
dionaea honeypot isn't listening? #46

Closed exabrial closed 10 years ago

exabrial commented 10 years ago

Ubuntu 12.04 LXC container running on top of Ubuntu 14.04. I deployed a dionaea honeypot and expected it to listen on multiple ports, such as 3306, but it is only listening on a single UDP port. Is there a configuration problem, or is it supposed to behave this way?

root@dionaea:/usr/local/bin# netstat -lp | grep dionaea
udp        0      0 *:47582                 *:*                                 318/dionaea   
jatrost commented 10 years ago

Can you check dionaea's logs and see if there are any error messages?
/var/log/dionaea.* and /var/dionaea/log/*

If you find any that look relevant, please post here.

exabrial commented 10 years ago

/var/log/dionaea.* appears to be a dump of the loaded configuration rather than a runtime log, whereas the log files in /var/dionaea/log/* are completely empty.

    jonathan.fisher@dionaea:/var/dionaea$ cat /var/log/dionaea.out 

Dionaea Version 0.1.0 
Compiled on Linux/x86_64 at Feb 10 2014 15:59:43 with gcc 4.6.3 
Started on dionaea running Linux/x86_64 release 3.13.0-32-generic

[04082014 14:23:21] dionaea dionaea.c:245: User nobody has uid 65534

[04082014 14:23:21] dionaea dionaea.c:264: Group nogroup has gid 65534

python
  sys_path
    0 = "default"
  imports
    0 = "log"
    1 = "services"
    2 = "ihandlers"
  ftp
    root = "wwwroot"
    active-ports = "63001-64000"
    active-host = "0.0.0.0"
  tftp
    root = "wwwroot"
  sip
    udp
      port = "5060"
    tcp
      port = "5060"
    tls
      port = "5061"
    users = "sipaccounts.sqlite"
    rtp
      enable = "yes"
      mode
        0 = "bistream"
        1 = "pcap"
      pcap
        path = "rtp/{personality}/%Y-%m-%d/"
        filename = "%H:%M:%S_{remote_host}_{remote_port}_in.pcap"
    personalities
      default
        domain = "localhost"
        name = "softphone"
        personality = "generic"
    actions
      bank-redirect
        do = "redirect"
      play-hello
        do = "play"
        params
          file = ".../file.ext"
  surfids
    sslmode = "require"
    host = "surfids.example.com"
    port = "5432"
    username = "surfids"
    password = "secret"
    dbname = "idsserver"
  virustotal
    apikey = "........."
    file = "vtcache.sqlite"
  mwserv
    url = ""
    maintainer = ""
    guid = ""
    secret = ""
  mysql
    databases
      information_schema
        path = ":memory:"
  submit_http
    url = ""
    email = ""
    user = ""
    pass = ""
  hpfeeds
    hp1
      server = "mhn"
      port = "10000"
      ident = "95d96cc0-1c0c-11e4-aa64-00163eec95e2"
      secret = "6ZkqD0NK4Z4k0Osh"
      dynip_resolve = "http://queryip.net/ip/"
  logsql
    mode = "sqlite"
    sqlite
      file = "logsql.sqlite"
  logxmpp
    carnivore
      server = "sensors.carnivore.it"
      port = "5223"
      muc = "dionaea.sensors.carnivore.it"
      username = "anonymous@sensors.carnivore.it"
      password = "anonymous"
      config
        anon-events
          events
            0 = "^dionaea\.connection\..*"
            1 = "^dionaea\.modules\.python\.smb.dcerpc\.*"
            2 = "^dionaea\.download\.offer$"
            3 = "^dionaea\.download\.complete\.hash$"
            4 = "^dionaea\.module\.emu\.profile$"
            5 = "^dionaea\.modules\.python\.mysql\.*"
            6 = "^dionaea\.modules\.python\.sip\.*"
            7 = "^dionaea\.modules\.python\.p0f\.*"
            8 = "^dionaea\.modules\.python\.virustotal\report"
          anonymous = "yes"
        anon-files
          events
            0 = "^dionaea\.download\.complete\.unique"
  nfq
    nfaction = "0"
    throttle
      window = "30"
      limits
        total = "30"
        slot = "30"
    timeouts
      server
        listen = "5"
      client
        idle = "10"
        sustain = "240"
  p0f
    path = "un:///tmp/p0f.sock"
  fail2ban
    downloads = "downloads.f2b"
    offers = "offers.f2b"
  ihandlers
    handlers
      0 = "ftpdownload"
      1 = "tftpdownload"
      2 = "emuprofile"
      3 = "cmdshell"
      4 = "store"
      5 = "uniquedownload"
      6 = "logsql"
      7 = "hpfeeds"
  services
    serve
      0 = "http"
      1 = "https"
      2 = "tftp"
      3 = "ftp"
      4 = "mirror"
      5 = "smb"
      6 = "epmap"
      7 = "sip"
      8 = "mssql"
      9 = "mysql"
processors
  filter-emu
    config
      allow
        0
          protocol
            0 = "smbd"
            1 = "epmapper"
            2 = "nfqmirrord"
            3 = "mssqld"
    next
      emu
        config
          emulation
            limits
              files = "3"
              filesize = "524288"
              sockets = "3"
              sustain = "120"
              idle = "30"
              listen = "30"
              cpu = "120"
              steps = "1073741824"
            api
              connect
                host = "127.0.0.1"
                port = "4444"
  filter-streamdumper
    config
      allow
        0
          type
            0 = "accept"
        1
          typ
Dionaea Version 0.1.0 
Compiled on Linux/x86_64 at Feb 10 2014 15:59:43 with gcc 4.6.3 
Started on dionaea running Linux/x86_64 release 3.13.0-32-generic

