Dionaea not showing attacks

[PersonaN0nGrata]

Hey. I have deployed a MHN server and another server with a couple of honeypots on it. Cowrie, conpot and dionaea. Attacks on the dionaea is not showing up for some reason. Cowrie and conpot is. I have dionaea expose port 80, and can connect to it from an outside network, so i know that its running The mhn server:

This file is in ihandlers-enabled. The ipadress is correct, and the port is the same as the other 2 honeypots are using for the MHN server.

I also tried connecting to the ftp that dionaea exposes, but that also doesnt show up on the MHN server.

[neil-fox]

What cloud tech are you using to host your VM's?

[PersonaN0nGrata]

Running on my own servers, exposed with a 3g network

[neil-fox]

Ah right, I was thinking your issue may be firewall related if you were using something such as azure. The only connections i see for Dionaea on my attack map is for 445, do you have that port open?

[PersonaN0nGrata]

On the Dionaea? Or the MHN server? Everything nats to the honeypot machine. The Dionaea should feed on port 10000 right? That port is open on the mhn server. On the dionaea these are the services available

So if i connect to port 80 i get the dionaea http pot, but nothing shows up on the mhn server

[neil-fox]

You're right Dionaea feeds back to the MHN server on 10000. However no connections to my Dionaea sensor on 80 show up on the attack map, only SMB/445 connections. Try a connection to Dionaea on 445 instead of 80 and see if that shows up on your map.

[PersonaN0nGrata]

How do i test that port 445? port 80 was easy with just the browser ^^

[neil-fox]

If you have a Kali instance try using Metasploit to test your Dionaea sensor:

https://www.adlice.com/catch-malware-honeypot/

Other than that I'm not sure what else to suggest i'm afraid.

[neil-fox]

Also whats the output of an nmap scan of your Dionaea sensor?

[PersonaN0nGrata]

Scanning the sensor machine shows all the open ports it should, and it shows smb1 on 445 etc.

Ill try testing port 445 with metasploit later.

So the issue is with dioneae only using some of the services for HPFeeds?

[neil-fox]

"So the issue is with dioneae only using some of the services for HPFeeds?" - Potentially, I'm in a similar position to yourself where I've only just started to play around with MHN and finding things out for myself through trial and error so I'm no expert on this. All i can say is that i only see 445 connections on my map for the Dionaea sensor so i know it definitely works.

[PersonaN0nGrata]

nmap scan shows this. I dont really like that it says dionaea on port 443... Seems a bit stupid I tried using metasploit to attack port 445, but i cant seem to get a connection through to it. The cowrie on the same machine works fine however.

Tested port 80 and that works aswell.