« Kippo-Graph 0.6.2 released.

Kippo-Graph note »

Jan 05 2012

Starting with Dionaea malware honeypot

Categories:

Honeypots, Malware

by Ion

Since Kippo is doing fine and there are some other interesting things out there apart from SSH dictionary attacks, I decided to run Dionaea as well in order to get a better understanding of malware distribution.

So, I found myself on the official Dionaea website ready to proceed. The amount of information there and the manual compilations made me think that I will surely run into much trouble but hopefully this was not the case. If you follow the instructions (and you deploy the honeypot on a Ubuntu machine) you will have no problem with the installation. I still encountered some problems later though.

My first and only trouble during install was with libnl which doesn’t seem to be located at git.kernel.org anymore as written on the guide but rather at: git://git.infradead.org/users/tgr/libnl.git. Another thing to note is that Ubuntu doesn’t need udns, so don’t install it and remove the two related parameters when running ./configure for Dionaea itself. Other than that installation was fine.

I started Dionaea with:

./dionaea -D -r /opt/dionaea -w /opt/dionaea -p /opt/dionaea/var/dionaea.pid -l all,-debug -L '*'

-D makes it run as a daemon in the background. Dionaea has a rather detailed configuration file and there are a lot of options to play with. I left the default values and just changed the logging function to automatically exclude debugging information (same with the -l all,-debug parameter above). I still need to make use of the privilege dropping feature for better security, if you have any tips on that let me know.

The honeypot was running and in only a matter of minutes I got my first connections! Dionaea keeps text-based logs but saves the data in a SQLite database as well (thank god). Roughly all of them were on port 445. One thing I noticed though was that connections were being dropped constantly by my system. Thanks to the #Nepenthes IRC channel where I had to resort, I realised that my system was not actually recheable and I had to change the listen configuration to manual mode and choose my “public” network interface as Dionaea was binding only on loopback addresses. Something like addrs = { eth0 = [“0.0.0.0”] } did the trick.

As always, I took a look at the related Infosanity’s posts for various updates and tips. I saw that Andrew has already written a script to generate some statistics. Here is what I got after ~4 hours:

python mimic-nepstats.py
Statistics engine written by Andrew Waite - www.infosanity.co.uk
Number of submissions: 20
Number of unique samples: 18
Number of unique source IPs: 18
First sample seen: 2012-01-04 22:50:12.268572
Last sample seen: 2012-01-05 02:51:15.270853
System Uptime: 4:01:03.002281
Most recent submissions:
2012-01-05 02:51:15.270853, 89.165.187.45, http://89.165.187.45:1115/entn, d987a9af709bfd188071aa3f5e027aac
2012-01-05 02:40:36.996795, 38.106.166.115, http://38.106.166.115:8927/tazhj, 628209663f62c35b996ca17850ed7862
2012-01-05 02:29:58.125629, 49.145.98.95, http://49.145.98.95:3250/rayflgug, a61bb611ab77e5bb2d3cab672392a928
2012-01-05 02:27:21.690987, 82.77.246.133, http://82.77.246.133:7825/mktyd, 1892721678e9b975c66a8cbb6ed1f340
2012-01-05 02:21:40.608644, 67.212.82.253, http://67.212.82.253:6604/ubophe, e1855fbe6cf64738bffb9dc195e38ed1

I don’t know what else to expect at this stage. For time being I will let the system run and collect some interesting (hopefully) data. I haven’t studied everything related to Dionaea yet, and I’m sure there are a lot of useful configurations and add-ons since it’s being actively developed as I’m told. If you know something that I can add to Dionaea or teach me something new about it let me know, I would appreciate it alot.

