Amun statistics

Amun has been running away quite happily in my lab since initial install. From a statistic perspective my wor has been made really easy as Miguel Cabrerizo has previously taken one of the InfoSanity statistic scripts written for Nepenthes and Dionaea and adapted it to parse Amun’s submission.log files.
Results generated from the script in my environment are below, if you’re wanting to get an overview of submissions from another Amun sensor the script has been uploaded alongside the other InfoSanity resources and is available here.

~$ cat /opt/amun/logs/submissions.log* | ./amun_submission_stats.py
Statistics engine written by Andrew Waite (www.infosanity.co.uk) modified by Miguel Cabrerizo (diatel.wordpress.com)
Number of submissions      : 25
Number of unique samples   : 25
Number of unique source IPs: 18
Origin of the malware:
Ukraine :     1
None :     7
Poland :     2
Romania :     1
United States :     8
Russian Federation :     2
Hungary :     1
Norway :     1
Bulgaria :     2
Vulnerabilities exploited:
MS08067 :    13
DCOM :    12
Most recent submissions:
2010-05-31, 11:37:22, 208.53.183.164, 63.exe, acf5c09d547417fe53c163ec09199cab, MS08067
2010-05-30, 19:23:09, 208.53.183.162, 63.exe, 89b578839f1c39f79d48e5f9e70b5e2f, MS08067
2010-05-28, 10:27:03, 208.53.183.162, 63.exe, f7c4f677218070ab52d422b3c018a4ba, MS08067
2010-05-27, 16:23:14, 195.34.117.180, ssms.exe, 1f8a826b2ae94daa78f6542ad4ef173b, DCOM
2010-05-24, 19:46:35, 208.53.183.163, 63.exe, 53979f1820886f089a75689ed15ecf6e, MS08067

A comment on a recent post asked for a comparison between different honeypots, while this is far from conclusive and only focuses on a single aspect of the technologies one of InfoSanity’s Nepenthes sensors ‘saw’ more attacks in the last 24hrs than my Amun installation did in the almost three weeks shown above. As both are running within the same, small, IP allocation I think I’m safe in assuming that one IP isn’t actually receiving a disproportionate level of interest from the badguys and bots that are out there.
— Andrew Waite

Join the conversation

6 Comments

  1. Thanks for the link to your script – copying and pasting from the pdf on Miguel’s blog was throwing me into the fun world of Python indent errors 🙂
    That’s a shame that it sounds like Amun notices less attacks than Nepenthes. Amun and Nepenthes have been the smoothest installations for me so far, we’ll see if I get similar lower results than Nepethenes in 24 hours with Amun.
    Honeyd has been a nightmare so far 🙂 I think it’s because its design (using unused IP space) doesn’t suit me. Its bug of dropping back to ‘nobody’ permissions despite config settings meant I couldn’t use the Debian-packaged option either.
    Dionaea installed ok but I’ve had permissions issues logging to the sqlite database. A shame since I don’t want to use something deprecated like Nepethenes instead, but I really like it 🙂
    Thanks again.

    1. 😀 I had the same problem from the pdf, eventually gave up and asked Miguel to email me the original (Thanks Miguel). I’ve had similar issues to what you describe in getting vary installations working, biggest problem I have is that I can’t always dedicate large amounts of time to deal with an issue so the problem keeps dragging on, even when it could be something simple and easily fixed.
      Let me know if you get any interesting results, always interested to know if others are getting similar results to my own.
      –Andrew

    2. Hi,
      I’m so sorry that you had problems with the PDF. Thank you Andrew for hosting the file, I’ve updated the download link 🙂

  2. dionaea’s logsqlite does not work with chrooting – as pythons sqlite3 wrapper stores the absoulte path, and reopens the sqlite database for transactions – after chrooting, so the path to the database is incorrect.
    Changing the user is counterintuitive too, as pythons sqlite is special again.
    If you chown the database file ( /opt/dionaea/var/dionaea/logsql.sqlite ) to the user you drop to, and set -rw-r–r– permissions, it should work anyway.
    I just sent you a mail, so we can work it out and update the docs.
    Now, some shameless advertising …
    That said, even if your ipspace is not that contaminated, participating in the collaborative sensor network (logxmpp) currently gives about 5 new/uniq files a day.
    More participants, more files, participating already?

    1. Hi Markus, no problem with the shameless advertising 😉
      I must get time to rebuild and update my Dionaea installation as I really want to try out the logxmpp features and get those extra submissions; usual problem with lack of dedicated time, it’s near the top of my to-do list, but it’s also been there for a while 🙁

      1. Andrew,
        The results i get using the logxmpp network are great. I sure recommend it, when you have some time to spare.

Leave a comment

Your email address will not be published. Required fields are marked *