Monday, August 30, 2010

Dionaea, First Impressions

Dionaea is a new honeypot application, the successor to Nepenthes, a low-interaction honeypot. Dionaea is still a bit rough around the edges. The compiling and installation instructions are quite good, but I would not perform the optional OpenSSL step via CVS on a Debian or Ubuntu distribution: when I did, I got a segmentation fault in the libcrypto.so library. I did get Dionaea to work on the second attempt, on a clean Ubuntu 10.04 x86_64 virtual machine. Installing the OS and the application takes about 1.5 hours. I am having trouble accessing the SQLite database. The readlogsqltree.py script runs once you copy the modules directory from where you built it into the /opt/dionaea directory and point the script to that location; however, I got no output and no errors. Documentation is almost nonexistent, since the application is essentially still alpha code. The honeypot is working according to dionaea.log, but the dionaea.log file is even more cryptic than nepenthes.log.

Here are some preliminary data:

grep established dionaea.log | grep -v debug | grep -v 192.168.1.8 | awk '{ print $1, $2, $8 }' | uniq -c | sort -n | grep -v established | grep -v binding.c
1 [29082010 16:37:39] [192.168.1.12:135->71.53.70.248:1861]
1 [29082010 16:37:40] [192.168.1.12:135->71.53.70.248:1861]
1 [29082010 16:37:40] [192.168.1.12:135->71.53.70.248:2047]
1 [29082010 16:37:40] [192.168.1.12:135->71.53.70.248:2047]
1 [29082010 16:37:40] [192.168.1.12:59895->71.53.70.248:0]
1 [29082010 16:38:14] [192.168.1.12:445->71.123.126.104:3062]
1 [29082010 20:38:58] [192.168.1.12:80->77.220.185.190:59894]
1 [29082010 20:38:59] [192.168.1.12:80->77.220.185.190:59894]
1 [29082010 21:38:15] [192.168.1.12:1957->71.123.126.104:3865]
1 [29082010 21:38:16] [192.168.1.12:1957->71.123.126.104:3865]
1 [29082010 21:38:16] [192.168.1.12:40904->]
1 [29082010 21:38:16] [192.168.1.12:40904->71.123.126.104:22352]
1 [29082010 21:38:16] [192.168.1.12:445->71.123.126.104:3062]
1 [29082010 21:38:26] [192.168.1.12:40904->71.123.126.104:22352]
1 [29082010 21:39:40] [192.168.1.12:59895->71.53.70.248:69]
1 [29082010 21:44:38] [192.168.1.12:445->71.97.10.85:50973]
1 [29082010 21:44:40] [192.168.1.12:445->71.97.10.85:50973]
1 [29082010 21:52:07] [192.168.1.12:135->222.186.27.80:4716]
1 [29082010 21:52:08] [192.168.1.12:135->222.186.27.80:4716]
2 [29082010 16:37:39] [192.168.1.12:135->71.53.70.248:1796]
2 [29082010 16:37:40]
2 [29082010 16:38:14] [192.168.1.12:445->71.123.126.104:2950]
2 [29082010 20:38:38] [192.168.1.12:80->77.220.185.190:56928]
2 [29082010 20:38:38] [192.168.1.12:80->77.220.185.190:56979]
2 [29082010 20:38:39] [192.168.1.12:80->77.220.185.190:57031]
2 [29082010 20:38:39] [192.168.1.12:80->77.220.185.190:57084]
2 [29082010 20:38:39] [192.168.1.12:80->77.220.185.190:57140]
2 [29082010 20:38:40] [192.168.1.12:80->77.220.185.190:57199]
2 [29082010 20:38:40] [192.168.1.12:80->77.220.185.190:57256]
2 [29082010 20:38:41] [192.168.1.12:80->77.220.185.190:57312]
2 [29082010 20:38:41] [192.168.1.12:80->77.220.185.190:57364]
2 [29082010 20:38:41] [192.168.1.12:80->77.220.185.190:57419]
2 [29082010 20:38:42] [192.168.1.12:80->77.220.185.190:57475]
2 [29082010 20:38:42] [192.168.1.12:80->77.220.185.190:57523]
2 [29082010 20:38:43] [192.168.1.12:80->77.220.185.190:57583]
2 [29082010 20:38:43] [192.168.1.12:80->77.220.185.190:57643]
2 [29082010 20:38:43] [192.168.1.12:80->77.220.185.190:57704]
2 [29082010 20:38:44] [192.168.1.12:80->77.220.185.190:57762]
2 [29082010 20:38:44] [192.168.1.12:80->77.220.185.190:57817]
2 [29082010 20:38:45] [192.168.1.12:80->77.220.185.190:57873]
2 [29082010 20:38:45] [192.168.1.12:80->77.220.185.190:57934]
2 [29082010 20:38:45] [192.168.1.12:80->77.220.185.190:57987]
2 [29082010 20:38:46] [192.168.1.12:80->77.220.185.190:58045]
2 [29082010 20:38:46] [192.168.1.12:80->77.220.185.190:58101]
2 [29082010 20:38:47] [192.168.1.12:80->77.220.185.190:58161]
2 [29082010 20:38:47] [192.168.1.12:80->77.220.185.190:58214]
2 [29082010 20:38:47] [192.168.1.12:80->77.220.185.190:58262]
2 [29082010 20:38:48] [192.168.1.12:80->77.220.185.190:58322]
2 [29082010 20:38:48] [192.168.1.12:80->77.220.185.190:58373]
2 [29082010 20:38:49] [192.168.1.12:80->77.220.185.190:58447]
2 [29082010 20:38:49] [192.168.1.12:80->77.220.185.190:58505]
2 [29082010 20:38:49] [192.168.1.12:80->77.220.185.190:58565]
2 [29082010 20:38:50] [192.168.1.12:80->77.220.185.190:58626]
2 [29082010 20:38:50] [192.168.1.12:80->77.220.185.190:58681]
2 [29082010 20:38:51] [192.168.1.12:80->77.220.185.190:58735]
2 [29082010 20:38:51] [192.168.1.12:80->77.220.185.190:58793]
2 [29082010 20:38:51] [192.168.1.12:80->77.220.185.190:58850]
2 [29082010 20:38:52] [192.168.1.12:80->77.220.185.190:58909]
2 [29082010 20:38:52] [192.168.1.12:80->77.220.185.190:58964]
2 [29082010 20:38:53] [192.168.1.12:80->77.220.185.190:59024]
2 [29082010 20:38:53] [192.168.1.12:80->77.220.185.190:59080]
2 [29082010 20:38:53] [192.168.1.12:80->77.220.185.190:59133]
2 [29082010 20:38:54] [192.168.1.12:80->77.220.185.190:59201]
2 [29082010 20:38:54] [192.168.1.12:80->77.220.185.190:59250]
2 [29082010 20:38:55] [192.168.1.12:80->77.220.185.190:59310]
2 [29082010 20:38:55] [192.168.1.12:80->77.220.185.190:59371]
2 [29082010 20:38:55] [192.168.1.12:80->77.220.185.190:59429]
2 [29082010 20:38:56] [192.168.1.12:80->77.220.185.190:59490]
2 [29082010 20:38:56] [192.168.1.12:80->77.220.185.190:59544]
2 [29082010 20:38:56] [192.168.1.12:80->77.220.185.190:59600]
2 [29082010 20:38:57] [192.168.1.12:80->77.220.185.190:59656]
2 [29082010 20:38:57] [192.168.1.12:80->77.220.185.190:59714]
2 [29082010 20:38:58] [192.168.1.12:80->77.220.185.190:59773]
2 [29082010 20:38:58] [192.168.1.12:80->77.220.185.190:59834]
2 [29082010 20:38:59] [192.168.1.12:80->77.220.185.190:59963]
2 [29082010 20:38:59] [192.168.1.12:80->77.220.185.190:60017]
2 [29082010 20:39:00] [192.168.1.12:80->77.220.185.190:60078]
2 [29082010 20:39:00] [192.168.1.12:80->77.220.185.190:60131]
2 [29082010 20:39:00] [192.168.1.12:80->77.220.185.190:60187]
2 [29082010 20:39:01] [192.168.1.12:80->77.220.185.190:60250]
2 [29082010 20:39:01] [192.168.1.12:80->77.220.185.190:60313]
2 [29082010 20:39:02] [192.168.1.12:80->77.220.185.190:60373]
2 [29082010 20:39:02] [192.168.1.12:80->77.220.185.190:60431]
2 [29082010 20:39:02] [192.168.1.12:80->77.220.185.190:60491]
2 [29082010 20:39:03] [192.168.1.12:80->77.220.185.190:60553]
2 [29082010 20:39:03] [192.168.1.12:80->77.220.185.190:60614]
2 [29082010 20:39:04] [192.168.1.12:80->77.220.185.190:60676]
2 [29082010 20:39:04] [192.168.1.12:80->77.220.185.190:60745]
2 [29082010 20:39:05] [192.168.1.12:80->77.220.185.190:60805]
2 [29082010 20:39:05] [192.168.1.12:80->77.220.185.190:60867]
2 [29082010 20:39:05] [192.168.1.12:80->77.220.185.190:60925]
2 [29082010 20:39:06] [192.168.1.12:80->77.220.185.190:32812]
2 [29082010 20:39:06] [192.168.1.12:80->77.220.185.190:32871]
2 [29082010 20:39:06] [192.168.1.12:80->77.220.185.190:60990]
2 [29082010 20:39:07] [192.168.1.12:80->77.220.185.190:32935]
2 [29082010 20:39:07] [192.168.1.12:80->77.220.185.190:32999]
2 [29082010 20:39:08] [192.168.1.12:80->77.220.185.190:33061]
2 [29082010 20:39:08] [192.168.1.12:80->77.220.185.190:33120]
2 [29082010 20:39:08] [192.168.1.12:80->77.220.185.190:33177]
2 [29082010 20:39:09] [192.168.1.12:80->77.220.185.190:33233]
2 [29082010 20:39:09] [192.168.1.12:80->77.220.185.190:33302]
2 [29082010 20:39:10] [192.168.1.12:80->77.220.185.190:33369]
2 [29082010 20:39:10] [192.168.1.12:80->77.220.185.190:33427]
2 [29082010 20:39:11] [192.168.1.12:80->77.220.185.190:33497]
2 [29082010 20:39:11] [192.168.1.12:80->77.220.185.190:33556]
2 [29082010 20:39:11] [192.168.1.12:80->77.220.185.190:33614]
2 [29082010 20:39:12] [192.168.1.12:80->77.220.185.190:33674]
2 [29082010 20:39:12] [192.168.1.12:80->77.220.185.190:33732]
2 [29082010 20:39:13] [192.168.1.12:80->77.220.185.190:33795]
2 [29082010 20:39:13] [192.168.1.12:80->77.220.185.190:33855]
2 [29082010 20:39:13] [192.168.1.12:80->77.220.185.190:33914]
2 [29082010 20:39:14] [192.168.1.12:80->77.220.185.190:33977]
2 [29082010 20:39:14] [192.168.1.12:80->77.220.185.190:34039]
2 [29082010 20:39:15] [192.168.1.12:80->77.220.185.190:34102]
2 [29082010 20:39:15] [192.168.1.12:80->77.220.185.190:34161]
2 [29082010 20:39:15] [192.168.1.12:80->77.220.185.190:34221]
2 [29082010 20:39:16] [192.168.1.12:80->77.220.185.190:34282]
2 [29082010 20:39:16] [192.168.1.12:80->77.220.185.190:34341]
2 [29082010 20:39:17] [192.168.1.12:80->77.220.185.190:34406]
2 [29082010 20:39:17] [192.168.1.12:80->77.220.185.190:34467]
2 [29082010 20:39:17] [192.168.1.12:80->77.220.185.190:34525]
2 [29082010 20:39:18] [192.168.1.12:80->77.220.185.190:34592]
2 [29082010 20:56:51] [192.168.1.12:80->64.126.23.234:53897]
2 [29082010 21:44:38] [192.168.1.12:445->71.97.10.85:50969]
2 [29082010 23:20:25] [192.168.1.12:1433->61.164.148.33:5002]

grep established dionaea.log | grep -v debug | grep -v 192.168.1.8 | awk '{ print $1, $2, $8 }' | uniq -c | sort -n | grep -v established | grep -v binding.c | grep 77.220.185.190 | wc -l
102

IP address 77.220.185.190 performed 102 attacks on port 80 in 40 seconds. It was obviously an automated attack, but I have no idea what tool performed the attack. The IP address maps to Moscow, Russia at the MNOGOBYTE colocation service.
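As an added example (not part of the original post), here is the same filtering the grep/awk/uniq pipeline above does, written in Python so that per-source counts and the time span of a burst like the one from 77.220.185.190 fall out directly and can be flagged automatically. The log lines are constructed to match the field layout shown above, not copied from a real dionaea.log, and the exact message text around the [local->remote] tuple is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed lines in the shape of dionaea.log "established" entries shown in the
# post ([DDMMYYYY HH:MM:SS] ... [local:port->remote:port]); not from a real log.
SAMPLE_LOG = """\
[29082010 20:38:38] connection connection.c:1-info: connection established [192.168.1.12:80->77.220.185.190:56928]
[29082010 20:38:39] connection connection.c:1-info: connection established [192.168.1.12:80->77.220.185.190:57031]
[29082010 20:38:40] connection connection.c:1-debug: connection established [192.168.1.12:80->77.220.185.190:57199]
[29082010 20:39:18] connection connection.c:1-info: connection established [192.168.1.12:80->77.220.185.190:34592]
[29082010 21:38:16] connection connection.c:1-info: connection established [192.168.1.12:40904->]
[29082010 21:44:38] connection connection.c:1-info: connection established [192.168.1.12:445->71.97.10.85:50973]
[29082010 21:52:07] connection connection.c:1-info: connection established [192.168.1.12:135->192.168.1.8:4716]
"""

LINE_RE = re.compile(r"^\[(?P<ts>\d{8} \d{2}:\d{2}:\d{2})\] .*?established "
                     r"\[[\d.]+:(?P<lport>\d+)->(?P<rip>[\d.]+):\d+\]")

def parse_established(text, ignore_ips=("192.168.1.8",)):
    """Yield (timestamp, local_port, remote_ip); like the post's pipeline it drops debug lines, the author's own host, and malformed '->]' tuples."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if "-debug:" in line or not m or m.group("rip") in ignore_ips:
            continue
        ts = datetime.strptime(m.group("ts"), "%d%m%Y %H:%M:%S")
        yield ts, int(m.group("lport")), m.group("rip")

def max_in_window(stamps, seconds):
    """Largest number of sorted timestamps inside any window of `seconds`."""
    best = start = 0
    for end in range(len(stamps)):
        while (stamps[end] - stamps[start]).total_seconds() > seconds:
            start += 1
        best = max(best, end - start + 1)
    return best

def summarize(text, burst_count=50, burst_seconds=60):
    """Group connections by (remote_ip, local_port); flag automated bursts."""
    groups = defaultdict(list)
    for ts, lport, rip in parse_established(text):
        groups[(rip, lport)].append(ts)
    summary = {}
    for key, stamps in groups.items():
        stamps.sort()
        summary[key] = {"count": len(stamps),
                        "span_seconds": (stamps[-1] - stamps[0]).total_seconds(),
                        "burst": max_in_window(stamps, burst_seconds) >= burst_count}
    return summary
```

Point it at the real file with `summarize(open("dionaea.log").read())`; the thresholds are sliding-window values, so 102 connections in 40 seconds trips the default 50-per-minute rule.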

grep sip dionaea.log
[29082010 19:50:44] sip dionaea/sip.py:827-info: SIP Session created
[29082010 19:50:44] sip dionaea/sip.py:801-debug: ('192.168.1.12', 5060, '202.103.52.147', 5060): b'OPTIONS sip:100@ SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.9:5060;branch=z9hG4bK-24798344;rport\r\nContent-Length: 0\r\nFrom: "sipsscuser"; tag=47165868797092908688927622311368018385018985010\r\nAccept: application/sdp\r\nUser-Agent: sundayddr\r\nTo: "sipssc"\r\nContact: sip:100@192.168.1.9:5060\r\nCSeq: 1 OPTIONS\r\nCall-ID: 267264826399318751054824843\r\nMax-Forwards: 70\r\n\r\n'
[29082010 19:50:44] sip dionaea/sip.py:1072-info: Received OPTIONS
[29082010 19:50:44] sip dionaea/sip.py:898-debug: Sending message "SIP/2.0 200 OK
To: "sipsscuser"; tag=47165868797092908688927622311368018385018985010
From: 100
Contact: 100
[29082010 19:50:44] sip dionaea/sip.py:962-debug: io_in: returning 409
[30082010 01:15:34] sip dionaea/sip.py:827-info: SIP Session created
[30082010 01:15:34] sip dionaea/sip.py:801-debug: ('192.168.1.12', 5060, '125.88.105.44', 5060): b'OPTIONS sip:100@ SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.9:5060;branch=z9hG4bK-13198307;rport\r\nContent-Length: 0\r\nFrom: "sipsscuser"; tag=19358999374944096893129611830352363137663012687\r\nAccept: application/sdp\r\nUser-Agent: sundayddr\r\nTo: "sipssc"\r\nContact: sip:100@192.168.1.9:5060\r\nCSeq: 1 OPTIONS\r\nCall-ID: 267264826399345328022532865\r\nMax-Forwards: 70\r\n\r\n'
[30082010 01:15:34] sip dionaea/sip.py:1072-info: Received OPTIONS
[30082010 01:15:34] sip dionaea/sip.py:898-debug: Sending message "SIP/2.0 200 OK
To: "sipsscuser"; tag=19358999374944096893129611830352363137663012687
From: 100
Contact: 100


Dionaea can handle SIP attacks. Some people in China (202.103.52.147 maps to the CHINANET Hubei province network and 125.88.105.44 maps to the CHINANET Guangdong province network) have modified sipvicious, altered the User-Agent to sundayddr, and are probing various networks looking for private PBXs to hijack.
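An added example (not from the post or from dionaea itself) of picking these probes out of the raw SIP request that dionaea logs: it parses the request line and headers and lists the reasons the message looks like a scanner rather than a phone. The request bytes are constructed in the shape of the logged OPTIONS above; the inclusion of friendly-scanner, the stock sipvicious User-Agent, is my addition and not something the post states.

```python
# Constructed SIP OPTIONS request in the shape of the one dionaea logged above;
# header values are made up for the example, not copied from a real probe.
SAMPLE_REQUEST = (
    b"OPTIONS sip:100@ SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.168.1.9:5060;branch=z9hG4bK-00000000;rport\r\n"
    b"Content-Length: 0\r\n"
    b'From: "sipsscuser"; tag=0000000000\r\n'
    b"User-Agent: sundayddr\r\n"
    b'To: "sipssc"\r\n'
    b"Contact: sip:100@192.168.1.9:5060\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"Call-ID: 000000000000000000000000000\r\n\r\n"
)

# User-Agent strings of mass SIP scanners: sundayddr from the post, friendly-scanner
# is the default User-Agent of an unmodified sipvicious.
SCANNER_AGENTS = {"sundayddr", "friendly-scanner"}

def parse_sip_request(raw):
    """Split a raw SIP request into (method, request_uri, headers); header names lower-cased."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    if version != "SIP/2.0":
        raise ValueError("not a SIP/2.0 request line: " + lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers

def via_host(via):
    """Host the top Via header claims the request was sent from ('SIP/2.0/UDP host:port;...')."""
    sent_by = via.split(None, 1)[1].split(";", 1)[0]
    return sent_by.rsplit(":", 1)[0]

def scanner_indicators(raw, src_ip):
    """Return the list of reasons a request looks like an automated PBX probe."""
    method, uri, h = parse_sip_request(raw)
    reasons = []
    ua = h.get("user-agent", "")
    if ua.lower() in SCANNER_AGENTS:
        reasons.append("known scanner User-Agent: " + ua)
    if method == "OPTIONS" and uri.endswith("@"):
        reasons.append("OPTIONS with empty host part in request-URI")
    via = h.get("via")
    if via and via_host(via) != src_ip:
        reasons.append("Via host %s does not match packet source %s" % (via_host(via), src_ip))
    return reasons
```

The third indicator is the one visible in the log above: the Via header names 192.168.1.9 while the datagram actually came from 202.103.52.147.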

Dionaea is quite promising, but it's still very much a work in progress. It'll be a while before there's a Debian or RPM binary package for it.

Comments:
Hi,
I'm aware of the cryptic nature of text logs.
Try readlogsql, for more information on the internal sqlite db: http://carnivore.it/start?btng[post][tags]=sqlite

Markus
 
Dear Markus,

Thanks for the tip. You need to edit the /etc/logrotate.d/dionaea example configuration in your blog and add
copytruncate to it. When dionaea creates new log files and rotates the old ones it seems to be unable to write to the new log files. I'm testing that tweak now. I'm also checking out sqliteman that your blog recommended, but I'm a neophyte when it comes to querying databases. And I've signed up for your dionaea mailing list, but it's oddly quiet. Maybe I goofed up the registration.

John
 
For logrotate, either copytruncate, or making sure the directory dionaea writes to is owned by the user you change to, should be mentioned in the docs.

For sql, start with readlogsqltree.py (in modules/python/util).

./readlogsqltree.py -t $(date '+%s')-7*24*3600 /opt/dionaea/var/dionaea/logsql.sqlite

will show the attacks for the last 24 hours, nicely structured; at least that's the idea.

For the ml, it is ultra low volume, yes, nothing I could change anyway.


Markus
 
Markus,

Thank you. You've been more than helpful. I'll provide feedback shortly.

Sincerely,

John
 
Markus,

The program's h option states that using the r option for the chroot environment makes writing entries into the sqlite database difficult, yet when I leave off the r option, I've discovered that no logging occurs whatsoever. No further entries are written to the dionaea.log file after initial startup, which is even more annoying. I need to play around with the application some more obviously.

John
 
If you change user, make sure the user you change to is allowed to write *all* directories where dionaea usually writes to.

Else, you HUP dionaea and remove the logfile, dionaea closes the logfile, and can't open a new one.
 
Dear Markus,

My main problem was not removing the logfile after giving the app the HUP signal. The app is writing to both log files and the sqlite database now which is a relief. I was worried that I had botched the installation.

Thanks for taking the time to troubleshoot the issue,

John
 
This is the script I'm running every 10 mins on crontab

#!/bin/sh
# This is a script that will grep a log file and send an email when a specified pattern is encountered.
# Author: Salman Bayat
# Dump the current contents of the sqlite log (python path as in the original post)
errors=$(/home//python/Python-3.2.2/python /opt/dionaea/bin/readlogsqltree /opt/dionaea/var/dionaea/logsql.sqlite)
echo "$errors" > /tmp/current-errors.log

# First run: create an empty baseline file to diff against
if [ -e "/tmp/prior-errors.log" ]
then echo "prior-errors.log Exists" > /dev/null
else
touch /tmp/prior-errors.log && echo "" > /tmp/prior-errors.log
fi

# Added lines only: in a unified diff they start with '+' followed by a digit (a timestamp),
# which also skips the '+++' file header and '@@' hunk lines
newentries=$(diff -u /tmp/prior-errors.log /tmp/current-errors.log | grep '^+[0-9]')

if
test "$newentries" != "" && test "$errors" = ""
then echo "No New Errors" > /dev/null
elif
test "$newentries" != ""
# the recipient address goes after the subject; it was left off in the posted script
then echo "$errors" | mail -s "WARNING:Private Home Honeypot "
echo "$errors" > /tmp/prior-errors.log
fi
 
This little script works nicely; it sends me an email of the output of readlogsqltree.py. I run a cron every 5 mins (home private network sensor for me) for an immediate alert.