Related posts:

  1. Vagrant configuration for Dionaea malware honeypot
  2. Some Dionaea statistics
  3. Visualizing Dionaea’s results with DionaeaFR
  4. Dionaea Tested Successfully on https://Comprogear.com/Compression-Stockings-With-Zipper/
  5. How to install Thug Python client honeypot
  6. Dionaea-Vagrant demo

Tags: Dionaea

  • http://Lvdeijk.wordpress.com Leon van der eijk

    ion,

    Go to virustotal and create an account there for free. This will generate a private VT API just for your account. Adding this API key in the VT section in dionaea.conf gives you the opertunity to automatically upload malware to VT for analysis. Completely free and fully automated. And you are doing the AV community a great favor.
    Another fun feature is automatic upload to Anubis site for malware behavior analisys. That too can be found in the ihandler section.
    You sure are on a roll mate, great stuff !

    • http://bruteforce.gr Ion

      Thanks Leon, I will check both of them out today and report back.

    • shahrooz

      Hi Leon van der eijk

      There are some websites that can show malware attacks in the world map!

      Do you know how to use them? I implemented Dionaea and I want to use those kind of sandboxes!

    • Tiến Nguyễn

      Hi Leon van der eijk ,

      How to combine this dionaea malware honeypot with my cuckoo sandbox ?? And test with malware file .exe.?

  • Pingback: Securing a server with Artillery » BruteForce Lab's Blog()

  • haisu

    hi ,thanks for your tips abuout “libnl which doesn’t seem to be located at git.kernel.org “,i found this problem too,but id cant resolve it. now ,i know it.

    i have 2 questions about dionaea. 1) my ubuntu is 11.04,and the default python is 2.7. in fact ,there is two python in my systme accord to instructions. gunplosql is depend python3.2, question here ?

    2) do you try the submit section ,or use the XMPP ,or wwwhoney ,i want to learn from you about these.

    thanks ,i am a china user, not good at englis ,sorry :)

    • http://bruteforce.gr Ion

      Hello Haisu. No problem, I understood what you are saying :)

      1) Yes, Dionaea’s scripts depend on Python 3.2 but that shouldn’t be a problem. If you follow the compiling & installations instructions from http://dionaea.carnivore.it/#compiling, the new version of Python will be included in Dionaea’s directory, specifically inside dionaea/bin. So, you can run the gnuplot script using for example:

      cd /opt/dionaea/bin/
./python3.2 gnuplotsql -d /opt/dionaea/var/dionaea/logsql.sqlite -p smbd

      without using your system’s default version. Otherwise you can install Python 3.x from the repositories but as I explained it is not needed.

      2) No sorry, I haven’t tried any of those features.

  • George

    I read your blog and it’s very interesting.

    I will install Dionaea on Ubuntu 12.04. I have questions about “python mimic-nepstats.py”.

    How do I use “python mimic-nepstats.py”? First I download it? Then I run it? What directory I keep it?

    Regards,
    George

    • http://bruteforce.gr Ion

      Hello George, thanks for your interest :)

      You can download the script from this link: http://www.infosanity.co.uk/resources/scripts/dionaea/mimic-nepstats.py It doesn’t matter where you save it.

      Then, if you followed the default Dionaea installation instructions you can just run it with: 

      chmod 775 mimic-nepstats.py
./mimic-nepstats.py

      and it will display the results.

      Otherwise, if you have installed Dionaea in a directory other than ‘/opt/dionaea/’, you will have to edit the script and change lines 1 and 24 so they point to the correct locations.

      Regards.

      • George

        Hi Ion,

        Thank you very much. I will inform you about results.

        Regards,
        George

  • George

    Hi Ion,

    I just installed Dionaea on Ubuntu 12.04, successfully. I have two comments regarding the installation process “http://dionaea.carnivore.it/”.

    1) I don’t could use the git. For example, when I tried the “git clone git://git.carnivore.it/libemu.git libemu” would not let me install, can not find the path. I replaced the “git” with “http” as follows: “git clone http://git.carnivore.it/libemu.git libemu”, and I could continue with the installation.

    2) The link you provided of libnl “git://git.infradead.org/users/tgr/libnl.git” did not work, I replaced it with this “https://github.com/tgraf/libnl.git”.

    I’ll wait for the capture of malware. 😉

    I have a question, What did you configure in dionaea.conf?

    Regards,
    George.

    • http://bruteforce.gr Ion

      Hello again George.

