
Updating Dionaea

2010/10/16

I’m sure this is basic for most of you, but I seem to keep making the same daft mistakes whilst updating Dionaea, so I’m hoping documenting the issues and corrections will work as a memory aid in the future.

Firstly, I can never remember Git’s equivalent to ‘svn update’, which is:

git pull

Next up is recompiling Dionaea from your updated source directory; this is no different to an initial install, as per Markus’ excellent instructions.

I keep forgetting to update my configuration file to include any directives needed for the shiny new functionality you’re upgrading to get access to. I find diff useful for identifying any new additions, for example:

/opt/dionaea/etc/dionaea# diff dionaea.conf dionaea.conf.dist

Assuming there are no major changes, you should only see differences specific to your installation, for example your email address to receive analysis reports, or your VirusTotal API key. If there are any other differences, you’ll need to add the new content.
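One way to split that diff into the two lists described above, as an added example that is not part of the original post: `only_in` is a hypothetical helper, and the two sample files are constructed, simplified stand-ins whose key names are assumptions rather than the real dionaea.conf contents.

```shell
#!/bin/sh
# Added example (not from the original post): separate "new in .dist" from
# "local-only" lines instead of reading a raw two-way diff.

# normalise FILE: strip surrounding whitespace and drop blank lines
normalise() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# only_in A B: distinct lines of A that have no exact match anywhere in B
only_in() {
    tmp=$(mktemp) || return 1
    normalise "$2" > "$tmp"
    normalise "$1" | { grep -Fxv -f "$tmp" || true; } | awk '!seen[$0]++'
    rm -f "$tmp"
}

# Constructed, simplified sample files (assumed key names, not the real config)
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/dionaea.conf" <<'EOF'
submit = {
    defaults = {
        email = "me@example.org"
    }
}
handlers = ["ftpdownload", "tftpdownload"]
EOF
cat > "$demo/dionaea.conf.dist" <<'EOF'
submit = {
    defaults = {
        email = "nobody@example.com"
    }
}
virustotal = {
    apikey = "........"
}
handlers = ["ftpdownload", "tftpdownload", "virustotal"]
EOF

echo "== In dionaea.conf.dist only (review and merge) =="
only_in "$demo/dionaea.conf.dist" "$demo/dionaea.conf"
echo "== In dionaea.conf only (your local settings) =="
only_in "$demo/dionaea.conf" "$demo/dionaea.conf.dist"
```

Matching is per line and ignores position, so a directive whose text already appears elsewhere in your config will not be flagged; keep the plain diff for context.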

From the experience I’ve had in the past week, if you encounter any unexpected problems after updating Dionaea, make sure your prerequisites are also up to date. After updating Dionaea last week to gain access to the new integration with VirusTotal’s API, my Dionaea sensor started to die randomly. Markus was a great help with troubleshooting (thanks again) and my problems were eventually corrected once it was noted that my libemu installation was outdated, with a quick ‘git pull’ and ‘make’ (again following Markus’ instructions).

As I said, this is probably basic for most of you out there, but as I keep making similar mistakes I plan to refer back to this list of daft issues before bugging anyone for support in future. You never know, it might allow someone else to retain an air of competence before proving otherwise 🙂

— Andrew

Categories: Dionaea, Honeypot
  1. 2010/10/17 at 10:26

    Great work Andrew, I’m sure many people running Dionaea have hit this roadblock just like I did 🙂

  2. Tiago
    2010/11/18 at 12:42

    Hello Andrew, in your opinion what is the best honeypot, Dionaea or Mwcollectd v4?
    What are the main differences?

    • 2010/11/18 at 13:58

      Tiago,

      afraid that I’m not really qualified to comment as I’ve not used mwcollectd. I believe that both were built as successors to Nepenthes, both use (forked) libemu as a base and both are largely similar in functionality. Looking at both releases it appears at first glance that Dionaea is more actively developed and has a larger community of users. When dealing with malware and exploits I think it’s important to remain as up to date with current weaknesses and trends as possible or you could be missing out on the more interesting results.

      I’ve been happy with Dionaea, and have no reason at this time to add a similar tool to my environment. If you try mwcollectd I’d be interested in knowing your thoughts.

      • Tiago
        2010/11/19 at 13:07

        Thank you Andrew, one of the things I noticed was the same level of updates and the community followers of Dionaea.

        I’ll probably opt for Dionaea because there are plenty of “happy” followers.

        If I test mwcollectd v4 I’ll give you feedback.

        By the way, continue the excellent work you have done!

  3. andrew_fan
    2010/12/09 at 13:19

    hi andrew,
    i have provided my email id for submission to Norman but i don’t receive any mails OR dionaea is not sending any mail/file to Norman.
    how to correct this problem?
    moreover is there any script by using which downloaded Malware binaries can be transferred to other computer also continuously?
    might be question is silly but if you can please answer – what’s your approach?

    • 2010/12/09 at 13:45

      First thing I’d check is that the Norman submissions module is enabled in your dionaea.conf. If everything looks right I’d watch your network traffic to see if the submissions are being sent to Norman. If they are then double check your email address settings (& junk folder) and potentially contact the service you’re submitting to to determine if they are receiving the submission.

      Transferring malware is the same as any other file so shouldn’t require anything too different (but I’d be a bit more careful). If you want/need continuous take a look at rsync.

  4. andrew_fan
    2010/12/10 at 04:17

    hi,
    norman analyzer is enabled in default section of ‘submit’. is there any other method?

    • 2010/12/10 at 08:58

      What do the Dionaea logs (dionaea.log & dionaea-error.log) say about submissions?

      If Dionaea believes submissions are successful I’d check connectivity and email settings; if not, what do the error logs say?

      From my side it’s not something I’ve had a problem with in the past, so experience debugging this issue is limited. If you’re still having issues I’d suggest throwing it open to the Nepenthes-dev mailing list (where I’ll still pitch in if I can help.)

  5. Tiago
    2010/12/10 at 12:52

    Hello Andrew,

    -Since you think correlating statistically events to dionae worms detection?
    If yes, what events you would like to see correlated?

    -Dionaea allows you to submit binary to sandbox for analysis (eg. CWSandbox) and obtain the metadata of analysis in a format suitable for storage in the sqlite database?

    Best Regards.

  6. Tiago
    2011/01/06 at 18:52

    Hello, I have a machine running Dionaea. I tested it with metasploit particularly with the exploit MS04-11 and MS08_067 and noticed through the execution log Dionaea the attempted attack is detected but no session is created. The worst is that the Dionaea gathers no binary file, send nothing to the virus total or to the norman sandbox. What is it that is escaping me?!

    I have uncommented ihandler virus total and curiously does not work.

  7. 2011/01/12 at 07:27

    dionaea rocks! i have started setting up my dionaea yesterday hopefully that would gather as many attacks. how long do you guys think it takes for dionaea to gather attacks? i’ll be happy with just few. 🙂

  8. 2011/01/12 at 08:29

    Hey Kreatures

    Doesn’t usually take too long to get the attention of a bot, I’d say you’ll usually get something within (at most) 24hrs.

    –Andrew
    P.S. Glad you found the picture of my Dionaea plant useful, if it’s going to be used any chance of some attribution/link-back?

  9. @sam
    2011/02/03 at 10:03

    I can’t find the file dionaea.log & dionaea-error.log.

    • 2011/02/03 at 12:03

      Hey Sam,

      if you’ve followed the install instructions on carnivore.it then the files should be in /opt/dionaea/var/log/

  10. 2011/03/10 at 10:35

    [10032011 01:35:30] processor processor.c:346: var/dionaea/bistreams/2011-03-10/ var/dionaea/bistreams/%Y-%m-%d/
    [10032011 01:35:30] dionaea dionaea.c:769: Using 1024 as limit for fds
    [10032011 01:35:30] dionaea dionaea.c:784: Installing signal handlers
    [10032011 01:35:30] dionaea dionaea.c:818: Creating 2 threads in pool

    I have started the test but there is no log file in the log folder, it’s empty. Does it mean it will be generated when there is some kind of attack? Please kindly let me know.

  11. 2011/03/10 at 11:02

    I don’t use variable paths (%Y etc.) so can’t say for certain but seem to remember this was covered on the nepenthes-dev mailing list (sorry, can’t find a link).

    If memory serves, variable paths don’t fully work under Dionaea; flip to static paths and it should work (logrotate can then be used to organise log archives.)

    If that doesn’t address the issue then throw it over to the nepenthes-dev mailing list.

  12. Tom
    2011/04/06 at 19:39

    Hi Andrew,
    Can you show me how to implement Virustotal API key into dionaea.conf file? I signed up an account on their website already.
