
Starting with Dionaea

2009/11/09

As my previous post states, my Nepenthes system has been retired. In its place I’m building up a Dionaea system. The new features proposed by Dionaea should go a long way to improving on a couple of Nepenthes’ shortcomings; a good comparison of the two systems can be found on the Nepenthes blog (post of October 27th). But what really caught my attention was the recent post on November 6th detailing the improved logging capabilities that are going to be built into Dionaea. I intend to cover these features at a later date once I’ve had more time to get used to the new system.

I must admit that I was shocked by the ease of installation and compilation. The instructions on Dionaea’s home page look a bit long-winded to me, especially as I’m used to the ease of ‘apt-get’, and past experience with manual compilation of source code always leaves me expecting a headache. This was doubled when I discovered my available hardware is starting to show signs of its age and was unable to successfully complete a fresh install of the latest Ubuntu, resulting in some of my components not quite meeting the written requirements. Somehow though I managed to muddle through the compilation instructions without issue, and now have a working Dionaea install.

Getting the system started was also a breeze: a one-line command as prescribed in the documentation and the system is live. Unsurprisingly it didn’t take long to get my first hits, retrieving my first binary within 40 minutes of first starting the system. As I restarted several times whilst playing with config settings it could be that I missed a compromise that would have shortened this time frame in the real world.

So far I have only made a couple of changes to the config: replacing the dev’s email with my own to receive sandbox reports for collected binary samples (thanks for pointing that out on the mailing list, I probably would have missed it) and enabling the ihandler for p0f to try and take advantage of the system’s included fingerprinting capabilities.

As I’ve always liked statistics from honeypot systems, here is what I’ve got so far:

  • Running approximately 4 hours
  • Logged 20 unique attacks
  • Retrieved 4 unique malware binaries (and received the third party sandbox reports)
  • Generated 10,000+ log entries

Finally, thanks to the dev team for continuing to build and improve systems that I love to use. I couldn’t do half of what I do without quality systems to work with.

Andrew Waite

Categories: Dionaea, Honeypot, Malware
  1. Yaggi
    2009/11/11 at 09:31

    Hi, I’m still new to this Dionaea package. I’m done with the installation. How can I make it work, i.e.:

    1. Where to look for the logs (how can I change the log path, /var/log)?
    2. How can I make Dionaea start automatically after a restart?
    3. I installed SSHD to remotely administer it but port 22 seems filtered.
    4. How can I create 4 IPs/machines on the installed box so that attackers may think there are more machines on it?

    I’m hoping you could help.

  2. Yaggi
    2009/11/11 at 09:32

    I hope you can share your detailed procedure on how you did make it running.

    I’m using Ubuntu 9.04 (1 NIC) and successfully installed Dionaea.

  3. 2009/11/11 at 10:02

    Hi Yaggi,

    I’ll help where I can:
    1. On my install (following the procedure detailed on the Dionaea website) my logs are found under /opt/dionaea/var/. You should be able to change the logging locations by editing the dionaea.conf file (in my case, /opt/dionaea/etc/dionaea/dionaea.conf).
    2. Automatic starting isn’t something I’ve implemented yet (not a desired feature with my setup); a quick Google search should provide plenty of assistance.
    3. First, check to make sure that nothing is already running on tcp 22 (netstat -antp). Other than that, check your host and perimeter firewall configurations.
    4. Multiple IPs isn’t something that I’ve implemented yet. Looking through the configs I *think* that if you assign the additional IP addresses as sub-interfaces on your main NIC, Dionaea should pick those up on start-up.

    Afraid I haven’t got much else to add for a detailed procedure; I simply followed the instructions and had everything work first time. If you’re having issues with the install, the best place to look for additional support would likely be the Nepenthes mailing list.

    Hope this helps, happy hunting.

  4. Leon
    2009/11/13 at 07:44

    Hey Andrew,

    This is really a weird coincidence, since I am in the middle of migrating from Nepenthes to Dionaea myself. Really nice to read your experiences. So far my experience and caught malware is great, although I do get more “supposed” malware that ClamAV finds okay.
    What are your findings?

    Cheers,
    Leon

    (I’m following you on Twitter, b.t.w. 😉)

    • 2009/11/13 at 09:00

      Hi Leon,

      glad you’re finding my postings useful, never really know if anyone is actually interested in my mutterings or if I’m just talking to my keyboard 😉

      I also mirror your findings, getting several samples that AV claims are ‘clean’. But as nothing should be communicating with my server, since it has no legitimate services, I feel it is usually safe to assume that the sample is still not user friendly. False negatives are unfortunately too common with AV products, especially when only scanning on file signature rather than actual activity as well; I occasionally re-scan my ‘clean’ binaries after a few AV signature updates and find my number of ‘clean’ samples diminishes over time.

      Andrew
      (P.S. not sure if I’m following you back on Twitter; some of the people I’m following occasionally go ‘missing’. Hit me up with your Twitter ID and I’ll make sure I’ve still got you listed.)

      • 2009/11/13 at 09:08

        Never mind, found your twitter account 😉
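The re-scan routine described in the exchange above (scan again after signature updates and watch the ‘clean’ count shrink), as an added example written for this page rather than code from the post or from Dionaea. It keeps a ledger of each sample’s verdict keyed by sha256 and reports the OK-to-detected transitions. Assumed: the samples directory (Dionaea’s binaries path is a guess), the ledger path, and a clamscan-style scanner whose output lines look like "path: OK" or "path: Signature.Name FOUND"; all three can be overridden via environment variables.

```shell
#!/bin/sh
# Added example for this page, not from the post or Dionaea: keep a ledger of the
# scanner verdict for every captured binary and, on each re-scan, report samples
# that were "clean" last time but are flagged now.
# Assumptions (override via environment): samples are files under SAMPLES
# (Dionaea's binaries directory, path assumed); the scanner prints clamscan-style
# lines, "path: OK" or "path: Signature.Name FOUND"; the ledger path is arbitrary.
SAMPLES="${SAMPLES:-/opt/dionaea/var/dionaea/binaries}"
LEDGER="${LEDGER:-/var/lib/honeypot/verdicts.txt}"
SCANNER="${SCANNER:-clamscan --no-summary}"

# verdict FILE -> "OK", the signature name, or "ERROR" if the scanner said nothing.
# $SCANNER is deliberately unquoted so "clamscan --no-summary" splits into words.
verdict() {
    v=$($SCANNER "$1" 2>/dev/null | awk -F': ' 'NF > 1 { s = $NF; sub(/ FOUND$/, "", s); print s; exit }')
    [ -n "$v" ] && echo "$v" || echo "ERROR"
}

# rescan DIR -> rewrites the ledger (one "sha256 verdict" line per file) and
# prints "NEW DETECTION <sha256> <signature>" for each OK -> detected transition.
# Keying by content hash means renamed or re-downloaded copies are still matched.
rescan() {
    dir=$1
    new=$(mktemp)
    [ -f "$LEDGER" ] || : >"$LEDGER"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        h=$(sha256sum "$f" | cut -d' ' -f1)
        v=$(verdict "$f")
        old=$(awk -v h="$h" '$1 == h { print $2; exit }' "$LEDGER")
        if [ "$old" = "OK" ] && [ "$v" != "OK" ] && [ "$v" != "ERROR" ]; then
            echo "NEW DETECTION $h $v"
        fi
        echo "$h $v" >>"$new"
    done
    mv "$new" "$LEDGER"
}

# clean_count -> number of samples whose latest verdict is still OK
clean_count() {
    awk '$2 == "OK" { n++ } END { print n + 0 }' "$LEDGER"
}

# Usage: ./rescan.sh rescan [DIR]   or   ./rescan.sh clean
case "${1:-}" in
    rescan) rescan "${2:-$SAMPLES}" ;;
    clean)  echo "$(clean_count) samples still rated clean" ;;
esac
```

Run it from cron after each signature update; a sample that never leaves the OK column is the one worth sending to a sandbox or looking at by hand, since a binary dropped on a box with no legitimate services is suspect regardless of what the scanner says.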

  5. Leon
    2009/11/13 at 09:17

    Actually, I think it’s great having the opportunity to exchange ideas and experiences, since Dionaea is still kind of rough around the edges 🙂
    Funny though that you mentioned installing Dionaea was a breeze. It took me a considerable amount of coffee and screen-staring to get Dionaea running.

  6. Yaggi
    2009/11/16 at 07:06

    I hope this helps when starting Dionaea automatically during start-up.

    ===========================
    1. How can I make Dionaea start automatically?

    Depends on the distribution; there are startup scripts for Nepenthes
    for some distributions, it should be easy to adjust them.

    Run the script during system boot-up only (don’t run it when you shut down or restart; see http://lifeuml.com/addingremoving-shell-scripts/ or https://help.ubuntu.com/community/RcLocalHowto).

    – create a file in /etc/init.d (test.sh):

        #!/bin/sh
        # start Dionaea in the background: run in the foreground, the script
        # would never return and the rest of the boot sequence would stall
        /opt/dionaea/bin/dionaea -l all,-debug -L '*' &

    – make it executable: sudo chmod +x test.sh
    – test that it works: sudo ./test.sh
    – sudo update-rc.d -f test.sh start 99 2 3 4 5 .   (run at startup: select only this)
    – sudo update-rc.d -f test.sh start 1 0 6 .   (run at reboot)
    – restart or shut down the machine (during this action the script should not start, because we only chose to run it during boot-up)

    • 2009/11/16 at 09:37

      Hi Yaggi,

      thanks for sharing your findings, will save me some Googling when I try the same, much appreciated.
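Following the start-up recipe above, here is an added start/stop/status wrapper with a pidfile, written for this page; it is not Dionaea’s own init script nor the commenter’s. It keeps the command line from the post (-l all,-debug -L '*'); the install prefix, pidfile and log locations are assumptions and can be overridden via environment variables. The point it adds is the handling a real init script needs: the daemon is backgrounded so boot does not stall, the pidfile is checked for a stale entry after a crash, and stop escalates from SIGTERM to SIGKILL.

```shell
#!/bin/sh
# Added example for this page (not Dionaea's own init script): start/stop/status
# wrapper with a pidfile, suitable for /etc/init.d or rc.local.
# Assumed, override via environment: install prefix, pidfile and log locations.
# The log flags are the ones used in the post.
DIONAEA_BIN="${DIONAEA_BIN:-/opt/dionaea/bin/dionaea}"
DIONAEA_ARGS="${DIONAEA_ARGS:--l all,-debug -L *}"
PIDFILE="${PIDFILE:-/var/run/dionaea.pid}"
LOGFILE="${LOGFILE:-/var/log/dionaea-console.log}"

# 0 if the pidfile names a live process, 1 otherwise; a stale pidfile
# (left by a crash or an unclean reboot) is removed so start can proceed.
dionaea_status() {
    [ -f "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE")
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        return 0
    fi
    rm -f "$PIDFILE"
    return 1
}

dionaea_start() {
    if dionaea_status; then
        echo "dionaea already running (pid $(cat "$PIDFILE"))"
        return 0
    fi
    # Split the flags into words without letting '*' (from -L '*') glob the cwd.
    set -f
    set -- $DIONAEA_ARGS
    set +f
    # Background it: an init script that runs the daemon in the foreground
    # never returns and stalls the rest of the boot sequence.
    "$DIONAEA_BIN" "$@" >>"$LOGFILE" 2>&1 &
    echo $! >"$PIDFILE"
    sleep 1
    if ! dionaea_status; then
        echo "dionaea exited immediately, see $LOGFILE" >&2
        return 1
    fi
    echo "dionaea started (pid $(cat "$PIDFILE"))"
}

dionaea_stop() {
    if ! dionaea_status; then
        echo "dionaea not running"
        return 0
    fi
    pid=$(cat "$PIDFILE")
    kill "$pid"
    wait "$pid" 2>/dev/null || true   # reaps it when we are the parent (restart case)
    for i in 1 2 3 4 5 6 7 8 9 10; do
        kill -0 "$pid" 2>/dev/null || break
        sleep 1
    done
    if kill -0 "$pid" 2>/dev/null; then
        kill -9 "$pid"   # did not honour SIGTERM within 10 s
    fi
    rm -f "$PIDFILE"
    echo "dionaea stopped"
}

case "${1:-}" in
    start)   dionaea_start ;;
    stop)    dionaea_stop ;;
    restart) dionaea_stop; dionaea_start ;;
    status)  if dionaea_status; then echo "running"; else echo "stopped"; exit 1; fi ;;
    "")      ;;   # sourced or run without an action: only define the functions
    *)       echo "usage: $0 {start|stop|restart|status}" >&2; exit 2 ;;
esac
```

Because the script has a working stop action, registering it for runlevels 0 and 6 with a stop link is now harmless, which removes the reason the recipe above had to avoid running on shutdown.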

  7. Yaggi
    2009/11/17 at 05:56

    Another set of instructions to set up your box with 4 vulnerable IPs (thanks to Markus from Nepenthes).

    3. How can I create 4 IPs/machines on the installed box? (Don’t touch /etc/network/interfaces.) I’m using Ubuntu with 1 NIC only.

    If you have 4 IP addresses, that’s easy; if you do not have 4 IPs, it
    is not possible at all.
    Dionaea checks for existing IP addresses at startup, and claims all by
    default; you can change this in the config:

    Directory: /opt/dionaea/etc/dionaea/dionaea.conf

        listen =
        {
            /* basically we have 3 modes
               - getifaddrs - auto
                 will get a list of all ips and bind a service to each ip
               - manual - your decision
                 addrs has to be provided, and should look like this
                 addrs = { eth0 = ["1.1.1.1", "1.1.1.2"], eth1 = ["2.1.1.1", "2.1.1.2"] }
                 you get the idea ...
                 for most cases with more than one address
                 addrs = { eth0 = ["0.0.0.0"] }
                 will do the trick
                 if you want to throw in ipv6 support as well ...
                 addrs = { eth0 = ["::"] }
                 note: ipv6 does not work with surfids yet,
                 as ipv6 addresses are mapped to ipv4 and surfids fails to retrieve
                 the sensor id for ::ffff:1.2.3.4
            */

            mode = "getifaddrs"
            addrs = { eth0 = ["::"] }
        }

    If you have more than 4 addresses and want Dionaea to use 4, it should
    look like this (the first IP is the management IP).

    Issue these commands first:

        sudo ip addr add 192.168.0.1/24 dev eth0   # management, not vulnerable
        sudo ip addr add 192.168.0.2/24 dev eth0
        sudo ip addr add 192.168.0.3/24 dev eth0
        sudo ip addr add 192.168.0.4/24 dev eth0

    In dionaea.conf, change the statement

        listen =
        {
            mode = "getifaddrs"
            addrs = { eth0 = ["::"] }
        }

    to this statement:

        listen =
        {
            mode = "manual"
            addrs = { eth0 = ["192.168.0.1", "192.168.0.2", "192.168.0.3", "192.168.0.4"] }
        }

    Replace eth0 and the IP addresses with the correct values, and confirm
    using sudo netstat -anpe | grep dionaea after Dionaea startup.

    Nmap the IPs from another machine; you should see that some Windows ports are open.

    You can perform exploitation and look in the logs to see it: https://www.honeynet.org/node/488

    Install OpenSSH so you can manage it remotely (on the 1st IP).
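An added example for the multi-address procedure above, and for the "is anything already bound on tcp 22" check from the earlier reply; it is written for this page and is not code from the comment or from Dionaea. One function emits the manual listen block for a list of addresses; the other reads netstat -ant style output and reports every address/port pair that has no listener, treating a wildcard 0.0.0.0 or :: listener as covering the address. The port list is an assumption (the services you expect Dionaea to bind), and the netstat lines embedded below are constructed sample data.

```shell
#!/bin/sh
# Added example for this page (not from Dionaea or the comment above): build the
# manual "listen" block for a list of addresses and verify, from netstat output,
# that every address has each emulated service bound. PORTS is assumed to be the
# Dionaea services you expect (445 smb, 80 http, 21 ftp, 1433 mssql); adjust it
# to match your dionaea.conf.
PORTS="${PORTS:-445 80 21 1433}"

# listen_block IFACE ADDR [ADDR...] -> prints the dionaea.conf fragment
listen_block() {
    iface=$1; shift
    addrs=""
    for a in "$@"; do
        addrs="${addrs:+$addrs, }\"$a\""
    done
    printf 'listen =\n{\n    mode = "manual"\n    addrs = { %s = [%s] }\n}\n' "$iface" "$addrs"
}

# missing_listeners "ADDR ..." "PORT ..." < netstat-ant-output
# Prints ADDR:PORT for every pair with no LISTEN socket on that address; a
# wildcard 0.0.0.0:PORT or :::PORT listener counts as covering every address.
# Column 4 of `netstat -ant` is the local address, the last column the state.
missing_listeners() {
    addrs=$1; ports=$2
    listening=$(awk '$NF == "LISTEN" { print $4 }' | tr '\n' ' ')
    for a in $addrs; do
        for p in $ports; do
            case " $listening " in
                *" $a:$p "*|*" 0.0.0.0:$p "*|*" :::$p "*) ;;
                *) echo "$a:$p" ;;
            esac
        done
    done
}

# Constructed sample of `netstat -ant` output: 192.168.0.1 kept for SSH and two
# honeypot addresses, one of which is missing its HTTP listener.
SAMPLE_NETSTAT='tcp        0      0 192.168.0.1:22          0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.2:445         0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.2:80          0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.3:445         0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.3:445         10.0.0.9:51234          ESTABLISHED'

listen_block eth0 192.168.0.2 192.168.0.3
echo "not bound in the sample:"
printf '%s\n' "$SAMPLE_NETSTAT" | missing_listeners "192.168.0.2 192.168.0.3" "445 80"
# Against the live box:
#   netstat -ant | missing_listeners "192.168.0.2 192.168.0.3" "$PORTS"
#   netstat -ant | missing_listeners "192.168.0.1" "22"    # sshd on the management IP?
```

The check is worth running after every restart: in manual mode Dionaea binds exactly the addresses you list, so a typo or an address that was never added with ip addr shows up here as a missing listener rather than as a silent gap in coverage.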

  8. Yaggi
    2009/11/17 at 06:10

    Hi Andrew,

    Do you have any examples of how to retrieve shellcode using libemu on Dionaea?

    Also, do you know how to execute the retry.py script so we can replay the attack?

    • 2009/11/17 at 08:22

      Yaggi,

      I have no experience at the moment with either using libemu or the retry.py scripts (on my ever-growing to-do list). However, I think Markus has just answered this or a similar question on the Nepenthes mailing list; archive post here.

      Hope this helps

      • nick
        2011/10/18 at 09:50

        Is it possible to build bitstreams from one of the databases you have taken into consideration for building statistics? I’m talking about the Berlin and Paris DBs available on ftp://ftp.carnivore.it/projects/dionaea/rawdata/

        I would like to know if those DB(s) allow me to replay attacks or not.

        Thanks a lot,
        Nick

      • 2011/10/18 at 10:31

        Hi Nick,

        It’s not something I’ve tried, to be honest, so I can’t say with 100% accuracy, but I would expect that Markus’ anonymisation may strip out some of the information required to replay the attack on a different system.

        I’d suggest asking the question on the Nepenthes dev mailing list for an official confirmation either way.

      • nick
        2011/10/18 at 14:07

        Andrew Waite:
        Hi Nick,
        It’s not something I’ve tried, to be honest, so I can’t say with 100% accuracy, but I would expect that Markus’ anonymisation may strip out some of the information required to replay the attack on a different system.
        I’d suggest asking the question on the Nepenthes dev mailing list for an official confirmation either way.

        Thanks for your fast answer
        I will follow your suggestions 🙂
        Nick

  9. Nick
    2009/11/24 at 14:01

    Hi Andrew,

    I started Dionaea smoothly with Ubuntu Jaunty; no other applications are installed except for Dionaea. How can I set up the notification? I understand I need to change the default email in dionaea.conf, but is there anything else to install, like Postfix, and how must I configure it?

    • 2009/11/24 at 14:28

      Hi Nick,

      The only change I made from an email perspective was to the dionaea.conf file, for the submit modules. Dionaea itself doesn’t (unless I’ve missed an update) send email notifications for attacks or submissions against it. The email address provided is solely used to receive analysis reports from any and all sandbox submission systems you configure (CWSandbox, Anubis, etc.), so there is no need for Postfix or similar.

      If email notifications are something that you would be interested in then you could propose the functionality to Markus via the mailing list, but with the number of hits my Dionaea installation receives every day this would produce a torrent of spam which would likely just get the delete-key treatment.

      Hope this helps, let me know if you get any interesting results.

  10. Abhishek Shah
    2010/02/01 at 19:36

    Hi Andrew,
    I had installed Nepenthes on my home network but was not able to capture any malware. Now I am planning to install Dionaea and see if I can capture anything. My home network is set up in this way: there is a modem, and a wireless router is attached to it. It uses DHCP and I have set up “port forwarding” (on the router, to my laptop).
    Is there anything I have not set up or have misconfigured on the network? (Just to be sure.) Thanks for the help in advance.

    • 2010/02/01 at 19:52

      Abhishek,

      If I have your setup correct, you have Nepenthes/Dionaea running on the laptop, with the modem routing any traffic (or specific ports) from its external interface to the IP address of the honeypot service running on the laptop? Assuming my understanding is correct then you should have the setup correct.

      Have you tested your Nepenthes/Dionaea installations locally to remove the network from the equation? Either from a second machine, or the laptop itself, can you communicate with the emulated services, and can the honeypot log these interactions?

      Can you confirm that the port forwarding configuration is correct? From an external location, will traffic directed to your modem’s external IP address be routed through to your laptop? A simple test to take the honeypot configuration out of the equation would be to set up a listening netcat session on your laptop and try to connect from an external location; assuming the connection is successful, anything typed on one side of the connection should be echoed to the other. If this does not work then hopefully your modem’s logs should aid in tracking down the issue, although depending on the device your mileage may vary.

      Finally, depending on your connection, your ISP may be filtering some inbound traffic to your IP address, mostly in an effort to protect ‘normal’ users from the kind of malicious activity monitored by the honeypot. Unfortunately if this is the case then no amount of configuration on your end will resolve the issue. You may be able to get the restrictions removed by contacting your provider’s network support team, but again your mileage may vary.

      Hope this helps, happy honeypotting

  11. Wishper
    2010/07/18 at 13:59

    Hi Andrew,

    How can I test if dionaea works?

    • 2010/07/18 at 14:40

      Hi Wishper,

      depends what you need to test.

      On a simple level I often test connectivity with a netcat or telnet client: point it at an IP/port running Dionaea and connect, and you can watch the Dionaea logs to confirm the connection is successful. Alternatively this post shows testing Dionaea’s SMB share capabilities with smbclient, and the latest svn trunk is Metasploitable.

      For more in-depth testing (malware download, SQL logging, etc.) I simply place the installation on a public IP address; you’ll rapidly know if the installation is working 😉

      Hope this helps, shout if you need more.

  12. Wishper
    2010/07/18 at 15:34

    Thank you, Andrew

  13. needhelper
    2011/02/17 at 09:29

    hi andrew,

    I need help with Dionaea. When I install Dionaea on my desktop,
    the file /opt/dionaea/etc/dionaea/dionaea.conf cannot be found.

  14. haisu
    2012/08/18 at 03:39

    hi,andrew,

    I have installed Dionaea many times, and the result is the same.
    When I run dionaea, it prints the following error:

        import dionaea.sip
          File "/opt/dionaea/lib/dionaea/python/dionaea/sip/__init__.py", line 48, in <module>
            from dionaea.sip.extras import msg_to_icd, int2bytes, SipConfig, ErrorWithResponse
          File "/opt/dionaea/lib/dionaea/python/dionaea/sip/extras.py", line 9, in <module>
            import sqlite3
          File "/opt/dionaea/lib/python3.2/sqlite3/__init__.py", line 23, in <module>
            from sqlite3.dbapi2 import *
          File "/opt/dionaea/lib/python3.2/sqlite3/dbapi2.py", line 26, in <module>
            from _sqlite3 import *
        ImportError: No module named _sqlite3
        [18082012 11:02:38] python module.c:416: Import failed dionaea.services
        Aborted

    I think sqlite3 is the reason? But I installed sqlite3 and it worked; I also installed libsqlite3-dev, so why is it like this? Can you give me some tips? Thank you very much.

  15. haisu
    2012/08/19 at 03:25

    hi,
    I have resolved the sqlite3 problem. Thanks.

    Now I want to build a plain like ore.carnivore.it; what can I do?