      I don’t remember much but here are some tips: I replaced the email in the submit configuration with my own in order to get the results from the malware submission engines. I have also changed the listen configuration (as described in my post above) because it was not working by default. Next, I had entered a VirusTotal API key (you can create one at their website) in the related section and finally, be sure to delete the comments in the ihandlers section, most importantly in front of logsql (plus in front of virustotal and/or p0f if you will use those).

      Let me know how it goes.

      Regards.

  • Mara

    I faced this problem during the installation of dionaea…
    After the execution of last step… “./configure —-with….with….with….—-” I get…
    checking if all required dependencies are installed properly… configure: error: no - better read the documentation
    and when I press “sudo make” I get..
    make: *** No targets specified and no makefile found. Stop.
    Any idea why this is happening?? Should I begin the whole installation process once again?? (:-O nightmare!!!!)

    Thanks a lot!

    • http://bruteforce.gr Ion

      Geia sou Mara :)

      Aparently you made some mistakes either when installing from source one of the prerequisites, or while typing the ‘configure’ command (for example if you install Dionaea on Ubuntu you don’t need the udns component and you don’t have to input the two related lines). The ‘make’ command fails because ‘configure’ fails. If you fix the latter, it will work.

      My suggestion is that you do a ‘sudo rm -rf /opt/dionaea/’ to delete everything related to it and start from the beginning. Also notice that some things might not work if you copy-paste directly from the installation guide, for example the (optional) libnl component is no longer located at kernel.org (see my post above).

      * BTW, there is also this guide: http://andrewmichaelsmith.com/2012/02/quick-install-of-dionaea-on-ubuntu/ that describes how to install Dionaea using a PPA repository which is a pretty easy way and you don’t have to manually compile and install all of the above, but I haven’t tried it myself.

      Regards.

  • George

    Hi Ion,

    I downloaded the script “mimic-nepstats.py”. I saved it on Desktop.

    When I run:

    chmod 775 mimic-nepstats.py
    ./mimic-nepstats.py

    Displays the following:

    bash: ./mimic-nepstats.py: /opt/dionaea/bin/python3^M: intérprete erróneo: No existe el archivo o el directorio

    Do you know why this happens?

    I have reviewed the “/opt/dionaea/bin” and there are some files, including: “python3”, “python3.2”, “python3.2m”.

    Regards,
    George

    • http://bruteforce.gr Ion

      Hello George, just try: 

      python mimic-nepstats.py

      Regards.

  • Eyal

    Hey Guys,

    Did everyone try to catch PHP injections (RFI/LFI) using this solution? any luck?

    Thanks.

    • http://bruteforce.gr Ion

      Hello Eyal.

      Dionaea is basically a malware collector (mostly SMB/CIFS, port 445). If you want to catch web exploits you’ll have to setup a relevant web app honeypot like Glastopf and/or Google Hack Honeypot (GHH).

      Regards.

  • George

    Hi Ion,

    I have this capture:

    Statistics engine written by Andrew Waite - http://www.infosanity.co.uk

    Number of submissions: 2
    Number of unique samples: 1
    Number of unique source IPs: 2

    First sample seen: 2012-10-10 10:19:55.058578
    Last sample seen: 2012-10-10 10:23:13.870710
    System Uptime: 0:03:18.812132

    Most recent submissions:
    2012-10-10 10:23:13.870710, x.x.x.1, http://x.x.x.1:2122/zcgrvkwr, 68dc0e03e843cbeeb6430c50d0b9fdfe
    2012-10-10 10:19:55.058578, x.x.x.2, http://x.x.x.2:4379/hcunw, 68dc0e03e843cbeeb6430c50d0b9fdfe

    What is the analysis of this result?

    Note: x.x.x.1 and x.x.x.2 are internal IP addresses.

    • http://bruteforce.gr Ion

      Hello George, well… It is what it is actually :)

      Your honeypot was attacked and two binaries have tried to spread over to your system from two different IPs. Those two binaries were identical, as only one unique sample was captured. You could see this file locally at /opt/dionaea/var/dionaea/binaries. The other stats I think are self-explanatory.