[04082014 14:23:38] dionaea dionaea.c:245: User nobody has uid 65534

[04082014 14:23:38] dionaea dionaea.c:264: Group nogroup has gid 65534

python
  sys_path
    0 = "default"
  imports
    0 = "log"
    1 = "services"
    2 = "ihandlers"
  ftp
    root = "wwwroot"
    active-ports = "63001-64000"
    active-host = "0.0.0.0"
  tftp
    root = "wwwroot"
  sip
    udp
      port = "5060"
    tcp
      port = "5060"
    tls
      port = "5061"
    users = "sipaccounts.sqlite"
    rtp
      enable = "yes"
      mode
        0 = "bistream"
        1 = "pcap"
      pcap
        path = "rtp/{personality}/%Y-%m-%d/"
        filename = "%H:%M:%S_{remote_host}_{remote_port}_in.pcap"
    personalities
      default
        domain = "localhost"
        name = "softphone"
        personality = "generic"
    actions
      bank-redirect
        do = "redirect"
      play-hello
        do = "play"
        params
          file = ".../file.ext"
  surfids
    sslmode = "require"
    host = "surfids.example.com"
    port = "5432"
    username = "surfids"
    password = "secret"
    dbname = "idsserver"
  virustotal
    apikey = "........."
    file = "vtcache.sqlite"
  mwserv
    url = ""
    maintainer = ""
    guid = ""
    secret = ""
  mysql
    databases
      information_schema
        path = ":memory:"
  submit_http
    url = ""
    email = ""
    user = ""
    pass = ""
  hpfeeds
    hp1
      server = "mhn"
      port = "10000"
      ident = "95d96cc0-1c0c-11e4-aa64-00163eec95e2"
      secret = "6ZkqD0NK4Z4k0Osh"
      dynip_resolve = "http://queryip.net/ip/"
  logsql
    mode = "sqlite"
    sqlite
      file = "logsql.sqlite"
  logxmpp
    carnivore
      server = "sensors.carnivore.it"
      port = "5223"
      muc = "dionaea.sensors.carnivore.it"
      username = "anonymous@sensors.carnivore.it"
      password = "anonymous"
      config
        anon-events
          events
            0 = "^dionaea\.connection\..*"
            1 = "^dionaea\.modules\.python\.smb.dcerpc\.*"
            2 = "^dionaea\.download\.offer$"
            3 = "^dionaea\.download\.complete\.hash$"
            4 = "^dionaea\.module\.emu\.profile$"
            5 = "^dionaea\.modules\.python\.mysql\.*"
            6 = "^dionaea\.modules\.python\.sip\.*"
            7 = "^dionaea\.modules\.python\.p0f\.*"
            8 = "^dionaea\.modules\.python\.virustotal\report"
          anonymous = "yes"
        anon-files
          events
            0 = "^dionaea\.download\.complete\.unique"
  nfq
    nfaction = "0"
    throttle
      window = "30"
      limits
        total = "30"
        slot = "30"
    timeouts
      server
        listen = "5"
      client
        idle = "10"
        sustain = "240"
  p0f
    path = "un:///tmp/p0f.sock"
  fail2ban
    downloads = "downloads.f2b"
    offers = "offers.f2b"
  ihandlers
    handlers
      0 = "ftpdownload"
      1 = "tftpdownload"
      2 = "emuprofile"
      3 = "cmdshell"
      4 = "store"
      5 = "uniquedownload"
      6 = "logsql"
      7 = "hpfeeds"
  services
    serve
      0 = "http"
      1 = "https"
      2 = "tftp"
      3 = "ftp"
      4 = "mirror"
      5 = "smb"
      6 = "epmap"
      7 = "sip"
      8 = "mssql"
      9 = "mysql"
processors
  filter-emu
    config
      allow
        0
          protocol
            0 = "smbd"
            1 = "epmapper"
            2 = "nfqmirrord"
            3 = "mssqld"
    next
      emu
        config
          emulation
            limits
              files = "3"
              filesize = "524288"
              sockets = "3"
              sustain = "120"
              idle = "30"
              listen = "30"
              cpu = "120"
              steps = "1073741824"
            api
              connect
                host = "127.0.0.1"
                port = "4444"
  filter-streamdumper
    config
      allow
        0
          type
            0 = "accept"
        1
          typ
Dionaea Version 0.1.0 
Compiled on Linux/x86_64 at Feb 10 2014 15:59:43 with gcc 4.6.3 
Started on dionaea running Linux/x86_64 release 3.13.0-32-generic

[05082014 07:52:48] dionaea dionaea.c:245: User nobody has uid 65534

[05082014 07:52:48] dionaea dionaea.c:264: Group nogroup has gid 65534

python
  sys_path
    0 = "default"
  imports
    0 = "log"
    1 = "services"
    2 = "ihandlers"
  ftp
    root = "wwwroot"
    active-ports = "63001-64000"
    active-host = "0.0.0.0"
  tftp
    root = "wwwroot"
  http
    root = "wwwroot"
    max-request-size = "32768"
  sip
    udp
      port = "5060"
    tcp
      port = "5060"
    tls
      port = "5061"
    users = "sipaccounts.sqlite"
    rtp
      enable = "yes"
      mode
        0 = "bistream"
        1 = "pcap"
      pcap
        path = "rtp/{personality}/%Y-%m-%d/"
        filename = "%H:%M:%S_{remote_host}_{remote_port}_in.pcap"
    personalities
      default
        domain = "localhost"
        name = "softphone"
        personality = "generic"
    actions
      bank-redirect
        do = "redirect"
      play-hello
        do = "play"
        params
          file = ".../file.ext"
  surfids
    sslmode = "require"
    host = "surfids.example.com"
    port = "5432"
    username = "surfids"
    password = "secret"
    dbname = "idsserver"
  virustotal
    apikey = "........."
    file = "vtcache.sqlite"
  mwserv
    url = ""
    maintainer = ""
    guid = ""
    secret = ""
  mysql
    databases
      information_schema
        path = ":memory:"
  submit_http
    url = ""
    email = ""
    user = ""
    pass = ""
  hpfeeds
    hp1
      server = "mhn"
      port = "10000"
      ident = "95d96cc0-1c0c-11e4-aa64-00163eec95e2"
      secret = "6ZkqD0NK4Z4k0Osh"
      dynip_resolve = "http://queryip.net/ip/"
  logsql
    mode = "sqlite"
    sqlite
      file = "logsql.sqlite"
  logxmpp
    carnivore
      server = "sensors.carnivore.it"
      port = "5223"
      muc = "dionaea.sensors.carnivore.it"
      username = "anonymous@sensors.carnivore.it"
      password = "anonymous"
      config
        anon-events
          events
            0 = "^dionaea\.connection\..*"
            1 = "^dionaea\.modules\.python\.smb.dcerpc\.*"
            2 = "^dionaea\.download\.offer$"
            3 = "^dionaea\.download\.complete\.hash$"
            4 = "^dionaea\.module\.emu\.profile$"
            5 = "^dionaea\.modules\.python\.mysql\.*"
            6 = "^dionaea\.modules\.python\.sip\.*"
            7 = "^dionaea\.modules\.python\.p0f\.*"
            8 = "^dionaea\.modules\.python\.virustotal\report"
          anonymous = "yes"
        anon-files
          events
            0 = "^dionaea\.download\.complete\.unique"
  nfq
    nfaction = "0"
    throttle
      window = "30"
      limits
        total = "30"
        slot = "30"
    timeouts
      server
        listen = "5"
      client
        idle = "10"
        sustain = "240"
  p0f
    path = "un:///tmp/p0f.sock"
  fail2ban
    downloads = "downloads.f2b"
    offers = "offers.f2b"
  ihandlers
    handlers
      0 = "ftpdownload"
      1 = "tftpdownload"
      2 = "emuprofile"
      3 = "cmdshell"
      4 = "store"
      5 = "uniquedownload"
      6 = "logsql"
      7 = "hpfeeds"
  services
    serve
      0 = "http"
      1 = "https"
      2 = "tftp"
      3 = "ftp"
      4 = "mirror"
      5 = "smb"
      6 = "epmap"
      7 = "sip"
      8 = "mssql"
      9 = "mysql"
processors
  filter-emu
    config
      allow
        0
          protocol
            0 = "smbd"
            1 = "epmapper"
            2 = "nfqmirrord"
            3 = "mssqld"
    next
      emu
        config
          emulation
            limits
              files = "3"
              filesize = "524288"
              sockets = "3"
              sustain = "120"
              idle = "30"
              listen = "30"
              cpu = "120"
              steps = "1073741824"
            api
              connect
                host = "127.0.0.1"
                port = "4444"
  filter-streamdumper
    config
      allow
        0
    jonathan.fisher@dionaea:/var/dionaea$ 
jatrost commented 10 years ago

