actively targeting systems in the wild. At first glance the information provided by p0f can quickly help evaluate the attacking system; what OS? what connection type? is it local?
With the limited (few hours) of data I’ve already collected heres a sample of the info you can gather:
last 5 connections:
|328||822||Windows||IPv6/IPIP||2000 SP4, XP SP1+||-1||17||0||0|
|327||821||Windows||IPv6/IPIP||2000 SP4, XP SP1+||-1||17||0||0|
|326||820||Windows||2000 SP4, XP SP1+||-1||14||0||0|
|325||819||Windows||2000 SP4, XP SP1+||-1||14||0||0|
Breakdown by OS
select count(p0f_genre) as count, p0f_genre as OS
group by p0f_genre
order by count(p0f_genre) desc;
Umm, so most systems spreading malware are (likely) infected Windows systems. No great surprise there…
|5||GPRS, T1, FreeS/WAN|
|3||PIX, SMC, sometimes wireless|
|2||sometimes DSL (2)|
|2||sometimes DSL (4)|
select count(p0f_link), p0f_link
group by p0f_link
order by count(p0f_link) desc;
Unfortunately the the information provided by p0f isn’t an exact science, and as devices and systems are constantly changing it’s only going to be as accurate as it’s latest signatures/fingerprints. But setup is fairly quick, and the information and insight provided fairly interesting. So why not give it a go?