«

»

Jan 08 2012

Some Dionaea statistics

Categories:

Honeypots, Malware, Visualization

by Ion

I thought I should share some statistics from the Dionaea honeypot, after ~4 days of operation.

My dionaea.log file is around 135MB, the SQLite database is around 68MB, and the system downloaded 45MB of malware. Automatic uploading to VirusTotal did not work for some reason though.

Using Infosanity’s script , here is the output:

python mimic-nepstats.py
Statistics engine written by Andrew Waite - www.infosanity.co.uk
Number of submissions: 21923
Number of unique samples: 205
Number of unique source IPs: 473
First sample seen: 2012-01-04 22:50:12.268572
Last sample seen: 2012-01-08 23:18:50.717549
System Uptime: 4 days, 0:28:38.448977
Average daily submissions: 5480
Most recent submissions:
2012-01-08 23:18:50.717549, 77.253.165.169, http://77.253.165.169:6015/fdqnmrfc, 78c9042bbcefd65beaa0d40386da9f89
2012-01-08 23:18:40.942690, 89.132.115.66, http://89.132.115.66:6028/bfnmzb, 0c059b0d1d5a03f69a21185987c17d5c
2012-01-08 23:18:27.638438, 186.92.211.27, http://186.92.211.27:3229/mxxyknng, 393e2e61ff08a8f7439e3d2cfcb8056f
2012-01-08 23:18:10.518064, 178.151.189.78, http://178.151.189.78:7117/pasxx, 9500da313ac9708847c5f920325027e3
2012-01-08 23:17:23.842580, 77.253.165.169, http://77.253.165.169:6015/fdqnmrfc, 78c9042bbcefd65beaa0d40386da9f89

And here are the results of the gnuplotsql script:

./python3.2 gnuplotsql -d /opt/dionaea/var/dionaea/logsql.sqlite -p smbd -p epmapper -p mssqld -p httpd -p ftpd

Related posts:

  1. Starting with Dionaea malware honeypot
  2. Dionaea-Vagrant demo
  3. Visualizing Dionaea’s results with DionaeaFR
  4. Vagrant configuration for Dionaea malware honeypot
  5. Dionaea-Vagrant

Tags:

  • Pingback: Securing a server with Artillery » BruteForce Lab's Blog()

  • Will

    Quick results! Can I ask if you did anything to generate traffic? I have been running a honeypot for a while now (1-2 months) and it has far fewer hits. And certainly far far fewer binary downloads.

    • Ion

      Hello Will. No, nothing in particular. Have you setup the honeypot on a VPS? Because I think some ISPs might filter certain ports if it is home based. Other than that, I wonder whether IP/address space plays a role but I don’t have any info on that.

  • haisu

    when i run gnuplotsql as
    ./python3.2 /opt/dionaea/modules/python/util/gnuplotsql.py -d /home/haisu/logsql.sqlite -p smbd -p epmapper -p mssqld -p httpd -p ftpd

    then ,error
    root@honeypot2:/opt/dionaea/bin# ./python3.2 /opt/dionaea/modules/python/util/gnuplotsql.py -d /home/haisu/logsql.sqlite -p smbd -p epmapper -p mssqld -p httpd -p ftpd
    Traceback (most recent call last):
    File “/opt/dionaea/modules/python/util/gnuplotsql.py”, line 3, in
    import sqlite3
    File “/opt/dionaea/lib/python3.2/sqlite3/__init__.py”, line 23, in
    from sqlite3.dbapi2 import *
    File “/opt/dionaea/lib/python3.2/sqlite3/dbapi2.py”, line 26, in
    from _sqlite3 import *
    ImportError: No module named _sqlite3

    i have install sqlite 3 aready.but why ?

    • Ion

      Hello Haisu. It worked fine for me (Ubuntu 11.04 32 bit) so I’m not entirely sure.
      According to this: http://comments.gmane.org/gmane.comp.python.db.sqlite.user/304
      you will have to install the libsqlite3-dev package and perhaps recompile Python 3.2 afterwards (see: http://dionaea.carnivore.it/#install_python). That’s all the help I can offer right now.