I was able to replicate this. I am working on a new deploy script, but in the meantime you should be able to get it working by doing the following:

Find this section in /etc/dionaea/dionaea.conf:

            services = {
                    serve = ["http", "https", "tftp", "ftp", "mirror", "smb", "epmap", "sip","mssql", "mysql"]
            }

Replace with:

            services = {
                    serve = ["tftp", "ftp", "mirror", "smb", "epmap", "sip","mssql", "mysql"]
            }

Then run:

sudo supervisorctl restart dionaea
sudo netstat -luntp | grep dionaea
exabrial commented 10 years ago

Can you post the whole file? That change didn't work for me...

exabrial commented 10 years ago

I noticed that in that file I could turn on debug and info logging; here is the resulting log:

jonathan.fisher@dionaea:/var/dionaea/log$ cat dionaea.log

[08082014 19:20:29] curl module.c:610-debug: curl_new
[08082014 19:20:29] curl module.c:665-info: curl version 7.22.0 features:gss,idn,ipv6,largefile,ntlm,ssl,libz protocols:dict,file,ftp,ftps,gopher,http,https,imap,imaps,ldap,pop3,pop3s,rtmp,rtsp,smtp,smtps,telnet,tftp 
[08082014 19:20:29] incident incident.c:172-debug: ihandler_new pattern dionaea.download.offer cb 0x7fcc635e3c30 ctx (nil)
[08082014 19:20:29] incident incident.c:174-debug: ihandler 0x1f45630 pattern dionaea.download.offer cb 0x7fcc635e3c30 ctx (nil)
[08082014 19:20:29] incident incident.c:172-debug: ihandler_new pattern dionaea.upload.request cb 0x7fcc635e3c30 ctx (nil)
[08082014 19:20:29] incident incident.c:174-debug: ihandler 0x1f456d0 pattern dionaea.upload.request cb 0x7fcc635e3c30 ctx (nil)
[08082014 19:20:29] emu module.c:61-debug: emu_new
[08082014 19:20:29] pcap pcap.c:354-debug: pcap_new
[08082014 19:20:29] pcap pcap.c:207-debug: pcap_prepare
[08082014 19:20:29] pcap pcap.c:226-debug: node any
[08082014 19:20:29] pcap pcap.c:245-debug: name eth0
[08082014 19:20:29] pcap pcap.c:249-debug:  flags 0
[08082014 19:20:29] pcap pcap.c:280-debug:  
[08082014 19:20:29] pcap pcap.c:263-debug:      PF_INET
[08082014 19:20:29] pcap pcap.c:265-debug:          addr 192.168.127.148
[08082014 19:20:29] pcap pcap.c:267-debug:          netmask 192.168.127.148
[08082014 19:20:29] pcap pcap.c:269-debug:          bcast 192.168.127.148
[08082014 19:20:29] pcap pcap.c:280-debug:  
[08082014 19:20:29] pcap pcap.c:245-debug: name any
[08082014 19:20:29] pcap pcap.c:247-debug:  description Pseudo-device that captures on all interfaces
[08082014 19:20:29] pcap pcap.c:249-debug:  flags 0
[08082014 19:20:29] pcap pcap.c:245-debug: name lo
[08082014 19:20:29] pcap pcap.c:249-debug:  flags 1
[08082014 19:20:29] pcap pcap.c:280-debug:  
[08082014 19:20:29] pcap pcap.c:263-debug:      PF_INET
[08082014 19:20:29] pcap pcap.c:265-debug:          addr 127.0.0.1
[08082014 19:20:29] pcap pcap.c:267-debug:          netmask 127.0.0.1
[08082014 19:20:29] pcap pcap.c:280-debug:  
[08082014 19:20:29] pcap pcap.c:293-debug: bpf filter any: tcp[tcpflags] & tcp-rst != 0 and tcp[4:4] = 0  and ( src host 192.168.127.148 or src host 127.0.0.1  )
[08082014 19:20:29] pcap pcap.c:321-debug: pcap_device any is nonblocking 
[08082014 19:20:29] pcap pcap.c:334-debug: linktype LINUX_SLL Linux cooked
[08082014 19:20:29] pcap pcap.c:364-debug: starting pcap_device any 0x1f45a20
[08082014 19:20:29] python module.c:357-debug: new module.c 0x1ef4820
[08082014 19:20:29] python module.c:361-debug: Python Interpreter /usr/bin/python3.2
[08082014 19:20:29] python module.c:393-debug: running sys.path.insert(0, '/usr/lib/dionaea/python/') default
[08082014 19:20:29] asn1fields dionaea/smb/include/asn1fields.py:177-debug: i2s {0: 'completed', 1: 'incomplete', 2: 'reject'}
[08082014 19:20:29] asn1fields dionaea/smb/include/asn1fields.py:178-debug: s2i {'completed': 0, 'incomplete': 1, 'reject': 2}
[08082014 19:20:29] asn1fields dionaea/smb/include/asn1fields.py:358-debug: self.choice {48: <class 'dionaea.smb.include.gssapifields.NegTokenInit'>}
[08082014 19:20:29] connection connection.c:277-debug: connection_bind con 0x28948a0 addr :: port 69 iface eth0
[08082014 19:20:29] connection connection.c:181-warning: socket() failed for con 0x28948a0 97 (Address family not supported by protocol)
[08082014 19:20:29] python module.c:842-debug: traceable_error_cb con 0x28948a0 error 4
[08082014 19:20:29] connection connection.c:4273-debug: connection_protocol_ctx_get con 0x28948a0 data 0x7fcc5d6db190
[08082014 19:20:29] connection connection.c:648-debug: connection_free con 0x28948a0
[08082014 19:20:29] ftp dionaea/ftp.py:200-debug: ftp test
[08082014 19:20:29] connection connection.c:277-debug: connection_bind con 0x2895030 addr :: port 21 iface eth0
[08082014 19:20:29] connection connection.c:389-debug: connection_listen con 0x2895030 len 20
[08082014 19:20:29] connection connection.c:181-warning: socket() failed for con 0x2895030 97 (Address family not supported by protocol)
[08082014 19:20:29] python module.c:842-debug: traceable_error_cb con 0x2895030 error 4
[08082014 19:20:29] connection connection.c:4273-debug: connection_protocol_ctx_get con 0x2895030 data 0x27dd870
