carniwwwhore visuals

I felt carniwwwhore needs some visuals, so I've been playing with pychart lately, and I wanted to point out some aspects of the data which are easily accessible with carniwwwhore.

The data used here was gathered using the anonymous xmpp sensor network, which is not that exact as a source, since users may nmap their own scanner for testing purposes or fail to install it properly.

The code which generates charts for the data is not in git yet, but all charts are plain copies from 'what exists' already.

scans


distribution of the top 100 rejects for the last 2 weeks

The top 10 of the top 100 rejects make up a large chunk of the total.

#   port   count  service
1   15436  16540  unknown
2   139    11311  netbios
3   9415   8687   proxy?
4   1080   1449   proxy
5   4899   1127   radmin
6   445    762    smb - dionaea should serve this
7   25     754    smtp
8   27977  723    proxy?
9   3389   716    rdp
10  23     714    telnet
11  1433   677    mssql - dionaea should serve this
12  2967   302    big yellow
13  5900   242    vnc

For tcp/port 15436 I have no idea what is meant to be served on the port. The distribution of the top 100 hosts looks like this:

distribution of the top 100 rejected hosts for tcp/port 15436 for the last 2 weeks

tcp/port 9415 was more interesting: Google told me it was the port of the Koobface proxy.

distribution of the top 100 rejected hosts for tcp/port 9415 for the last 2 weeks

So I had a look at the distribution of attacks over the last 6 months for 9415 and 15436:

attacks on tcp/port 9415 for the last 6 months


attacks on tcp/port 15436 for the last 6 months

other

While the proxy scans were dominated by some hosts, attacks on mssql tcp/port 1433 had a much more even distribution:

served attacks on tcp/port 1433 for the last 6 months

distribution of the top 100 served hosts for tcp/port 1433 for the last 6 months

At least, until one looks at the data for the last week, which is dominated too:

distribution of the top 100 served hosts for tcp/port 1433 for the last 2 weeks
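
Whether a port is "dominated" by a few hosts or evenly spread can be put into numbers instead of read off a chart. The following is an added example, not carniwwwhore code: the record layout, the state names "rejected" and "served", and all sample records are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from math import log2

def sample_records(now):
    """Constructed records, not sensor data: (timestamp, state, local_port, remote_host)."""
    # one host produces 90 of the 100 rejects on tcp/port 9415
    rows = [(now - timedelta(hours=i), "rejected", 9415, "192.0.2.10") for i in range(90)]
    rows += [(now - timedelta(hours=i), "rejected", 9415, f"198.51.100.{i}") for i in range(10)]
    # served mssql connections spread evenly over 50 hosts
    rows += [(now - timedelta(hours=i), "served", 1433, f"203.0.113.{i % 50}") for i in range(100)]
    # older than the two-week window, must be ignored
    rows.append((now - timedelta(days=30), "rejected", 9415, "192.0.2.99"))
    return rows

def host_distribution(records, state, since):
    """Per-port Counter of remote hosts for one connection state since a cutoff."""
    per_port = defaultdict(Counter)
    for ts, st, port, host in records:
        if st == state and ts >= since:
            per_port[port][host] += 1
    return per_port

def concentration(hosts, top=1):
    """Return (share of the `top` busiest hosts, normalised entropy in [0, 1])."""
    total = sum(hosts.values())
    if total == 0:
        return 0.0, 0.0
    share = sum(n for _, n in hosts.most_common(top)) / total
    if len(hosts) < 2:
        return share, 0.0  # a single host is fully dominated
    entropy = -sum((n / total) * log2(n / total) for n in hosts.values())
    return share, entropy / log2(len(hosts))

if __name__ == "__main__":
    now = datetime(2010, 12, 25, 15, 0)
    since = now - timedelta(weeks=2)
    recs = sample_records(now)
    for state in ("rejected", "served"):
        for port, hosts in sorted(host_distribution(recs, state, since).items()):
            share, evenness = concentration(hosts)
            print(f"{state} tcp/port {port}: {sum(hosts.values())} connections, "
                  f"{len(hosts)} hosts, top host {share:.0%}, evenness {evenness:.2f}")
```

An evenness near 1 means the connections are spread over many hosts; a value near 0 together with a high top-host share means a handful of sources account for the port's traffic.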

Had more to write, but need to catch a train now.
Got to love christmas.

Comments

1

Interesting, I hope to have the time to install and test this just after the xmas holiday.

guly
2010/12/25 19:22
2

Hello, I have a machine running Dionaea. I tested it with Metasploit, particularly with the exploits MS04-11 and MS08_067, and noticed through the Dionaea execution log that the attempted attack is detected but no session is created. The worst is that Dionaea gathers no binary file and sends nothing to VirusTotal or to the Norman sandbox. What is it that is escaping me?!

I have uncommented the ihandler virus total and curiously it does not work.

Tiago
2011/01/06 19:51
3

I really wonder why people comment on totally unrelated posts in the blog to complain about problems, without providing any useful information which could be used to reproduce and help out, instead of sending a simple mail to the mailing list, choosing an appropriate topic, providing information gathered from the logs and all the required bits to reproduce.

That said, given the information provided, I can't help you.

Markus

Markus
2011/01/09 16:27
4

I apologize. I have already put the message in the mailing list.

Thanks.

Tiago
2011/01/10 17:12


2010/12/25/carniwwwhore_visuals.txt · Last modified: 2010/12/25 15:17 by common