      May I ask what’s the purpose behind your honeypot setup? Are you trying to catch malware for analysis, is it a project or something?

      Regards.

      • George

        The purpose is to monitor malicious traffic on the network of the organization and catch malware. It’s actually a project. Can you give me your email to explain more in detail?

        Regards.

  • George

    Hi Ion,

    Maybe, Do you know any honeypot that currently capture malware successfully?

    Have you heard about Surfnetids? Have you used it?
    http://ids.surfnet.nl/wiki/doku.php

    Regards.

    • http://bruteforce.gr Ion

      Hello George.

      Dionaea is actually a good tool from my experience. There are other malware honeypots like Amun but I think Dionaea is the standard for hobbyists and analysts.

      SurfIDS is not a honeypot but a distributed IDS. You setup sensors across the network and they all send data back to it. But it can work with honeypots and for example you can connect Dionaea or Amun instances to it and see their results through its web interface, etc.

      Regards.

  • George

    Hi Ion,

    I have questions regarding Honeyd and Kippo.

    Honeyd as Kippo both work the same way that Dionaea? Emulate services and capture malware? Where store the malware?

    I can do work Amun and Honeyd in the same host?

    I can do work Dionaea and Kippo in the same host?

    Regards.

    • http://bruteforce.gr Ion

      Hey George… Lots of questions… :)

      Kippo is only a SSH service emulator. So it doesn’t have anything to do with self-propagating malware.
      Yes, you can have as many honeypots you want on the same host, but you’ll have to configure which ports each one uses so there won’t be any conflicts.

      Regards.

  • George

    Hi Ion,

    Thank you very much. :)

    I have Dionaea installed on a host that is on VLAN 4. Dionaea monitors only Vlan(4) or the entire network of the organization? How do I have to configure Dionaea to monitor traffic from several VLANs of the organization?

    Regards.

    • http://bruteforce.gr Ion

      Hello George, this is not a Dionaea-related question but a networking-related one. Dionaea can see only whatever can reach its IP. So, if the host is not accessible from the outside, you must place it in a place like the DMZ, or otherwise forward the ports used by Dionaea, etc. I’d suggest you talk with the person in charge of networking for the organization. Regards.

      Edit: I have read again your previous comment about using Dionaea to monitor traffic from malware *inside* the organization. So, you won’t have to place the host in the DMZ or forward ports, but again you’ll have to talk with the network manager to sort this out. Catching malware in a segmented network with a single Dionaea host is difficult of course, so I guess you will most likely end up using many Dionaea hosts (for example one in each VLAN) and monitor all of them with a tool like SURFids.

  • George

    Hi Ion,

    Thank you very much for your answer.

    I have installed Dionaea on three different machines with different VLANs, for over a month.
    The problem I have is that they do not capture malware.
    A host only captured a single binary, but after that nothing.

    Regards.

    • http://bruteforce.gr Ion

      Hello George, this could simply mean that there are no malware in the internal network.

      From the result above (mimic-nepstats) it seems that at least a single malware binary (Conficker variant) has managed to penetrate into the network. Because Dionaea only downloads a single instance of each unique malware sample, check the SQLite database to see if your system receives new connections from it, but since it already has the sample it does not download it again. If this is the case, it means that there are some computers (at least x.x.x.1 and x.x.x.2) infected from that specific worm and that is all. No other malware exists inside the specific network/VLAN or no other malware tries to spread itself and that’s why Dionaea hasn’t catch anything else.

      Regards.

  • Pingback: Hack.lu 2012 Wrap-Up Day #2 | /dev/random()

  • George

    Hi Ion,

    Please, I have another question.
    The binaries captured by Dionaea are stored in “/opt/dionaea/var/dionaea/binaries/”. However, there is another directory called “/opt/dionaea/var/dionaea/bistreams/”. What good is this directory? What data is stored here?

    Regards.

    • http://bruteforce.gr Ion

      Hello George.