[08082014 19:20:29] connection connection.c:648-debug: connection_free con 0x2895030
[08082014 19:20:29] connection connection.c:277-debug: connection_bind con 0x2895ba0 addr :: port 42 iface eth0
[08082014 19:20:29] connection connection.c:389-debug: connection_listen con 0x2895ba0 len 20
[08082014 19:20:29] connection connection.c:181-warning: socket() failed for con 0x2895ba0 97 (Address family not supported by protocol)
[08082014 19:20:29] python module.c:842-debug: traceable_error_cb con 0x2895ba0 error 4
[08082014 19:20:29] connection connection.c:4273-debug: connection_protocol_ctx_get con 0x2895ba0 data 0x27dd910
[08082014 19:20:29] mirror dionaea/mirror.py:88-debug: mirrord connection error?, should not happen
[08082014 19:20:29] python module.c:1001-warning: AttributeError at 'mirrord' object has no attribute 'peer'
[08082014 19:20:29] python module.c:1026-warning: /usr/lib/dionaea/python/dionaea/mirror.py:89 in handle_error
[08082014 19:20:29] python module.c:1027-warning:    if self.peer:
[08082014 19:20:29] python module.c:1026-warning: binding.pyx:785 in dionaea.core.handle_error_cb (binding.c:6830)
[08082014 19:20:29] python module.c:1027-warning:    None
[08082014 19:20:29] connection connection.c:648-debug: connection_free con 0x2895ba0
[08082014 19:20:29] connection connection.c:277-debug: connection_bind con 0x2897620 addr :: port 445 iface eth0
[08082014 19:20:29] connection connection.c:389-debug: connection_listen con 0x2897620 len 20
[08082014 19:20:29] connection connection.c:181-warning: socket() failed for con 0x2897620 97 (Address family not supported by protocol)
[08082014 19:20:29] python module.c:842-debug: traceable_error_cb con 0x2897620 error 4
[08082014 19:20:29] connection connection.c:4273-debug: connection_protocol_ctx_get con 0x2897620 data 0x27dd9b0
[08082014 19:20:29] connection connection.c:648-debug: connection_free con 0x2897620
[08082014 19:20:29] connection connection.c:277-debug: connection_bind con 0x2899e10 addr :: port 135 iface eth0
[08082014 19:20:29] connection connection.c:389-debug: connection_listen con 0x2899e10 len 20
[08082014 19:20:29] connection connection.c:181-warning: socket() failed for con 0x2899e10 97 (Address family not supported by protocol)
[08082014 19:20:29] python module.c:842-debug: traceable_error_cb con 0x2899e10 error 4
[08082014 19:20:29] connection connection.c:4273-debug: connection_protocol_ctx_get con 0x2899e10 data 0x27dda50
[08082014 19:20:29] connection connection.c:648-debug: connection_free con 0x2899e10
[08082014 19:20:29] sip dionaea/sip/__init__.py:558-debug: <dionaea.sip.SipSession object at 0x27ddbe0> __init__
[08082014 19:20:29] sip dionaea/sip/__init__.py:564-info: SIP Session created with personality 'default'
[08082014 19:20:29] connection connection.c:277-debug: connection_bind con 0x289aab0 addr :: port 5061 iface eth0
[08082014 19:20:29] connection connection.c:389-debug: connection_listen con 0x289aab0 len 20
[08082014 19:20:29] connection connection.c:181-warning: socket() failed for con 0x289aab0 97 (Address family not supported by protocol)
[08082014 19:20:29] python module.c:842-debug: traceable_error_cb con 0x289aab0 error 4
[08082014 19:20:29] connection connection.c:4273-debug: connection_protocol_ctx_get con 0x289aab0 data 0x27ddbe0
[08082014 19:20:29] connection connection.c:648-debug: connection_free con 0x289aab0
[08082014 19:20:29] sip dionaea/sip/__init__.py:558-debug: <dionaea.sip.SipSession object at 0x27ddcd0> __init__
[08082014 19:20:29] sip dionaea/sip/__init__.py:564-info: SIP Session created with personality 'default'
[08082014 19:20:29] connection connection.c:277-debug: connection_bind con 0x289d500 addr :: port 5060 iface eth0
[08082014 19:20:29] connection connection.c:181-warning: socket() failed for con 0x289d500 97 (Address family not supported by protocol)
[08082014 19:20:29] python module.c:842-debug: traceable_error_cb con 0x289d500 error 4
[08082014 19:20:29] connection connection.c:4273-debug: connection_protocol_ctx_get con 0x289d500 data 0x27ddcd0
[08082014 19:20:29] connection connection.c:648-debug: connection_free con 0x289d500
[08082014 19:20:29] connection connection.c:389-debug: connection_listen con 0x289d500 len 20
[08082014 19:20:29] sip dionaea/sip/__init__.py:558-debug: <dionaea.sip.SipSession object at 0x27ddaf0> __init__
[08082014 19:20:29] sip dionaea/sip/__init__.py:564-info: SIP Session created with personality 'default'
[08082014 19:20:29] connection connection.c:277-debug: connection_bind con 0x289e880 addr :: port 5060 iface eth0
[08082014 19:20:29] connection connection.c:389-debug: connection_listen con 0x289e880 len 20
[08082014 19:20:29] connection connection.c:181-warning: socket() failed for con 0x289e880 97 (Address family not supported by protocol)
[08082014 19:20:29] python module.c:842-debug: traceable_error_cb con 0x289e880 error 4
[08082014 19:20:29] connection connection.c:4273-debug: connection_protocol_ctx_get con 0x289e880 data 0x27ddaf0
[08082014 19:20:29] connection connection.c:648-debug: connection_free con 0x289e880