  • Carlos AG

    Hi, great post. May I ask you something?

    I have deployed several honeypots on vps in different ISPs on different locations (Europe, Asia and America) for a thesis project

    After a week, I have connections, but no binaries. I wonder If I have doing something wrong or this is just a matter of luck. Apparentyl It’s running fine.. I have dionaea with p0f and both work together with no errors.

    From my laptop I have tried an automated vulnerabilities scan with metasploit but after scan says “7 services runnning, 0 vulnerabilities identified”, which sounds wierd to me because I though it would be easily exploitable.

    Could you give me a hand?

    Thanks

  • Carlos AG

    Hi, great post. May I ask you something?

    I have deployed several honeypots on vps in different ISPs on different locations (Europe, Asia and America) for a thesis project

    After a week, I have connections, but no binaries. I wonder If I have doing something wrong or this is just a matter of luck. Apparentyl It’s running fine.. I have dionaea with p0f and both work together with no errors.

    From my laptop I have tried an automated vulnerabilities scan with metasploit but after scan says “7 services runnning, 0 vulnerabilities identified”, which sounds wierd to me because I though it would be easily exploitable.

    Could you give me a hand?

    Thanks

    • Ion

      Hello Carlos, thanks for your interest. It’s strange that you receive no binaries. It has been some time since I have last deployed Dionaea into production mode but I remember something similar happening once. It turned out that worms were offering binaries but my system was unable to get them because it was missing some packages. Those in question were the well-known curl utility and also the libcurl package if I remember correctly. Check that you have both. Regards.

      • Carlos AG

        Hi Ion, thanks for replying.
        Yes, I have curl and libcurl3 installed.

        This is the script I used to install dionaea in every vps.
        http://pastebin.com/zCbDpkL9
        The script is very straightforward, but…

      • Ion

        Hello Carlos, any updates on your issue? Have you managed to find the problem yet? Regards.

      • Carlos AG

        I Ion thanks for asking, yes, now my honeypot is capturing :). I updated packages on my install script and reinstall all from scratch and it started capturing soon. I don’t think that outdated packages were the problem, but it worked for me.

        Now I have a lot of samples, but the wierd thing is that most of them, even flagged as Win32 EXE and detected as malicious by VT, cannot run if I add .exe extension. My goal was capture malware ans see how they behave in “real” enviorment, but most of them looks junk. Is this normal?

      • Ion

        Hello Carlos, can you share a screenshot of ‘file *’ executed inside your binaries directory? Are you sure they are executable files and not DLL files? I am saying this because from my experience, 99% of the captured files were variants of the Conficker worm which spreads as a DLL file, hence you cannot run it directly. I suggest you also enable automatic submission to Norman Sandbox, Anubis and VirusTotal inside Dionaea’s config in order to get results. Regards, Ion.

      • Carlos AG

        You are right Ion, most of them are show for example
        0850949288794dc856f1d6bfc841f29b: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows. Now I have found some flagged as (GUI). I’m gonna play with those xD.

        And yes I upload all to VT, it’s a pity that dionaea uses its old API, the new one offers much more heh

        Thanks!

      • Carlos AG

        You are right Ion, most of them are show for example
        0850949288794dc856f1d6bfc841f29b: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows. Now I have found some flagged as (GUI). I’m gonna play with those xD.

        And yes I upload all to VT, it’s a pity that dionaea uses its old API, the new one offers much more heh

        Thanks!

      • xsallowed

        Hi Carlos can you share your installation script!
        I am stuck with same problem

More in Honeypots, Malware, Visualization
Starting with Dionaea malware honeypot
Kippo-Graph 0.6.2 released.
Kippo reveals itself with ‘w’ and ‘uptime’ commands
Kippo2MySQL v0.1.1 update
Kippo-Graph and Kippo2MySQL update
Close