telekom-security / tpotce

🍯 T-Pot - The All In One Multi Honeypot Platform 🐝
GNU General Public License v3.0

Dionaea Getting Less Attack #139

Closed seantree closed 7 years ago

seantree commented 7 years ago

Hi,

First of all, thank you for the amazing project. I just need some guidance: I installed your honeypot on AWS 3 months ago and I am receiving lots of attacks.

In the last 90 days I received:

- 7136926 Cowrie events
- 142478 Dionaea events
- 75 Elastic Port events
- 25655 Glastopf events
- 273911 Honeytrap events

My question is: after 142478 Dionaea events I only received 45 malware samples in total in the last 90 days, so I just need your guidance on what to do to get a number of malware samples closer to the number of Dionaea events.

Thanks & Regards, Seantree


t3chn0m4g3 commented 7 years ago

@seantree Thanks for your feedback. The number of events does not correlate 1:1 to malware samples. A single malware file within 90 days might be far more interesting than having the same one over and over again. The overall numbers for 90 days seem to be fairly low, though. My sensors usually have around 18-20 million events per 90 days on completely unfiltered lines. Maybe your provider is filtering some traffic?

seantree commented 7 years ago

Hi @t3chn0m4g3 ,

Sorry, I checked the log and the output was for 45 days, not 90 days. I am using AWS and opened the following ports:

| Ports | Protocol | Source |
|---|---|---|
| 8080 | tcp | 0.0.0.0/0, ::/0 |
| 1025 | tcp | 0.0.0.0/0, ::/0 |
| 143 | tcp | 0.0.0.0/0, ::/0 |
| 1883 | tcp | 0.0.0.0/0, ::/0 |
| 11211 | tcp | 0.0.0.0/0, ::/0 |
| 3389 | tcp | 0.0.0.0/0, ::/0 |
| 445 | tcp | 0.0.0.0/0, ::/0 |
| 138 | tcp | 0.0.0.0/0, ::/0 |
| 50100 | tcp | 0.0.0.0/0, ::/0 |
| 5060 | tcp | 0.0.0.0/0, ::/0 |
| 110 | tcp | 0.0.0.0/0, ::/0 |
| All | All | 0.0.0.0/0, ::/0 |
| 21 | tcp | 0.0.0.0/0, ::/0 |
| 25 | tcp | 0.0.0.0/0, ::/0 |
| 23 | tcp | 0.0.0.0/0, ::/0 |
| 4444 | tcp | 0.0.0.0/0, ::/0 |
| 2745 | tcp | 0.0.0.0/0, ::/0 |
| 139 | tcp | 0.0.0.0/0, ::/0 |
| 135 | tcp | 0.0.0.0/0, ::/0 |
| 4899 | tcp | 0.0.0.0/0, ::/0 |
| 53 | tcp | 0.0.0.0/0, ::/0 |
| 1434 | tcp | 0.0.0.0/0, ::/0 |
| 330 | tcp | 0.0.0.0/0, ::/0 |
| 9200 | tcp | 0.0.0.0/0, ::/0 |
| 1433 | tcp | 0.0.0.0/0, ::/0 |
| 80 | tcp | 0.0.0.0/0, ::/0 |
| 1723 | tcp | 0.0.0.0/0, ::/0 |
| 8443 | tcp | 0.0.0.0/0, ::/0 |
| 5900 | tcp | 0.0.0.0/0, ::/0 |
| 42 | tcp | 0.0.0.0/0, ::/0 |
| 443 | tcp | 0.0.0.0/0, ::/0 |
| 21000 | tcp | 0.0.0.0/0, ::/0 |
| 137 | tcp | 0.0.0.0/0, ::/0 |
| 0-65535 | tcp | 0.0.0.0/0, ::/0 |
| 22 | tcp | 0.0.0.0/0, ::/0 |
| 5060 | udp | 0.0.0.0/0, ::/0 |
| 5061 | tcp | 0.0.0.0/0, ::/0 |
| 69 | udp | 0.0.0.0/0, ::/0 |
| 3306 | tcp | 0.0.0.0/0, ::/0 |
| 1900 | tcp | 0.0.0.0/0, ::/0 |
| 8081 | tcp | 0.0.0.0/0, ::/0 |

Let me know if something needs to be corrected. Thanks & Regards, Seantree

t3chn0m4g3 commented 7 years ago

@seantree

The ruleset you are showing is not interfering with the iptables rules of T-Pot, correct?

All | All | 0.0.0.0/0, ::/0 | ✔

Anyhow, I am not entirely sure, but the cited rule should override the other rules.

Besides that, it is not ruled out that AWS filters malicious traffic on its borders; unfortunately I am not aware if that is the case or not. Have you tried running it on a typical DSL line in comparison?

seantree commented 7 years ago

@t3chn0m4g3 No, I am not using it on a DSL line, and I don't think any rule is interfering with the iptables rules because it shows up correctly. If you have another way to check this scenario, let me know and I will double-check it.

Thanks & Regards, Seantree

TPOT412 commented 6 years ago

@seantree My honeypot is also giving me fewer samples. I got only 29 samples in a 20-day period, although there are a number of events. Did you find out what can be done to increase its efficiency?

seantree commented 6 years ago

Hi @TPOT412, did you set it up on Amazon, on a VM, or on a physical machine?

TPOT412 commented 6 years ago

It's a physical machine, with a public IP not behind any NAT.

seantree commented 6 years ago

Interesting. I hope @t3chn0m4g3 will help with this.

TPOT412 commented 6 years ago

Has your sample capturing improved or not? What is your average sample collection in 30 days?

TPOT412 commented 6 years ago

@t3chn0m4g3 can you help in this regard?

seantree commented 6 years ago

It depends; the monthly average count is sometimes 80 and sometimes 70.

TPOT412 commented 6 years ago

Good. I just wanted to let you know that you should monitor/back up samples daily. In my case some samples were present one day, and the next day new samples were there and the old ones had been deleted.

seantree commented 6 years ago

You can change that in the config file; I have commented out the rm command for binaries in the config.
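The daily backup the two comments above describe, as an added example that is not part of T-Pot or this thread: a content-addressed copy of the Dionaea sample directory into an archive outside the honeypot's data volume, so a sample that gets deleted by the next cleanup (or recaptured under a new file name) is kept exactly once. The sample path `/data/dionaea/binaries` and the archive path are assumptions, not values from the thread.

```shell
#!/usr/bin/env bash
# Added example, not T-Pot's own code. Preserves Dionaea samples before the
# honeypot's cleanup removes them, storing each binary once under its SHA-256.
# Assumptions (not from the thread): samples are in /data/dionaea/binaries and
# the archive lives outside /data so no cleanup job ever touches it.
set -u

SRC_DIR="${SRC_DIR:-/data/dionaea/binaries}"          # assumed sample path
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/backups/dionaea-samples}"  # assumed archive path

# archive_samples SRC DST
# Copies every regular file in SRC to DST/<sha256>, skipping hashes already
# present, and appends first-seen time, hash and original name to DST/index.txt.
# Prints "new=<n> seen=<m>" so a cron log shows the real daily yield.
archive_samples() {
    local src="$1" dst="$2" f sum new=0 seen=0
    mkdir -p "$dst"
    for f in "$src"/*; do
        [ -f "$f" ] || continue                 # empty/missing dir: nothing to do
        sum=$(sha256sum -- "$f" | cut -d' ' -f1)
        if [ -e "$dst/$sum" ]; then
            seen=$((seen + 1))                  # same binary captured before
        else
            # copy, never move: Dionaea keeps managing its own directory
            cp -p -- "$f" "$dst/$sum"
            printf '%s %s %s\n' "$(date -u +%FT%TZ)" "$sum" "$(basename -- "$f")" \
                >> "$dst/index.txt"
            new=$((new + 1))
        fi
    done
    echo "new=$new seen=$seen"
}

# Invoked as a script (e.g. from a daily cron entry) with explicit paths;
# sourcing the file only defines the function.
if [ "$#" -eq 2 ]; then
    archive_samples "$1" "$2"
elif [ "$#" -eq 1 ]; then
    archive_samples "$1" "$ARCHIVE_DIR"
fi
```

A cron line such as `0 * * * * /usr/local/bin/archive_samples.sh /data/dionaea/binaries /var/backups/dionaea-samples` (paths assumed) runs it hourly, which is safer than daily if the cleanup interval is unknown.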

t3chn0m4g3 commented 6 years ago

If malware samples are still being collected, I do not see any kind of problem. For about a week I can see that some known attacker IPs are not as active as they used to be. The known attacker pool dropped from about 500.000 IPs to roughly 270.000 IPs (https://github.com/dtag-dev-sec/listbot/commit/d08319dc7520d192602a50ce602840755c954f76).

puriayush29 commented 3 years ago

Hi, I hope everybody is doing great. Can anybody help me with this? I have deployed T-Pot on a VM and I am getting attacks only on ciscoasa, not getting any events on dionaea, cowrie or any other honeypot, and from ciscoasa I am also not getting any fruitful result. How can I improve efficiency, or how can I gain more attacks on T-Pot? Thanks and Regards