[08082014 19:20:29] connection connection.c:277-debug: connection_bind con 0x289f1e0 addr :: port 1433 iface eth0
[08082014 19:20:29] connection connection.c:389-debug: connection_listen con 0x289f1e0 len 20
[08082014 19:20:29] connection connection.c:181-warning: socket() failed for con 0x289f1e0 97 (Address family not supported by protocol)
[08082014 19:20:29] python module.c:842-debug: traceable_error_cb con 0x289f1e0 error 4
[08082014 19:20:29] connection connection.c:4273-debug: connection_protocol_ctx_get con 0x289f1e0 data 0x27dddc0
[08082014 19:20:29] connection connection.c:648-debug: connection_free con 0x289f1e0
[08082014 19:20:29] connection connection.c:277-debug: connection_bind con 0x289fd30 addr :: port 3306 iface eth0
[08082014 19:20:29] connection connection.c:389-debug: connection_listen con 0x289fd30 len 20
[08082014 19:20:29] connection connection.c:181-warning: socket() failed for con 0x289fd30 97 (Address family not supported by protocol)
[08082014 19:20:29] python module.c:842-debug: traceable_error_cb con 0x289fd30 error 4
[08082014 19:20:29] connection connection.c:4273-debug: connection_protocol_ctx_get con 0x289fd30 data 0x27dde10
[08082014 19:20:29] connection connection.c:648-debug: connection_free con 0x289fd30
[08082014 19:20:29] ftp dionaea/ftp.py:932-debug: ftpdownloadhandler ready!
[08082014 19:20:29] incident incident.c:172-debug: ihandler_new pattern dionaea.download.offer cb 0x7fcc5e36ca10 ctx 0x2856170
[08082014 19:20:29] incident incident.c:174-debug: ihandler 0x28a05e0 pattern dionaea.download.offer cb 0x7fcc5e36ca10 ctx 0x2856170
[08082014 19:20:29] incident incident.c:172-debug: ihandler_new pattern dionaea.download.offer cb 0x7fcc5e36ca10 ctx 0x28562d8
[08082014 19:20:29] incident incident.c:174-debug: ihandler 0x28c3e90 pattern dionaea.download.offer cb 0x7fcc5e36ca10 ctx 0x28562d8
[08082014 19:20:29] emu dionaea/emu.py:41-debug: emuprofilehandler ready!
[08082014 19:20:29] incident incident.c:172-debug: ihandler_new pattern dionaea.module.emu.profile cb 0x7fcc5e36ca10 ctx 0x2856320
[08082014 19:20:29] incident incident.c:174-debug: ihandler 0x28a10f0 pattern dionaea.module.emu.profile cb 0x7fcc5e36ca10 ctx 0x2856320
[08082014 19:20:29] cmd dionaea/cmd.py:397-debug: cmdshellhandler ready!
[08082014 19:20:29] incident incident.c:172-debug: ihandler_new pattern dionaea.service.shell.* cb 0x7fcc5e36ca10 ctx 0x2856368
[08082014 19:20:29] incident incident.c:174-debug: ihandler 0x2655440 pattern dionaea.service.shell.* cb 0x7fcc5e36ca10 ctx 0x2856368
[08082014 19:20:29] store dionaea/store.py:40-debug: storehandler ready!
[08082014 19:20:29] incident incident.c:172-debug: ihandler_new pattern dionaea.download.complete cb 0x7fcc5e36ca10 ctx 0x28563b0
[08082014 19:20:29] incident incident.c:174-debug: ihandler 0x28b4e60 pattern dionaea.download.complete cb 0x7fcc5e36ca10 ctx 0x28563b0
[08082014 19:20:29] test dionaea/test.py:40-debug: uniquedownloadihandler ready!
[08082014 19:20:29] incident incident.c:172-debug: ihandler_new pattern dionaea.download.complete.unique cb 0x7fcc5e36ca10 ctx 0x28563f8
[08082014 19:20:29] incident incident.c:174-debug: ihandler 0x2476150 pattern dionaea.download.complete.unique cb 0x7fcc5e36ca10 ctx 0x28563f8
[08082014 19:20:29] logsql dionaea/logsql.py:43-debug: logsqlhandler ready!
[08082014 19:20:29] hpfeeds dionaea/hpfeeds.py:218-debug: hpfeedhandler init
[08082014 19:20:29] hpfeeds dionaea/hpfeeds.py:120-debug: hpclient init
[08082014 19:20:29] connection connection.c:1001-debug: connection_connect con 0x28cc030 addr mhn port 10000 iface 
[08082014 19:20:29] connection connection.c:4074-debug: connection_connect_resolve con 0x28cc030
[08082014 19:20:29] connection connection.c:4075-debug: submitting dns mhn
[08082014 19:20:29] incident incident.c:365-debug: reporting 0x24761d0
[08082014 19:20:29] incident incident.c:354-debug: incident 0x24761d0 dionaea.connection.tcp.connect
[08082014 19:20:29] incident incident.c:167-debug:  con: (ptr) 0x28cc030
[08082014 19:20:29] incident incident.c:172-debug: ihandler_new pattern * cb 0x7fcc5e36ca10 ctx 0x2856ef0
[08082014 19:20:29] incident incident.c:174-debug: ihandler 0x28cdb10 pattern * cb 0x7fcc5e36ca10 ctx 0x2856ef0
[08082014 19:20:29] hpfeeds dionaea/hpfeeds.py:227-debug: You are missing the python pyev binding in your dionaea installation.
[08082014 19:20:29] incident incident.c:172-debug: ihandler_new pattern dionaea.*.mkshell cb 0x7fcc5e36a130 ctx (nil)
[08082014 19:20:29] incident incident.c:174-debug: ihandler 0x264a4c0 pattern dionaea.*.mkshell cb 0x7fcc5e36a130 ctx (nil)
[08082014 19:20:29] dionaea dionaea.c:729-debug: Creating processors tree
[08082014 19:20:29] processor processor.c:17-debug: processors_tree_create tree 0x1f23630 node 0x1ef96e0 key filter-emu
[08082014 19:20:29] processor processor.c:17-debug: processors_tree_create tree 0x1f23660 node 0x1efe090 key emu
[08082014 19:20:29] emu detect.c:61-debug: proc_emu_ctx_cfg_new node 0x1efe0e0
[08082014 19:20:29] emu detect.c:107-debug:  files 3 filesize 524288 sockets 3 steps 1073741824 idle 30.000000 listen 30.000000 sustain 120.000000 cpu 120.000000 
