Starting with Amun

No single technology can do or handle every situation; the same holds true with honeypot sensors which is why I’m always interested in finding new systems to add to my environment. I’d had Amun on my list of potentials for a while, but after reading a short blog post by Miguel Cabrerizo that suggested install and setup was relatively quick and painless, it got moved up the to-do list.
As suggested the install was quick and easy, with no real problems. Since being installed the system has done what it says on the tin, emulating vulnerabilities and logging interaction with attacking sources. The sensor has been active for around 5 days and has collected 14 unique malware samples to date. Whilst not immediately being indicative of any comparison, three of these samples have not also been ensnared by Nepenthes or Dionaea sensors running within the same IP space.
The Amun log directory shows some interesting information, with logging being split between several different files. From initial results there is some interesting information collected by the system. One aspect of the logging that I’m unsure if I like is that Amun rotates it’s log files on a daily basis, so far this is resulting in my log directory getting cluttered with rotated files. For the curious available log files are:

  • amun_request_handler.log
  • amun_server.log
  • download.log
  • exploits.log
  • logging.log
  • shellcode_manager.log
  • shellemulator.log
  • submissions.log
  • successfull_downloads.log
  • unknown_downloads.log
  • vulnerabilities.log

Going forward there are a number of installation and configurations options available from Amun that I intend to experiment with; high up this list is the ability to log to a MySQL database, I’m hoping that this will provide both a convenient and powerful way to search and analyse the information collected by the sensor. In the meantime Miguel has extended one of InfoSanity’s submission_stats to gather similar statistics from Amun sensors, Miguel’s work is available here.
— Andrew Waite

amun01:/opt/amun# ls -l malware/md5sum/
total 2512
-rw-r–r– 1 root root 155648 2010-05-13 10:53 0cc3c16497214997a9aca72e387c9d9b.bin
-rw-r–r– 1 root root 444416 2010-05-12 15:43 146d61fca77d748f5a5ecff53afd30e4.bin
-rw-r–r– 1 root root 158720 2010-05-11 07:43 14a09a48ad23fe0ea5a180bee8cb750a.bin
-rw-r–r– 1 root root 159744 2010-05-11 00:29 1d419d615dbe5a238bbaa569b3829a23.bin
-rw-r–r– 1 root root 153600 2010-05-15 13:41 53098aa3e420a1be0a5e6a992dc30f3b.bin
-rw-r–r– 1 root root 176128 2010-05-10 23:35 5a951d625eb10b900eb7001892edfa77.bin
-rw-r–r– 1 root root 159744 2010-05-13 19:16 6366b14ed66bf79d6ece8ed8cb116838.bin
-rw-r–r– 1 root root 153600 2010-05-12 13:36 98eb0fdadf8a403c013a8b1882ec986d.bin
-rw-r–r– 1 root root 172032 2010-05-13 06:22 9b1bec8e5fbc9696c60422a031147d07.bin
-rw-r–r– 1 root root 159744 2010-05-13 19:16 a7b197e90b2c5d63b19dfb4797ef7710.bin
-rw-r–r– 1 root root 147456 2010-05-14 07:04 b407982b9eea8c8af3ff4f52ee71c44a.bin
-rw-r–r– 1 root root 147456 2010-05-11 07:09 b786ad96a1dfb330e05595e4657d8a61.bin
-rw-r–r– 1 root root 160768 2010-05-12 14:46 bb39f29fad85db12d9cf7195da0e1bfe.bin
-rw-r–r– 1 root root 152576 2010-05-11 00:00 fd28c5e1c38caa35bf5e1987e6167f4c.bin

Join the conversation

8 Comments

  1. Interesting!
    If you find the time, it’d be interesting to hear your thoughts on a round-up of Amun, Honeyd, Nepethenes etc (I’m looking at all three at the moment and curious as to even a table-like visual of what features each offer/don’t offer )
    I’m just a recent reader of your blog and enjoying your articles. Great infosec source 🙂

    1. Thanks for taking the time to comment, always glad to find that someone is actually finding my ramblings useful 😉
      I’d thought of doing a comparison and/or bake-off between the different honeypots I use for a while, but I haven’t been able to come up with good set of metrics that doesn’t give bias to one system over an other. The one thing that I’ve discovered in my (still short) time working with different honeypots is that each has it’s own place and the real benefit comes from running the systems side by side. Ultimately the ‘best’ technology depends on your goals, if you want general attack information I’d suggest that you’d struggle to beat honeyd. If you’re more interested in malware then a combination of Dionaea and Amun would be the way I’d go.
      Do like the idea though, will need to re-think my approach and see if I can come up with anything interesting, watch this space 😉
      –Andrew

  2. Hi,
    I was wondering if running Dionaea and Amun can be done on one machine with one IP? I know that there is some issue’s with running Nepenthes and Dionaea one one as they listen on the same ports, but I was wondering if installing Amun alongside my current dionaea installs would yield better results?

    1. It is possible, but you’ll hit the same problems as Dionaea/Nepenthes if they’re configured to bind to the same ip/port combination. You won’t be able to get both to listen on the same IP/port combination however.
      If you’re wanting to run both on the same host I’d recommend configuring each to bind to different loopback IP addresses, then forward traffic from your one public ip address via firewall (perimeter/host), depending on which honeypot you want to handle traffic for which port. That way you can change between the two systems using the single firewall configuration rather than reconfiguring each ‘pot.
      Hope this helps.

Leave a comment

Leave a Reply to Leon Cancel reply

Your email address will not be published. Required fields are marked *