
gnuplotsql.py

2010/10/01

Development of new features for Dionaea has been fairly impressive of late, and I’ve been lax in keeping up to date. When Markus asked if I’d tested the graph utility that he created and wrote about here, it served as a kick to stop putting off some of the jobs I’ve got on the growing to-do list.

I won’t go into too much detail about running the script, as Markus has already done a better job than I could. However, I will point out that if you run your Dionaea installation on Debian stable, then you’re out of luck: the standard sqlite packages are too old for the script. The best advice is to copy your logsql.sqlite database to a Ubuntu machine and work from there (oh, and in case you didn’t guess from the script name, make sure you’ve actually installed gnuplot…).

A powerful machine is recommended: the only Ubuntu system I had to hand whilst testing was my AA1 netbook, which took 85 minutes to crunch through the script and my database.

I have immediately found the graphs produced useful as they’ve highlighted a couple of obvious spikes (see below) in activity that I would have (and did) miss if solely relying on log files and databases. This really shows the power and importance of visualising security and log information.
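As an added example (not code from this post and not part of gnuplotsql.py), the script below does in a few lines what the graphs do visually: it aggregates a logsql.sqlite database per day (accepted connections, offers, downloads, unique binaries), flags days whose connection count is far above the median, and lists days where downloads outnumber accepted connections. It builds a small constructed in-memory database rather than reading a real one, and it assumes the Dionaea logsql table and column names shown in its schema string (connections.connection_timestamp as a UNIX epoch; offers and downloads keyed on connection), which you should verify against your own file with `.schema` in sqlite3 before pointing `daily_stats` at it.

```python
"""Added example, not code from the post or from gnuplotsql.py: aggregate a
Dionaea logsql.sqlite database per day and flag days that spike.

Assumption: the table and column names below follow Dionaea's logsql
schema as I know it (connections.connection_timestamp is a UNIX epoch;
offers and downloads reference connections.connection).  Verify with
`sqlite3 logsql.sqlite .schema` before running this on a real file.
"""
import sqlite3
import statistics
from datetime import datetime, timezone

# Subset of the logsql schema needed here (assumed, see above).
SCHEMA = """
CREATE TABLE connections (
    connection           INTEGER PRIMARY KEY,
    connection_type      TEXT,     -- 'accept', 'connect', 'listen', ...
    connection_protocol  TEXT,     -- 'smbd', 'httpd', ...
    connection_timestamp INTEGER,  -- UNIX epoch seconds
    remote_host          TEXT
);
CREATE TABLE offers (
    offer      INTEGER PRIMARY KEY,
    connection INTEGER,
    offer_url  TEXT
);
CREATE TABLE downloads (
    download          INTEGER PRIMARY KEY,
    connection        INTEGER,
    download_url      TEXT,
    download_md5_hash TEXT
);
"""

# One row per day, built with LEFT JOINs so days without downloads still
# appear.  COUNT(DISTINCT ...) ignores the NULLs produced by the outer joins.
DAILY_SQL = """
SELECT date(c.connection_timestamp, 'unixepoch') AS day,
       COUNT(DISTINCT c.connection)        AS connections,
       COUNT(DISTINCT o.offer)             AS offers,
       COUNT(DISTINCT d.download)          AS downloads,
       COUNT(DISTINCT d.download_md5_hash) AS uniq_binaries
FROM connections c
LEFT JOIN offers    o ON o.connection = c.connection
LEFT JOIN downloads d ON d.connection = c.connection
WHERE c.connection_type = 'accept'
GROUP BY day
ORDER BY day
"""
COLUMNS = ("day", "connections", "offers", "downloads", "uniq_binaries")


def build_sample_db():
    """Constructed sample data: eight days of quiet SMB traffic, except
    day 2 (every connection pulls two binaries) and day 5 (a burst of
    connections).  Hashes and addresses are made up."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    day0 = int(datetime(2010, 8, 1, tzinfo=timezone.utc).timestamp())
    cid = 0
    for day in range(8):
        n_conn = 40 if day == 5 else 5
        for i in range(n_conn):
            cid += 1
            ts = day0 + day * 86400 + i * 60
            db.execute("INSERT INTO connections VALUES (?, ?, ?, ?, ?)",
                       (cid, "accept", "smbd", ts, f"10.0.0.{i % 20}"))
            url = f"http://198.51.100.{i % 20}/x.exe"
            if i % 2 == 0:
                db.execute("INSERT INTO offers (connection, offer_url) VALUES (?, ?)",
                           (cid, url))
            n_dl = 2 if day == 2 else (1 if i % 2 == 0 else 0)
            for k in range(n_dl):
                db.execute("INSERT INTO downloads (connection, download_url, "
                           "download_md5_hash) VALUES (?, ?, ?)",
                           (cid, url, f"md5_{(i + k) % 3:02d}"))
    db.commit()
    return db


def daily_stats(db):
    """Return the per-day counts as a list of dicts, oldest day first."""
    return [dict(zip(COLUMNS, row)) for row in db.execute(DAILY_SQL)]


def find_spikes(stats, key="connections", factor=3.0):
    """Days where `key` exceeds `factor` times the median across all days.
    The median is the baseline so a single spike cannot drag the baseline
    up the way a mean would."""
    baseline = statistics.median(s[key] for s in stats)
    return [s["day"] for s in stats if baseline > 0 and s[key] > factor * baseline]


def downloads_outnumber_connections(stats):
    """Days with more downloads than accepted connections; those are the
    days whose individual connections deserve a closer look."""
    return [s["day"] for s in stats if s["downloads"] > s["connections"]]


if __name__ == "__main__":
    stats = daily_stats(build_sample_db())
    for s in stats:
        print("{day}  conn={connections:3d}  offers={offers:3d}  "
              "downloads={downloads:3d}  uniq={uniq_binaries}".format(**s))
    print("connection spikes:", find_spikes(stats))
    print("downloads > connections:", downloads_outnumber_connections(stats))
```

To run it against a real database, replace `build_sample_db()` with `sqlite3.connect("logsql.sqlite")`; the median-based threshold is deliberately crude, since the point is to see which days merit opening the log files, not to replace the graphs.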

[Image: dionaea-overview - from gnuplotsql.py]

If you’re interested, the output for the InfoSanity installation is now online here. I’m looking to expand the statistics from the InfoSanity honeypot environment that are publicly available, and this makes a nice start. As always, big thanks to Markus and the carnivore.it team for the effort.

— Andrew Waite

Categories: Dionaea, Honeypot, Tool-Kit
  1. Markus
    2010/10/01 at 19:22

    http://www.infosanity.co.uk/stats/dionaea/2010/08/index.php#overview_smbd
    This one is interesting.
    Basically way more malware downloads than accepted connections in August 2010.
    Using the sqlite db you can figure out which connection caused this and I’d be glad if you could hand me the bitstream of this connection.

    • 2010/10/02 at 13:41

      Ask and ye shall receive, should be in your inbox.

    • shahrooz
      2013/11/12 at 17:35

      Dear Markus

      I faced a weird problem. My Dionaea is working correctly over VPS now and it’s collecting the attack information in the log files, and sandboxes are informing me about binary attacks, but my logsql.sqlite file is almost empty: some important tables such as the “Connection” table are completely empty, but the “dcerpcserviceops” table has some data.

      Have you faced a problem like this, or do you have any experience with this issue?

      Regards,
      Shahrooz

  2. sai
    2011/02/01 at 12:25

    Can you give me a detailed explanation of how to analyze the gnuplotsql graph, please?

    • 2011/02/03 at 08:51

      Sai,

      it’s a graph: time along the bottom, higher bar = more hits; the legend explains what each colour represents

  3. sai
    2011/02/10 at 07:40

    How can I contact legend? Please help me.

  4. sai
    2011/02/14 at 05:44

    Actually, what I meant is: can you explain to me what offer, download and uniq in the legend are, please?

  5. Ivan Riboldi
    2013/02/06 at 12:44

    What should I do to generate some graphics? I installed dionaea and it’s working well. I exported my logsql.sqlite to another computer to work on and don’t have any problem, but I can’t create these graphics. Can you help me?

    • 2013/02/06 at 12:46

      Only additional library that you may need to install is for gnuplot, but this may/will be distro specific.

      • Ivan Riboldi
        2013/02/06 at 15:11

        I installed gnuplot in my ubuntu 11.04, but when I try to execute this command gnuplot home/usr/riboldi/Downloads/logsql.sqlite

        the system returns this error message

        root@redes15-Digitron:~# gnuplot /home/usr/riboldi/Downloads/logsql.sqlite

        SQLite format 3
        ^
        “/home/usr/riboldi/Downloads/logsql.sqlite”, line 1: invalid command

      • 2013/02/07 at 10:12

        Looks like you’re just calling gnuplot direct, not the gnuplotsql.py script. Assuming the script is in your current directory, command should be:
        #./gnuplotsql.py /path/to/logsql.sqlite

    • shahrooz
      2013/11/12 at 17:37

      Hi Dear Ivan

      I faced a weird problem. My Dionaea is working correctly over VPS now and it’s collecting the attack information in the log files, and sandboxes are informing me about binary attacks, but my logsql.sqlite file is almost empty: some important tables such as the “Connection” table are completely empty, but the “dcerpcserviceops” table has some data.

      Have you faced a problem like this, or do you have any experience with this issue?

      Regards,
      Shahrooz

  6. Ivan Riboldi
    2013/02/08 at 23:51

    When I try this command the system gives this answer: -bash: ./gnuplotsql.py: file or directory not found.

    I made my dionaea installation through your how-to (http://andrewmichaelsmith.com/2012/02/quick-install-of-dionaea-on-ubuntu/). Should I install anything more?

    Thanks,

    • 2013/02/09 at 10:20

      Few points:
      Those install instructions aren’t mine; whilst repository package installs can be easier, Dionaea is actively developed. I’d always recommend installing from source; the official documentation is very comprehensive.

      From the error, you’re either not in the same directory as gnuplotsql.py as I’d assumed (cd to right directory) or the script doesn’t have execute permissions (chmod +x gnuplotsql.py).