[08082014 19:20:29] processor processor.c:17-debug: processors_tree_create tree 0x1f23630 node 0x1efe6d0 key filter-streamdumper
[08082014 19:20:29] processor processor.c:17-debug: processors_tree_create tree 0x1f236c0 node 0x1efed30 key streamdumper
[08082014 19:20:29] processor processor.c:346-warning: bistreams/2014-08-08/ <-> bistreams/%Y-%m-%d/
[08082014 19:20:29] processor processor.c:74-debug:      filter
[08082014 19:20:29] processor processor.c:74-debug:          emu
[08082014 19:20:29] processor processor.c:74-debug:      filter
[08082014 19:20:29] processor processor.c:74-debug:          streamdumper
[08082014 19:20:29] dionaea dionaea.c:777-debug: old umask -----w--w-
[08082014 19:20:29] dionaea dionaea.c:778-debug: new umask -----w--w-
[08082014 19:20:29] dionaea dionaea.c:793-info: Using 1024 as limit for fds
[08082014 19:20:29] nfq nfq.c:154-debug: nfq_start
[08082014 19:20:29] python module.c:330-warning: start module.c
[08082014 19:20:29] python module.c:338-info: start dionaea.log 0x213d2b0 0x7fcc5d7247a0
[08082014 19:20:29] python module.c:338-info: start dionaea.services 0x27128c0 0x7fcc5d69a098
[08082014 19:20:29] python module.c:338-info: start dionaea.ihandlers 0x26e8b40 0x283b4d0
[08082014 19:20:29] ihandlers dionaea/ihandlers.py:60-warning: START THE IHANDLERS
[08082014 19:20:29] incident incident.c:172-debug: ihandler_new pattern * cb 0x7fcc5e36ca10 ctx 0x28567a0
[08082014 19:20:29] incident incident.c:174-debug: ihandler 0x2482ba0 pattern * cb 0x7fcc5e36ca10 ctx 0x28567a0
[08082014 19:20:29] logsql dionaea/logsql.py:158-info: Getting RPC Services
[08082014 19:20:29] logsql dionaea/logsql.py:178-info: Setting RPC ServiceOps
[08082014 19:20:29] logsql dionaea/logsql.py:197-debug: Trying to update table: dcerpcserviceops
[08082014 19:20:29] logsql dionaea/logsql.py:203-info: ... not required
[08082014 19:20:29] logsql dionaea/logsql.py:221-debug: Trying to update table: emu_services
[08082014 19:20:29] logsql dionaea/logsql.py:226-debug: ... not required
[08082014 19:20:29] logsql dionaea/logsql.py:266-debug: Trying to update table: downloads
[08082014 19:20:29] logsql dionaea/logsql.py:272-debug: ... not required
[08082014 19:20:29] logsql dionaea/logsql.py:429-info: Setting MySQL Command Ops
[08082014 19:20:29] logsql dionaea/logsql.py:540-debug: Updating Table dcerpcs
[08082014 19:20:29] logsql dionaea/logsql.py:551-debug: ... not required
[08082014 19:20:29] dionaea dionaea.c:811-info: Installing signal handlers
[08082014 19:20:29] dionaea dionaea.c:859-debug: looping
[08082014 19:20:29] connection connection.c:4181-debug: connection_connect_resolve_a_cb ctx 0x1f215b0 result 0x2956810 con 0x28cc030
[08082014 19:20:29] connection connection.c:4194-debug:     192.168.127.147
[08082014 19:20:29] connection connection.c:4153-debug: connection_connect_resolve_action con 0x28cc030
[08082014 19:20:29] connection connection.c:4205-debug: connection_connect_resolve_aaaa_cb ctx 0x1f215b0 result (nil) con 0x28cc030
[08082014 19:20:29] connection connection.c:4153-debug: connection_connect_resolve_action con 0x28cc030
[08082014 19:20:29] connection connection.c:774-debug: connection_connect_next_addr con 0x28cc030
[08082014 19:20:29] connection connection.c:779-debug: connecting 192.168.127.147
[08082014 19:20:29] connection connection.c:807-debug: connecting 192.168.127.147:10000
[08082014 19:20:29] connection connection.c:816-debug: tcp
[08082014 19:20:29] connection connection.c:200-debug: bind_local con 0x28cc030
[08082014 19:20:29] connection connection.c:742-debug: connection_set_nonblocking
[08082014 19:20:29] connection connection.c:1984-debug: connection_tcp_connecting_cb con 0x28cc030
[08082014 19:20:29] connection connection.c:2013-debug: connection 192.168.127.148:41796 -> 192.168.127.147:10000
[08082014 19:20:29] connection connection.c:1628-debug: connection_established 0x28cc030
[08082014 19:20:29] python module.c:819-debug: traceable_established_cb con 0x28cc030
[08082014 19:20:29] connection connection.c:4273-debug: connection_protocol_ctx_get con 0x28cc030 data 0x28e1410
[08082014 19:20:29] hpfeeds dionaea/hpfeeds.py:134-debug: hpclient established
[08082014 19:20:29] connection connection.c:2021-debug: connection_tcp_io_in_cb con 0x28cc030
[08082014 19:20:29] connection connection.c:2036-debug: can recv 15 bytes
[08082014 19:20:29] connection connection.c:2041-debug: io_in: throttle can 15 want 15
[08082014 19:20:29] connection connection.c:1848-debug: connection_throttle_update con 0x28cc030 thr 0x28cc440 bytes 14
[08082014 19:20:29] connection connection.c:2085-debug: EAGAIN
[08082014 19:20:29] python module.c:827-debug: traceable_io_in_cb con 0x28cc030 ctx 0x28e1410 data 0x28c5fe0 size 14
[08082014 19:20:29] hpfeeds dionaea/hpfeeds.py:145-debug: hpclient msg opcode 1 data bytearray(b'\x04@hp2\x172\xb7\xd1')
[08082014 19:20:29] hpfeeds dionaea/hpfeeds.py:148-debug: hpclient server name bytearray(b'@hp2') rand bytearray(b'\x172\xb7\xd1')
[08082014 19:20:29] connection connection.c:1219-debug: connection_send con 0x28cc030 data 0x28e4230 size 62
