Dionaea and DionaeaFR
Dionaea is a low-interaction honeypot and one of the honeypots that can be deployed through the Modern Honey Network (MHN). Next to the MHN dashboard I also wanted some more specific data on the Dionaea honeypot. That is where DionaeaFR comes in.
The installation is described in detail on the GitHub page and on http://bruteforce.gr/visualizing-dionaeas-results-with-dionaeafr.html.
I had to add some extra packages and settings on an Ubuntu 12.04.4 LTS system. Below is the full installation path.
Install Dionaea
I assume you have Dionaea installed, either according to the Dionaea installation guide or via the deploy script of MHN.
Install DionaeaFR
apt-get install python-pip python-netaddr
apt-get install build-essential
apt-get install python-dev
apt-get install git
pip install Django
pip install pygeoip
pip install django-pagination
pip install django-tables2
pip install django-compressor
pip install django-htmlmin
pip install django-filter
cd /opt/
wget https://github.com/benjiec/django-tables2-simplefilter/archive/master.zip -O django-tables2-simplefilter.zip
unzip django-tables2-simplefilter.zip
mv django-tables2-simplefilter-master/ django-tables2-simplefilter/
cd django-tables2-simplefilter/
python setup.py install
cd /opt/
git clone https://github.com/bro/pysubnettree.git
cd pysubnettree/
python setup.py install
cd /opt/
wget http://nodejs.org/dist/v0.8.16/node-v0.8.16.tar.gz
tar xzvf node-v0.8.16.tar.gz
cd node-v0.8.16
./configure
make
make install
npm install -g less
cd /opt/
wget https://github.com/RootingPuntoEs/DionaeaFR/archive/master.zip -O DionaeaFR.zip
unzip DionaeaFR.zip
mv DionaeaFR-master/ DionaeaFR
cd /opt/
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
gunzip GeoLiteCity.dat.gz
gunzip GeoIP.dat.gz
mv GeoIP.dat DionaeaFR/DionaeaFR/static
mv GeoLiteCity.dat DionaeaFR/DionaeaFR/static
My Dionaea setup is done via MHN, so I had to change these settings in /opt/DionaeaFR/DionaeaFR/settings.py:
...
'NAME': '/var/dionaea/logsql.sqlite', # Or path to database file if using sqlite3.
...
STATIC_ROOT = '/opt/DionaeaFR/DionaeaFR/static/static2/'
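As an added check (my own script, not part of the original post or of DionaeaFR), the following opens the sqlite file named in NAME and summarizes what DionaeaFR will have to display: connections per protocol, the remote hosts with the most hits, and the number of downloads. The column names follow the logsql schema as I assume it, so compare them against your own file with `sqlite3 /var/dionaea/logsql.sqlite .schema`; demo() builds a constructed sample database in a temporary directory so the script also runs offline.

```python
import os, shutil, sqlite3, tempfile

# Assumed subset of Dionaea's logsql schema (constructed for this example;
# compare with: sqlite3 /var/dionaea/logsql.sqlite .schema).
SCHEMA = """
CREATE TABLE connections (connection INTEGER PRIMARY KEY, connection_type TEXT,
  connection_transport TEXT, connection_protocol TEXT, connection_timestamp INTEGER,
  remote_host TEXT, remote_port INTEGER, local_host TEXT, local_port INTEGER);
CREATE TABLE downloads (download INTEGER PRIMARY KEY, connection INTEGER,
  download_url TEXT, download_md5_hash TEXT);
"""
# Constructed sample rows: documentation-range addresses and a placeholder hash.
SAMPLE_CONNECTIONS = [
    (1, "accept", "tcp", "smbd", 1416300000, "198.51.100.7", 40001, "10.0.0.5", 445),
    (2, "accept", "tcp", "smbd", 1416300060, "198.51.100.7", 40002, "10.0.0.5", 445),
    (3, "accept", "tcp", "httpd", 1416300120, "203.0.113.9", 51000, "10.0.0.5", 80),
    (4, "accept", "tcp", "mssqld", 1416300180, "192.0.2.33", 52000, "10.0.0.5", 1433),
]
SAMPLE_DOWNLOADS = [(1, 1, "http://198.51.100.7/x.exe", "0" * 32)]

def build_sample_db(db_path):
    """Write a throwaway logsql-style database so the check runs offline."""
    with sqlite3.connect(db_path) as conn:  # commits on exit
        conn.executescript(SCHEMA)
        conn.executemany("INSERT INTO connections VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_CONNECTIONS)
        conn.executemany("INSERT INTO downloads VALUES (?,?,?,?)", SAMPLE_DOWNLOADS)

def summarize(db_path):
    """Return (connections per protocol, remote hosts by hit count, download count)."""
    if not os.path.isfile(db_path):  # a wrong NAME in settings.py fails here, not later
        raise IOError("no such database file: %s" % db_path)
    conn = sqlite3.connect(db_path)
    try:
        by_proto = dict(conn.execute("SELECT connection_protocol, COUNT(*) "
                                     "FROM connections GROUP BY connection_protocol"))
        top_hosts = conn.execute("SELECT remote_host, COUNT(*) AS n FROM connections "
                                 "GROUP BY remote_host ORDER BY n DESC, remote_host").fetchall()
        n_downloads = conn.execute("SELECT COUNT(*) FROM downloads").fetchone()[0]
    finally:
        conn.close()
    return by_proto, top_hosts, n_downloads

def demo():
    tmpdir = tempfile.mkdtemp()  # build the sample DB in a temp dir, then clean up
    try:
        path = os.path.join(tmpdir, "logsql.sqlite")
        build_sample_db(path)
        return summarize(path)
    finally:
        shutil.rmtree(tmpdir)
```

Run summarize() against the real path from settings.py: if it raises, the NAME setting is wrong; if downloads is 0 while connections grow, Dionaea is accepting connections but not capturing payloads.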
Start the DionaeaFR webserver
You can start the DionaeaFR webserver with:
cd /opt/DionaeaFR/
python manage.py collectstatic # type yes when asked
python manage.py runserver 0.0.0.0:8000
Logging
The default Dionaea configuration (as set up by MHN) logs only a limited amount of detail to the text log file. Even if logging to sqlite is enabled, a text log file is useful to grep for patterns (IPs, ...). The log file location is set via file and the level of detail per event is set with levels.
logging = {
    default = {
        file = "/var/dionaea/log/dionaea.log"
        levels = "warning,error,message,info"
        domains = "*"
    }
    ...
}
This log setting will generate large log files, so you'll have to rotate them regularly. Put the following configuration in /etc/logrotate.d/dionaea. Notice that the postrotate script calls supervisorctl because that's how Dionaea is monitored when installed via MHN.
/var/dionaea/log/*.log {
    notifempty
    missingok
    rotate 28
    daily
    delaycompress
    compress
    create 660 root root
    dateext
    postrotate
        supervisorctl restart dionaea
    endscript
}
Update 20141118
Additionally you'll need these packages for a fully functional DionaeaFR.
sudo apt-get install python-pip python-netaddr
sudo apt-get install unzip sqlite
If you get an error concerning mimetype when starting DionaeaFR, you'll have to edit the file graph.py. This is the full error:
Internal Server Error: /graphs/timeline/
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/django/core/handlers/base.py", line 111, in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/opt/DionaeaFR/Web/views/graph.py", line 275, in timeline
    mimetype="application/json"
  File "/usr/local/lib/python2.7/dist-packages/django/http/response.py", line 318, in __init__
    super(HttpResponse, self).__init__(*args, **kwargs)
TypeError: __init__() got an unexpected keyword argument 'mimetype'
Open the file Web/views/graph.py and replace every occurrence of mimetype (mimetype="application/json") with content_type. In vi:
:%s/mimetype/content_type/g
20141130 – Python module promise missing
It is possible that you get an error message for the python module promise.
Error: Cannot find module 'promise'
    at Function.Module._resolveFilename (module.js:338:15)
    ...
You were probably already warned about this issue when you ran npm install -g less:
npm install -g less
npm http GET https://registry.npmjs.org/less
npm http 304 https://registry.npmjs.org/less
npm WARN engine less@2.1.1: wanted: {"node":">=0.10.0"} (current: {"node":"v0.8.16","npm":"1.1.69"})
...
npm WARN optional dep failed, continuing mkdirp@^0.5.0
npm WARN optional dep failed, continuing mime@^1.2.11
...
npm WARN optional dep failed, continuing request@^2.48.0
npm WARN optional dep failed, continuing graceful-fs@^3.0.4
npm WARN optional dep failed, continuing source-map@^0.1.x
npm WARN optional dep failed, continuing promise@^6.0.1
/usr/local/bin/lessc -> /usr/local/lib/node_modules/less/bin/lessc
less@2.1.1 /usr/local/lib/node_modules/less
To solve this you'll have to upgrade node.js. Download the latest node.js source from http://nodejs.org/download/, then extract, compile and install it.
wget http://nodejs.org/dist/v0.10.33/node-v0.10.33.tar.gz
tar xzvf node-v0.10.33.tar.gz
cd node-v0.10.33
./configure
make
make install
and then reinstall less.
npm install -g less
Hi there! Cool blog post 🙂 I’m happy that my guide helped.
I have a question, how do you find MHN so far? It’s the next thing on my list.
Keep up the good work,
Ion.
Hi Ion! Thanks! MHN looks promising but it’s missing some features to drill down on events and export events easily. I find the deploy scripts the most useful part, the other parts still need some work.
Very nice post Koen!
I might have to use this for one of my projects 🙂 Thnx!
Hi Ion! My "DionaeaFR Catches bugs": the bottom of the site shows "%d-%m-%Y", not a date.
How should I deal with
Should be solved with the changes in this pull request:
https://github.com/rubenespadas/DionaeaFR/pull/17/files
Hi, i have a question where is located the file dionaeafr.pid ?
Hi, I got an error when I installed pysubnettree, it shows that:
c++: error: unrecognized command line option '-fstack-protector-strong'
error: command 'c++' failed with exit status 1
Has that ever happened in your installation?
I am getting errors about db file not found
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/__init__.py", line 122, in connect
self.connection = self.get_new_connection(conn_params)
File "/usr/local/lib/python2.7/dist-packages/django/db/backends/sqlite3/base.py", line 374, in get_new_connection
conn = Database.connect(**conn_params)
django.db.utils.OperationalError: unable to open database file
How do you generate the db file, or where can I find it?
Search for logsql.sqlite; put that in the NAME variable in settings.py.
Hi, is there any way to use DionaeaFR to visualize Amun's log files?
I have just loaded this onto a new machine, but now all it shows is Connections and IPs; it is not showing any of the malware analyzed or known, no downloads or URLs. Is this a problem with dionaea or dionaeafr?
Hi,
Thank you very much for this detailed post.
However, is it possible to run DionaeaFR to catch the sqlite logs of more than 1 Dionaea honeypot?
If, let's say, I'm running 2 or 3 separate Dionaea honeypots.
Hi ..
Thank you very much for this post
I get an error, I can't gunzip the files geolitecity and geolitecountry. The error is "not in gzip format". Can you help me?