      The bistreams folder contain the bidirectional streams, ie what data went in and out of the honeypot for each attack. They are saved in a special format and can be replayed with a tool like tcpreplay (haven’t tried it myself though).

      Regards.

  • Erik Giraldo

    Hello Ion, hope you still paying attention to this post. I’m a little lost with Dionaea, what I need is to setup a honeynet, collect data and import it to somewhere else. What I can see in the basic configuration for Dionaea I can see I can emulate some services, but, I want to know if there is a deeper tutorial in how to use all the sections of dionaea.conf and also if Dionaea is a good choice for a Honeynet.

    • http://bruteforce.gr/ Ion

      Hello Erik. Yes I am always paying attention to honeypot-related topics :)

      First things first, about Dionaea, the config file I think is mostly self-explanatory inside. I don’t have any great tips to offer you, except to read the comments inside and perhaps the documentation (there is not much though).

      Having said that about Dionaea, let’s go the Honeynet issue. You see, a honeynet is mostly a type of architecture and it belongs to the class of High Interaction honeypots. Now, the problem is that Dionaea is not a high interaction but rather a medium interaction honeypot. FYI, the only thing you can do with Dionaea is to effectivelly store locally malicious binary samples. If that’s all you want to accomplish, then fine. But, if you want more, you’ll have to look for other solutions in the field of honeynets/high interaction honeypots. If that is the case let me suggest these resources:
      http://old.honeynet.org/papers/honeynet/
      https://projects.honeynet.org/honeywall/
      http://seat.massey.ac.nz/projects/honeynet/honeynet.htm

      Let me know if that helps you.
      Regards.

      • emgiraldo

        Hell Ion, thanks a lot for your answer. According to the http://seat.massey.ac.nz/projects/honeynet/honeynet.htm, a medium interactive honypot go a little bit further and allows the attacker to interact more with the emulated services, from this point of view whata I want is to extract usefull information about the steps that an attacker follows for exploiting a vulnerability. By using Dionaea, couldnt I get this information? Does not dionaea emulates services and stores useful information in sql lite and a log file? Could I extract the information from these data stores? According to this, you definitely recommend me to setup a hight interactive honepot? Thanks a lot for your reply and the attention payed.

      • http://bruteforce.gr/ Ion

        Hello again.

        Hm, it all depends on what you are trying to accomplish.

        Yes, Dionaea can interact with the attacker, in the sense that it can reply and send back specially crafted packages that emulate those of a real service/protocol (in our case mostly SMB/CIFS). BUT, bare in mind that in Dionaea’s case the “attacker” is not human 9.9 out of 10 times, but rather a self-propagating worm like Conficker. So, you can get this info you say above (see the “Logging” section on Dionaea’s page: dionaea.carnivore.it for an example) but you have to know what you end up with (ie mostly the same type of SMB exploit over and over and over again, not anything fancy). As I said, Dionaea is used mostly to catch malware and store them locally for further analysis by malware analysts etc.

        To really monitor human attackers you can setup high interaction honeypots that captures everything (using the honeywall Roo CDROM etc), or even medium interaction honeypots like Kippo SSH honeypot (and utilize the visualization tools I have written as well - by the way Dionaea also has a good visualization tool, see this:http://bruteforce.gr/visualizing-dionaeas-results-with-dionaeafr.html).

        Regards.

  • Guest

    fg

  • Guest

    Can we install Dionaea by quick install (PPA) and instal DionaeaFR ?
    Does it works correctly?

  • shahrooz

    Hi ion,

    Can we install Dionaea by quick install (PPA) and instal DionaeaFR ?
    Does it works correctly?

    • http://bruteforce.gr/ Ion

      Hi Shahrooz, yes there is a PPA available, see instructions here: http://devwerks.net/2013/03/10/install-dionaea-on-ubuntu-12-04-lts-precise-pangolin/

      Regards,
      Ion

      • shahrooz

        Dear Ion, Thanks a lot for your answer!

        I installed Dionaea by PPA & It’s working.

        Now, I want to do some malware analysis! Is there any simple way to collect the malware such as that PPA? I coudn’t implement any sandbox with this PPA dionaea!