[08082014 19:20:29] connection connection.c:2116-debug: connection_tcp_io_out_cb con 0x28cc030
[08082014 19:20:29] connection connection.c:1848-debug: connection_throttle_update con 0x28cc030 thr 0x28cc480 bytes 62
[08082014 19:20:29] python module.c:835-debug: traceable_io_out_cb con 0x28cc030 ctx 0x28e1410
[08082014 19:20:29] connection connection.c:1745-debug: connection_stats_accounting_limit_exceeded stats 0x28cc470
[08082014 19:20:29] connection connection.c:1745-debug: connection_stats_accounting_limit_exceeded stats 0x28cc430
[08082014 19:20:30] connection connection.c:667-debug: connection_free_cb con 0x2899e10
[08082014 19:20:30] connection connection.c:676-debug: AF 10 0 con->local.domain
[08082014 19:20:30] incident incident.c:365-debug: reporting 0x23202d0
[08082014 19:20:30] incident incident.c:354-debug: incident 0x23202d0 dionaea.connection.free
[08082014 19:20:30] incident incident.c:167-debug:  con: (ptr) 0x2899e10
[08082014 19:20:30] python module.c:778-debug: traceable_ihandler_cb incident 0x23202d0 ctx 0x2856ef0
[08082014 19:20:30] python module.c:778-debug: traceable_ihandler_cb incident 0x23202d0 ctx 0x28567a0
[08082014 19:20:30] logsql dionaea/logsql.py:691-warning: no attackid for :135
[08082014 19:20:30] python module.c:805-debug: traceable_ctx_free_cb ctx 0x27dda50
[08082014 19:20:30] connection connection.c:667-debug: connection_free_cb con 0x289aab0
[08082014 19:20:30] connection connection.c:676-debug: AF 10 0 con->local.domain
[08082014 19:20:30] incident incident.c:365-debug: reporting 0x2422770
[08082014 19:20:30] incident incident.c:354-debug: incident 0x2422770 dionaea.connection.free
[08082014 19:20:30] incident incident.c:167-debug:  con: (ptr) 0x289aab0
[08082014 19:20:30] python module.c:778-debug: traceable_ihandler_cb incident 0x2422770 ctx 0x2856ef0
[08082014 19:20:30] python module.c:778-debug: traceable_ihandler_cb incident 0x2422770 ctx 0x28567a0
[08082014 19:20:30] logsql dionaea/logsql.py:691-warning: no attackid for :5061
[08082014 19:20:30] python module.c:805-debug: traceable_ctx_free_cb ctx 0x27ddbe0
[08082014 19:20:30] connection connection.c:667-debug: connection_free_cb con 0x2895030
[08082014 19:20:30] connection connection.c:676-debug: AF 10 0 con->local.domain
[08082014 19:20:30] incident incident.c:365-debug: reporting 0x2886940
[08082014 19:20:30] incident incident.c:354-debug: incident 0x2886940 dionaea.connection.free
[08082014 19:20:30] incident incident.c:167-debug:  con: (ptr) 0x2895030
[08082014 19:20:30] python module.c:778-debug: traceable_ihandler_cb incident 0x2886940 ctx 0x2856ef0
[08082014 19:20:30] python module.c:778-debug: traceable_ihandler_cb incident 0x2886940 ctx 0x28567a0
[08082014 19:20:30] logsql dionaea/logsql.py:691-warning: no attackid for :21
[08082014 19:20:30] python module.c:805-debug: traceable_ctx_free_cb ctx 0x27dd870
[08082014 19:20:30] connection connection.c:667-debug: connection_free_cb con 0x289d500
[08082014 19:20:30] connection connection.c:676-debug: AF 10 0 con->local.domain
[08082014 19:20:30] incident incident.c:365-debug: reporting 0x27ec3f0
[08082014 19:20:30] incident incident.c:354-debug: incident 0x27ec3f0 dionaea.connection.free
[08082014 19:20:30] incident incident.c:167-debug:  con: (ptr) 0x289d500
[08082014 19:20:30] python module.c:778-debug: traceable_ihandler_cb incident 0x27ec3f0 ctx 0x2856ef0
[08082014 19:20:30] python module.c:778-debug: traceable_ihandler_cb incident 0x27ec3f0 ctx 0x28567a0
[08082014 19:20:30] logsql dionaea/logsql.py:691-warning: no attackid for :5060
[08082014 19:20:30] python module.c:805-debug: traceable_ctx_free_cb ctx 0x27ddcd0
[08082014 19:20:30] connection connection.c:667-debug: connection_free_cb con 0x289e880
[08082014 19:20:30] connection connection.c:676-debug: AF 10 0 con->local.domain
[08082014 19:20:30] incident incident.c:365-debug: reporting 0x277b4f0
[08082014 19:20:30] incident incident.c:354-debug: incident 0x277b4f0 dionaea.connection.free
[08082014 19:20:30] incident incident.c:167-debug:  con: (ptr) 0x289e880
[08082014 19:20:30] python module.c:778-debug: traceable_ihandler_cb incident 0x277b4f0 ctx 0x2856ef0
[08082014 19:20:30] python module.c:778-debug: traceable_ihandler_cb incident 0x277b4f0 ctx 0x28567a0
[08082014 19:20:30] logsql dionaea/logsql.py:691-warning: no attackid for :5060
[08082014 19:20:30] python module.c:805-debug: traceable_ctx_free_cb ctx 0x27ddaf0
[08082014 19:20:30] connection connection.c:667-debug: connection_free_cb con 0x28948a0
[08082014 19:20:30] connection connection.c:676-debug: AF 10 0 con->local.domain
[08082014 19:20:30] incident incident.c:365-debug: reporting 0x212b2c0
[08082014 19:20:30] incident incident.c:354-debug: incident 0x212b2c0 dionaea.connection.free
[08082014 19:20:30] incident incident.c:167-debug:  con: (ptr) 0x28948a0
[08082014 19:20:30] python module.c:778-debug: traceable_ihandler_cb incident 0x212b2c0 ctx 0x2856ef0
[08082014 19:20:30] python module.c:778-debug: traceable_ihandler_cb incident 0x212b2c0 ctx 0x28567a0
[08082014 19:20:30] logsql dionaea/logsql.py:691-warning: 
jatrost commented 10 years ago

