BruteForce Lab's Blog

Hello readers and honeypot enthusiasts. As I was writing a couple of articles on basic malware analysis, I noticed today that a new visualization tool was released for Dionaea malware honeypot! In fact I had in mind to develop something along the lines of Kippo-Graph for Dioanea as well, so I am very happy to have stumble upon it (mostly by accident).

The tool is called DionaeaFR and I’ve found it really helpful in the analysis phase of a honeypot’s activity. It provides a general overview of the malicious connections but it can also zoom in on individual attacks. The fact that’s an aesthetically pleasing utility is also a big plus on my book. The only downside I’ve found is that it couldn’t process a rather large database I had (around 500mb, which btw is normal for Dionaea). The webserver it deploys was being killed after a while, but this could be due to quite low VPS specs.

DionaeaFR is written in Python, uses the Django framework and a number of other libraries, mostly client-side JS. It is maintained by Ruben Espadas. Let me guide you through its installation procedure. It is presumed that you already have Dionaea installed, using its installation guide.

1) Install pip (Python package manager) and python-netaddr package:

apt-get install python-pip python-netaddr

2) Continue with the prerequisites using pip for automated installation:

pip install Django
pip install pygeoip
pip install django-pagination
pip install django-tables2
pip install django-compressor
pip install django-htmlmin

3) Get and install django-tables2-simplefilter manually:

cd /opt/
wget https://github.com/benjiec/django-tables2-simplefilter/archive/master.zip -O django-tables2-simplefilter.zip
unzip django-tables2-simplefilter.zip
mv django-tables2-simplefilter-master/ django-tables2-simplefilter/
cd django-tables2-simplefilter/
python setup.py install

4) Download and install PySubnetTree:

cd /opt/
git clone https://github.com/bro/pysubnettree.git
cd pysubnettree/
python setup.py install

5) Compile and install Node.js from sources:

cd /opt/
wget http://nodejs.org/dist/v0.8.16/node-v0.8.16.tar.gz
tar xzvf node-v0.8.16.tar.gz
cd node-v0.8.16
./configure
make
make install

6) Install LESS using npm (Node.js package manager):

npm install -g less

7) Download DionaeaFR itself:

cd /opt/
wget https://github.com/RootingPuntoEs/DionaeaFR/archive/master.zip -O DionaeaFR.zip
unzip DionaeaFR.zip
mv DionaeaFR-master/ DionaeaFR

8) Get Maxmind’s GeoIP and GeoLite databases for DionaeaFR:

cd /opt/
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
gunzip GeoLiteCity.dat.gz
gunzip GeoIP.dat.gz
mv GeoIP.dat DionaeaFR/DionaeaFR/static
mv GeoLiteCity.dat DionaeaFR/DionaeaFR/static

9) (optional) Edit DionaeaFR’s settings file located at /opt/DionaeaFR/DionaeaFR/settings.py. There you might want to change line 17 that points to Dionaea’s SQLite db. If you have followed the official installation guide for Dionaea this is already correct.

Update July 2014: Step 9 is no longer optional. You have to also change the “STATIC_ROOT” variable inside settings.py to “<DionaeaFR’s folder>/static/”.

10) We are ready to start the webserver:

cd /opt/DionaeaFR/
python manage.py collectstatic #type yes when asked
python manage.py runserver 0.0.0.0:8000

The interface is now accessible through: http://SERVER-REMOTE-IP:8000
Let’s take a closer look to a small dataset created after four hours on an low-end VPS…