        Thanks again.

      • http://bruteforce.gr/ Ion

        Hello shahrooz,

        I don’t quite understand what you mean. The simplest way to collect malware with Dionaea is to simple leave it running on your server. Malware will eventually find you.

        BUT, if you want to quickly download various malware binaries to try some malware analysis techniques, it’s faster and better to use a tool like mwcrawler: https://github.com/technoskald/mwcrawler (always inside a VM of course).

        Regards,
        Ion

      • shahrooz

        Dear Ion

        Hi, I implemented Dionaea (by PPA method) and it’s working correctly, but I want to generate some statistics about the malwares that are attacked to my dionaea. I used virustotal, but virustotal didn’t send me any feedback!!!

        1) I am looking for a sandbox that works with my Dionaea to generate some statistcs about the attacks.

        2) I used this command for p0f:
        sudo -k su -c ‘p0f -i any -u root -Q /tmp/p0f.sock -q -l -t -o /var/log/p0f.log -d && chown root:nogroup /tmp/p0f.sock && chmod g+w /tmp/p0f.sock’

        Do you know how to see p0f.sock ? because the Cat command doesn’t show the contents of p0f.sock file!!!

        Thanks a million, I really appreciate your helps.

      • http://bruteforce.gr/ Ion

        Hi shahrooz,

        if you enable submission to automated malware analysis engines like Norman Sandbox and Anubis (in the dionaea.conf file) then you’ll start getting emails back. Of course you should also change the email address in the config file as well, otherwise you are not going to receive any! From my experience, these emails can be slow to receive at first (for example, you can have your honeypot running for a few days, and only start to receive emails afterwards).

        VirusTotal is not the same as the above mentioned sandboxes. First of all make sure that you have entered your VirusTotal API key in the config file and enabled it. Then, VirusTotal results are not going to emailed or shown to you, but they will be logged inside the logsql.sqlite database itself. In order to see those you have to use a tool like PHPLiteAdmin. Make sure to install this in order to be able to see the database results.

        p0f results are also logged inside this SQLite DB as well, you don’t need to check any separate files (especially not the sock file, this is not readable — the only file that has some value for you and you can see e.g. with tail -f, is the /var/log/p0f.log).

        Regards,
        Ion

      • shahrooz

        Dear Ion,

        Thanks a million for all of your helps. I really appreciate it.

        My Dionaea is operating for a week. Now, I see thousands of attacks (Attack IDs) to my dionaea in my dionaea log file and Bistream directory also, but I don’t know why my Binaries directory is empty? Does it mean the attackers can easily detect my honeypot?

        On one hand, attackers attack my system, on the other hand I don’t see any binaries !!!!

        I am running my Dionaea over VMware and I put it in the DMZ of my home ADSL modem!

        Thanks again,

        Regards,

        Shahrooz

      • http://bruteforce.gr/ Ion

        Hi Shahrooz,

        I think that this is happening because many ISPs block public access to port 445 (used by SMB/CIFS, and is the main way Dionaea gathers malware). I had the same problem once.

        It’s better to setup Dionaea on a VPS. You can find cheap ones online for that.

        Regards, Ion.

      • shahrooz

        Dear Ion

        Thanks a million for your helps.

        I faced a wired problem, My Dionaea is working correctly over VPS now and it’s collecting the attack information in the log files, and Sandboxes are informing me about binary attacks, but my logsql.sqlite file is almost empty, some important tables such as “Connection” table is completely empty, but “dcerpcserviceops” table have some data.

        Have you faced a problem like this, or do you have any experience about this issue.

        Regards,
        Shahrooz

      • http://bruteforce.gr/ Ion

        Hi Shahrooz,

        nice to hear that your system is actually working :)

        For the problem you are mentioning, first make sure that you have enabled sqlite logging in Dionaea’s config file. It should be in the “ihandlers” section I think. Check it and let us know.

        Regards, Ion.