here is the whole file. https://gist.github.com/jt6211/7a22e10042e0c6ff3fc3

You will want to copy the hpfeeds section from your config as it is blank in mine.

jatrost commented 10 years ago

If you wanted to install a clean version, you should be able to do this:

  1. Delete the sensor from the MHN UI
  2. copy the new deploy_dionaea.sh script after doing git pull
  3. On the dionaea box:

    apt-get purge -y dionaea
    rm -rf /usr/lib/dionaea/ /etc/dionaea /var/dionaea/

Then re-run the deployment.

exabrial commented 10 years ago

Dang... after the reinstall with fresh config, still nothing:

jonathan.fisher@dionaea:~$ sudo netstat -luntp | grep dionaea
udp        0      0 0.0.0.0:56153           0.0.0.0:*                           1810/dionaea    
jonathan.fisher@dionaea:~$ 
jatrost commented 10 years ago

Can you provide your dionaea.conf? And these files: /var/dionaea/log/* AND /var/log/dionaea.*?

I just tried this install from a fresh VM and this is what I got.

root@mhn-honeypot:/var/dionaea/log# netstat -luntp | grep dionaea
tcp6       0      0 :::3306                 :::*                    LISTEN      4377/dionaea    
tcp6       0      0 :::42                   :::*                    LISTEN      4377/dionaea    
tcp6       0      0 :::21                   :::*                    LISTEN      4377/dionaea    
tcp6       0      0 :::1433                 :::*                    LISTEN      4377/dionaea    
tcp6       0      0 :::445                  :::*                    LISTEN      4377/dionaea    
tcp6       0      0 :::5060                 :::*                    LISTEN      4377/dionaea    
tcp6       0      0 :::5061                 :::*                    LISTEN      4377/dionaea    
tcp6       0      0 :::135                  :::*                    LISTEN      4377/dionaea    
udp6       0      0 :::5060                 :::*                                4377/dionaea    
udp6       0      0 :::69                   :::*                                4377/dionaea    
exabrial commented 10 years ago

Oh snap... no IPv4? IPv6 is disabled on the whole box! We don't use IPv6 on our network at all; it's disabled on everything to shut down a potential threat vector we're not watching.

exabrial commented 10 years ago

Figured it out: the default listener binds only the IPv6 wildcard, so with IPv6 disabled nothing comes up. Add IPv4 support like this in the config file:

        mode = "manual"
        addrs = { eth0 = ["::", "0.0.0.0"] }
exabrial commented 10 years ago

Boom... BTW, why is http disabled by default? I enabled it in my config. Here are my ports:

jonathan.fisher@dionaea:~$ sudo netstat -lp | grep dionaea
tcp        0      0 *:sip                   *:*                     LISTEN      5408/dionaea    
tcp        0      0 *:sip-tls               *:*                     LISTEN      5408/dionaea    
tcp        0      0 *:loc-srv               *:*                     LISTEN      5408/dionaea    
tcp        0      0 *:mysql                 *:*                     LISTEN      5408/dionaea    
tcp        0      0 *:nameserver            *:*                     LISTEN      5408/dionaea    
tcp        0      0 *:http                  *:*                     LISTEN      5408/dionaea    
tcp        0      0 *:ftp                   *:*                     LISTEN      5408/dionaea    
tcp        0      0 *:ms-sql-s              *:*                     LISTEN      5408/dionaea    
tcp        0      0 *:https                 *:*                     LISTEN      5408/dionaea    
tcp        0      0 *:microsoft-ds          *:*                     LISTEN      5408/dionaea    
udp        0      0 *:tftp                  *:*                                 5408/dionaea    
udp        0      0 *:sip                   *:*                                 5408/dionaea    
udp        0      0 *:59595                 *:*                                 5408/dionaea    
jonathan.fisher@dionaea:~$ 
jatrost commented 10 years ago

We disabled it because we wanted to allow multiple honeypots to run on the same box, and conpot also listens on port 80.

Jason Trost | Senior Analytics Engineer | www.threatstream.com http://www.threatstream.com/ Phone: 386.235.0078 | Twitter: @jason_trost

exabrial commented 10 years ago

Ah, I see... I have conpot running in a separate LXC container. Anyway, thanks for helping me out. I'd write a patch for the 0.0.0.0 fix, but I don't even know where to change the config!

exabrial commented 10 years ago

Never mind, figured it out. Enjoy ze patch, and THANK YOU for your help and for putting MHN together!