carniwwwhore is meant to be a webinterface for dionaea's postgres database which is fed over xmpp. To start with, you can convert your current logsql sqlite database to postgres, instructions are included. carniwwwhore is written in python2.x using django. If you experience problems following the guide, post a comment with your solution, or at least a good description, so I can update the instructions.
A common problem seems to be understanding the overall setup, so I used asciiflow to brighten the darkness.
created using asciiflow and ditaa.
This post relates to the 'webinterface' box in the diagram, refer to these 'resources' for the other boxes:
aptitude install python-django python-psycopg2 python-numpy python-pygame python-pychart python-pythonmagick
If your distribution lacks a recent django version, try installing a more recent package from your distributions more recent version. Simply grab the package and install using dpkg -i python-django_1.2.3-*_all.deb. Worked fine for me.
For debian lenny, you are lost, as the python version (2.5) is too old.
Install postgres
apt-get install postgresql
create a database user 'xmpp'
sudo -u postgres createuser --no-createdb --encrypted --login --pwprompt --no-createrole --no-superuser xmpp
Allow the database user local login (your config path may differ):
local xmpp xmpp md5 # <- add this line local all all ident
/etc/postgresql/8.4/main/pg_hba.conf
Restart postgres to have the changes taking effekt
sudo /etc/init.d/postgresql restart
Create the database xmpp
sudo -u postgres createdb --owner xmpp xmpp
Create the tables - this requires the pg_schema.sql from a dionaea checkout
psql -U xmpp xmpp < PATH/dionaea/modules/python/util/xmpp/pg_schema.sql
For a start it is possible (and recommended) to convert the logsql database to postgres, this requires a python3 interpreter and py-postgresql which is python3 postgres binding as well as the logsql2postgres script from dionaea/modules/python/util/logsql2postgres.py.
If you lack a sqlite database, you can grab the berlin database from the ftp server to start with some data. Be aware you'll miss some data when using the berlin tables, for example the virustotal database does not even exist in the dump, as it was added later on, and you'll have to run dionaea on the berlin database, so dionaea can update the database to current format and apply some fixes.
It is recommended to copy the database and import the copy, else the database may change during the operation, and get inconsistent. To copy the db, stop dionaea, copy /opt/dionaea/var/dionaea/logsql.sqlite to /tmp and use the copy.
If your distributions lacks, you can refer to dionaeas guide how to install it.
I assume you have python3 installed in /opt/dionaea/ …
wget http://python.projects.postgresql.org/files/py-postgresql-1.0.2.tar.gz tar zxvf py-postgresql-1.0.2.tar.gz cd py-postgresql-1.0.2/ sudo /opt/dionaea/bin/python3 setup.py install
Now we can shovel the data from the logsql.sqlite database to the postgres database, be aware the logsql2postgres script does not allow incremental database updates as it will *clean* all data in the tables. You can even use a remote postgres database etc, just specify the host/username.
time dionaea/modules/python/util/logsql2postgres.py -s localhost -d xmpp -u xmpp -p MYPASSWORD -f /tmp/logsql.sqlite connections dcerpcservices dcerpcrequests downloads emu_profiles p0fs dcerpcserviceops dcerpcbinds offers emu_services mssql_fingerprints logins mssql_commands virustotals virustotalscans
Do not forget to adjust your password in the command, I know it is rather bad having a password visible in the processes list, if you object enough to create a fix, send me a patch.
Depending on the size of your database, this command will take a while, starting with some minutes …
You'll love it, as it requires you to setup an xmpp server, and link dionaea to this xmpp service, so you can connect a backend into this xmpp service which writes the data to the database.
For a guide how to do so, refer to the xmpp server docs.
Be aware the data received by xmpp is only a subset of the data received by logsql.
Adding the missing bits to logxmpp and pg_backend is a 
.
Now we got all requirements fulfilled and can start installing carniwwwhore itself.
mkdir /opt cd /opt git clone git://git.carnivore.it/carniwwwhore.git
Adjust your database settings in settings.py
cp settings.py-example settings.py
editor settings.py
# adjust
# DATABASES = {
# 'default': {
# 'ENGINE': 'django.db.backends.postgresql_psycopg2',
# 'NAME': 'xmpp',
# 'USER' : 'xmpp',
# 'PASSWORD' : 'test',
# }
Start the django webserver:
cd /opt/carniwwwhore python manage.py runserver
point your browser to http://127.0.0.1:8000/dionaea
firefox http://127.0.0.1:8000/dionaea
The 'ore comes with a django.wsgi file, which can be used to run it from apache.