      • shahrooz

        Hi Ion

        Thanks to you because of your helps and supports.

        sqlite logging is enabled in ihandler, but the problem is strange, because logsql.sqlite is not empty!!!

        Some tables like dcerpcserviceops are full of records,but some important tables such as connection table is empty.

        Regards,
        Shahrooz

  • Jeremy

    Is there a tutorial that shows how to use Dionaea once it is installed? I have installed Dionaea in a test environment and I have had success
    getting it to start. With that said however I have received the
    following errors when I do run it:

    processor processor.c:346-warning: bistreams/2013-10-1 bistreams/%Y-%m-%d/

    python module.c:330-warning start module.c (needs to be started? how?)

    ihandlers dionaea/ihandlers.py:60-
    warning: START THE IHANDLERS (uncommented the “//” in the .conf still getting this error)

    log signals.c:48-warning: sigint_cb loop0xb7745440 w 0xa015c00 revents 1024

    chroot root has to match workingdir, try -r /var/dionaea/ (tried following this, still get the same error message)

    Additionally I would like to know how to read the output of Dionaea in SQLite. I appreciate in advance any advice/guidance

    • http://bruteforce.gr/ Ion

      Hi Jeremy, thanks for your message.

      Unfortunately I’m not able to provide much assistance with your errors, it’s the first time I see them.

      When running Dionaea though (and provided that you’ve installed correctly), here are some general guidelines:

      A) Edit the config file and take care of these:
      1) Change the logging levels to “all,-debug”.
      2) Enter your own email in the associated field in order to receive results from automated malware identification engines (Norman Sandbox, Anubis, etc).
      3) Uncomment the following ihandlers: logsql, p0f.
      4) (if needed) Go up and change the networking mode to “manual” and then enter your correct network interface in the addrs field, eg eth0 = [“0.0.0.0”].

      B) Start p0f first:
      p0f -i any -Q /tmp/p0f.sock -l -d -o /var/log/p0f.log

      C) Start Dionaea:
      /opt/dionaea/bin/dionaea -D -l all,-debug -L ‘*’ –p /opt/dionaea/var/run/dionaea.pid

      You can then monitor its operation by tailing p0f’s log for example:
      tail -f /var/log/p0f.log

      Also, in order to see the contents of Dionaea’s SQLite database you can use a program like PHPLiteAdmin. Download it, place it in your server’s document root and then edit the source to make it look for databases where Dionaea’s logsql.sqlite file resides. Otherwise you can use DionaeaFR: http://bruteforce.gr/visualizing-dionaeas-results-with-dionaeafr.html

      If everything else fails, you can always use HoneyDrive 0.2, which has all the above already installed and preconfigured :)

      Regards,
      Ion

  • DiBa

    Hello,

    I am trying to trigger a file download in dionaea but whatever exploits i throw at it i cannot seem to succeed. I have received files from attackers but i want to simulate it through metasploit.
    Can anyone help?

    Thanks.

  • Saurabh Chamotra

    hii i am using the multiple deployments of dionaea , i need help in merging and creating a unified database at a central location
    .Kindly suggest me how to address this problem

    • http://bruteforce.gr/ Ion

      Hi, Dionaea writes to a local sqlite database. So you can’t actually use a centralized db. What you can do is: a) take a bunch of local sqlite dbs and merge them together afterwards (not sure if it will be fast, easy, etc or not — you’ll have to figure out how to preserve ids/keys), b) write code to add a MySQL/other database logger, and then just configure many instances to send to the same server.

      • Saurabh Chamotra

        well that’s what exactly i am thinking to do ! Adding a key to uniquely identify the dionaea nodes .Also do u have any idea about the nature of traltion between the three dionanea tables
        1)mysql_commands 2) mysql_command_args 3)mysql_command_ops

More in Honeypots, Malware
Kippo-Graph 0.6.2 released.
Kippo reveals itself with ‘w’ and ‘uptime’ commands
Kippo2MySQL v0.1.1 update
Kippo-Graph and Kippo2MySQL update
Kippo2MySQL v0.1, populate a MySQL DB with data from Kippo logs!
Close