I’ve been a bit lax in writing this post; around a month ago Miguel Jacq got in contact to let me know about a couple of errors he encountered when running InfoSanity’s mimic-nepstats.py with a small data set. Basically if your log file did not include any submissions, or was for a period shorter than 24hours the script would crash out, not the biggest problem as most will be working with larger data sets but annoying non the less.
Not only did Miguel let me know about the issues, he was also gracious enough to provide a fix, the updated script can be found here. An example of the script in action is below:
cat /opt/dionaea/var/log/dionaea.log| python mimic-nepstats_v1-1.py
Statistics engine written by Andrew Waite – www.infosanity.co.uk
Number of submissions: 84
Number of unique samples: 39
Number of unique source IPs: 65
First sample seen: 2010-06-08 08:25:39.569003
Last sample seen: 2010-06-21 15:24:37.105594
System Uptime: 13 days, 6:58:57.536591
Average daily submissions: 6
Most recent submissions:
2010-06-21 15:24:37.105594, 113.37.56.28, emulate://, 56b8047f0f50238b62fa386ef109174e
2010-06-21 15:18:08.347568, 195.205.5.71, tftp://195.205.5.71/ssms.exe, fd28c5e1c38caa35bf5e1987e6167f4c
2010-06-21 15:17:08.391267, 195.117.74.62, tftp://195.117.74.62/ssms.exe, bb39f29fad85db12d9cf7195da0e1bfe
2010-06-21 06:29:03.565988, 195.160.222.101, tftp://195.160.222.101/ssms.exe, fd28c5e1c38caa35bf5e1987e6167f4c
2010-06-20 23:34:15.967299, 195.242.145.40, http://208.53.183.164/trying.exe, 094e2eae3644691711771699f4947536
— Andrew Waite
i am a newbie working on dionaea. i look at this script but it is pulling information from the sqlite database instead of the log file. so can you please explain the command which you used in the snapshot??
Hi Shoieb,
Afraid I’m not sure what you’re asking. The log file is very verbose, mainly used for debugging and not great for parsing. The recommended method for querying the data generated by Dionaea is to use the SQLite database.
New to this as well. I run the script and I get the following:
Statistics engine written by Andrew Waite – http://www.infosanity.co.uk
Number of submissions: 0
Number of unique samples: 0
Number of unique source IPs: 0
jeremy@ubuntu:~$
I have dionaea running as well as p0f. What am I missing?
Hi Jeremy,
the nepstat-mimic script relies on Dionaea’ sqlite database; things to check first:
Hope this helps, happy honeypotting.
Andrew
I do have SQLite enabled in the configuration file, what paths need to match, the one in the conf and the actual *.sqlite file? If so, then yes.
logsql = {
mode = “sqlite” // so far there is only sqlite
sqlite = {
file = “/var/dionaea/logsql.sqlite”
}
}
When I try to view the log in sqlite (sqlite3 logsql.sqlite > select * from logsql.sqlite ) I get ” Error: unable to open database “logsql.sqlite”: unable to open database file”
I am fairly certain that Dionaea can write to the database file.
I do not believe that Dionaea is seeing any traffic only “warning” messages