An example Apache config file may look like this:
<VirtualHost *:80> ServerName HOSTNAME:80 ServerAdmin webmaster@localhost Alias /robots.txt /opt/carniwwwhore/template/v2/static/robots.txt Alias /favicon.ico /opt/carniwwwhore/template/v2/static/favicon.ico AliasMatch ^/static/(.*) /opt/carniwwwhore/template/v2/static/$1 <Directory /opt/carniwwwhore/template/v2/static> Order deny,allow Allow from all </Directory> DocumentRoot /var/www WSGIScriptAlias / /opt/carniwwwhore/django.wsgi ErrorLog ${APACHE_LOG_DIR}/HOSTNAME-error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn CustomLog ${APACHE_LOG_DIR}/HOSTNAME-access.log combined </VirtualHost>
/etc/apache2/sites-enabled/HOSTNAME
Activate the new virtual host and restart Apache:
a2ensite HOSTNAME /etc/init.d/apache2 restart
Running from Apache it is recommended to:
# Django settings for carniwwwhore project. #DEBUG = True DEBUG = False TEMPLATE_DEBUG = DEBUG ADMINS = ( # ('Your Name', 'your_email@domain.com'), ('webmaster','webmaster@HOSTNAME'), ) SERVER_EMAIL = 'ore@HOST'
example for changes to settings.py
In case of 500 (internal server error) django will send a email to all addresses listed as ADMIN then.
NOTE You'll have to restart Apache for config changes and updates.
Problems :
As I'm totally aware it looks ugly, there are no screenshots.
I'll post screenshots, once there is a better presentation of the data, starting with valid html.
I really like the overview, as it is reasonable fast, and I think it provides a good insight in whats going on by comparing current data to previous data. You can apply filters and 'zoom' in the aggregated data from the years overview to the hour overview, to spot peaks and switch to the dionaea/attacks overview for a list of attacks from the hour view.
List attacks with filters on all kinds of details.
Render all details for a single attack.
Lists the downloads, can be grouped by timeslot and filtered by md5hash, neat to spot for how long a given sample is active.
Lists all virustotal details we know about the malware received.
Given the current look and feel, I'd really appreciate if somebody would come up with some other templates, even if your templates are just proper html, this is already an improvement to the current templates.
If you are interested in contributing to carniwwhore, just send me your ssh pubkey accompanied by your first patchset, and I'll hook you up with git access, you can have your own tree or commit to master.
If you are new to django, like I am, read up on django by following their introduction:
If you want to improve the look&feel, you can do so easily by creating your own templates. The default templates are /opt/carniwwwhore/templates/dionaea/hateml/, if you want to create your own you can create a new directory copy over the ugly templates modify them:
cd /opt/carniwwwhore/ git cp templates/dionaea/hateml templates/dionaea/lovehtml/
Afterwards change the template path in settings.py to use your templates instead:
TEMPLATE_DIRS = (
'/opt/carniwwwhore/template/dionaea/lovehtml'
Even though all views need love, the downloads view needs even more love, if you want to get into writing views, improving the current views is a good start.
2
Markus,
functionality sounds great, and perfect timing as I'm starting a weeks vacation (one of these days I'll actually take time off and NOT touch a computer…).
As usual, thanks for the effort and sharing great tools.
–Andrew
4
Hi all when i run ( with python3.1 dionaea bin and default 2.5.2) :
debian:/opt/carniwwwhore# python manage.py reset
Error: cannot import name SpooledTemporaryFile
same with :
python manage.py runserver –pythonpath=/opt/dionaea/bin/ –traceback
Error: cannot import name SpooledTemporaryFile
any idea ? :(
5 For debian lenny, you are lost, as the python version (2.5) is too old.
You need 2.6, use squeeze.
6
@bLx: If you are forced to use python 2.5 you may try to replace SpooledTemporaryFile with TemporaryFile function. According to docs these two functions are almost the same ( http://docs.python.org/library/tempfile.html ).
Seems I managed to run carniwwwhore on python 2.5, but I haven't yet tested it enough.
7
When i am trying to migrate my logsql.sqlite to postgress i got his error :
postgresql.exceptions.StringRightTruncationError: value too long for type character varying(32)
CODE: 22001
LOCATION: File 'varchar.c', line 595, in varchar from SERVER
STATEMENT: [prepared]
sql_parameter_types:
['BIGINT', 'BIGINT', 'CHARACTER VARYING', 'CHARACTER VARYING', 'CHARACTER VARYING']
statement_id: py:0x300e5d0
string:
INSERT INTO dionaea.mssql_fingerprints
(
mssql_fingerprint,
connection,
mssql_fingerprint_hostname,
mssql_fingerprint_appname,
mssql_fingerprint_cltintname
)
VALUES
($1,$2,$3,$4,$5)
It look like there is something wrong with a field format no ? Any advice ? :s Is there a mailing list for this kind of question ? (i feel bad, spamming comments)
8
One of the vbalues is larger than 32 chars, either increase the fields size or truncate the values to 32 chars before inserting.
9
Excuse me sir,I have some question about carniwwwhore:
Does carniwwwhore installed in the same machine with dionaea? Because the part of postgres when create table this requires the pg-schema.sql it cannot be found..
Create the tables - this requires the pg_schema.sql from a dionaea checkout
“psql -U xmpp xmpp < PATH/dionaea/modules/python/util/xmpp/pg_schema.sql”
based on the text above I want to ask about where the PATH belongs to?
Regards,sichibukai
10
@sichibukai: No, you can waste multiple machines on the setup dionaea → xmpp → pg_backend → database ← webinterface. If this was a serious question, you have not understand what you are going to do. Good luck.
For the schema, start with basics: http://lmgtfy.com/?q=pg_schema.sql
11
hello sir, I see u hve shared a great tool here.. the carniwwwhore and dionaea is installed in different machine isn't it ? and where should I install “Migrate your logsql to postgres” ? Dionaea machine or Carniwwwhore ? Is it necessary to install apache2 in dionaea machine ? Thx for attention. Im newbie in linux and i was given project to use carniwwwhore. hope u can help. thx. God bless
12
And also, I have installed carniwwwhore in a server with ip public. before, i hve tried to install in virtual box and use the step then it works good. but when i run python manage.py runserver, it didn't work. And I still confused how can carniwwwhore connect with dionaea just with pg_schema ? can u expalain to me please ? im in project undergraduate. and hope u 're kind to help me.. thx. God bless
13
I mean after i ran “python manage.py runserver” and i go to the server's ip public ex : 192.168.70.1:8000, and then the browser just showed me unable to connect.
14
dionaea (logxmpp) → prosody (xmpp server) ← pg_backend → postgres (pg_schema) ← carniwwwhore
15
Regarding how to reach your carniwwwhore from the public IP, use SSH Port Forwarding to forward the 8000 traffic to your local machine. Then point your browser to that localhost:8000.
Ex: ssh -L 8000:localhost:8000 user@carniwwwhore-server
16
@rftm What is that mean ? how to connect them ? Please give me some important moves because i just learned linux for less than 14 days. thx for helping..
17
now I have a carniwwwhore worked.. but I have to copy losql.sqlte to /tmp and then send to carniwwwhore. is there a way to do that in simple way?I mean dionaea can export databse to carniwwwhore by itself..
18
hello,I have one problem when I run python manage.py runserver: from gheat import default_settings as gheat_settings File ”/home/user/Desktop/opt/carniwwwhore/gheat/init.py”, line 97, in <module>
for fname in os.listdir(_color_schemes_dir):
OSError: [Errno 2] No such file or directory: '/opt/carniwwwhore/gheat/etc/color-schemes'
Cannot find zhe file “color-schemes” ,but it exactly exists. And I copy your project into a directory named “opt”. What am i supposed to do Please help me, thank you.
19
It has to be /opt not /home/user/Desktop/opt - or adjust the config (settings.py) to match your pathes.
20
I got this error when I try to execute manage.py
Error: No module named carniwwwhore.gheat
22
Hello, if I have 3 dionaeas so where I have to run pg_backend.py script? in each dionaea server or just in the server that hosts prosody and postgress db? for your knowledge I installed prosody and postgres in on server.
Thank you
23
This is the error I've been getting trying copy the sql.lite database. I can connect to both from the command line with no problem but trying to run the command gives me the following –
Traceback (most recent call last):
File "/home/winnie/Downloads/dionaea/modules/python/util/logsql2postgres.py", line 374, in <module>
port = 5432)
File "/opt/dionaea/lib/python3.2/site-packages/postgresql/driver/__init__.py", line 14, in connect
return default.connect(*args, **kw)
File "/opt/dionaea/lib/python3.2/site-packages/postgresql/driver/pq3.py", line 3024, in connect
c.connect()
File "/opt/dionaea/lib/python3.2/site-packages/postgresql/driver/pq3.py", line 2545, in connect
self.typio.raise_client_error(could_not_connect, creator = self, cause = exc)
File "/opt/dionaea/lib/python3.2/site-packages/postgresql/driver/pq3.py", line 480, in raise_client_error
raise client_error
postgresql.exceptions.ClientCannotConnectError: could not establish connection to server
CODE: 08001
LOCATION: CLIENT
CONNECTION: [failed]
failures[0]:
SSL socket('127.0.0.1', 5432)
postgresql.exceptions.AuthenticationSpecificationError: password authentication failed for user "xmpp"
CODE: 28P01
LOCATION: File 'auth.c', line 302, in auth_failed from SERVER
failures[1]:
socket('127.0.0.1', 5432)
postgresql.exceptions.AuthenticationSpecificationError: password authentication failed for user "xmpp"
CODE: 28P01
LOCATION: File 'auth.c', line 302, in auth_failed from SERVER
CONNECTOR: [Host] pq://xmpp:***@localhost:5432/xmpp
category: None
DRIVER: postgresql.driver.pq3.Driver
–if someone could help I'd appreciate it not sure what I'm doing wrong.
24
solved it, don't put a !1 on the end of the password it does something where it calls back previous bash commands or something. I've never seen it before. Oh well, good lesson learned!
[…] 2010:11:27:carniwwwhore [carnivore news] […]