Deploy dionaea low interactive Honeypot and Record Analysis in detail (1)

Source: Internet
Author: User

Today I happened to see an article published by CCERT of Tsinghua University in China Education News. Original article address: http://wenku.baidu.com/view/827a5417650e52ea55189841.html. The fee is USD 1 ...., so I decided to write a detailed article about deploying and using this honeypot. (I usually need a few days to complete an article; doing it properly is something I like to do.)

=========================================================================

1. A first look at dionaea: is the honeypot really that good?

Dionaea is the successor to nepenthes and is easier to deploy and use. What is a honeypot? It is a system that tempts an attacker into launching an attack and records the attacker's activity. Honeypots are generally divided into two types: high-interaction and low-interaction. A low-interaction honeypot simulates only part of a real operating system, for example a single FTP service. It is easy to set up and maintain, but the simulation may not be convincing enough to attract an attacker, and an attacker who recognises it may bypass it, which makes the honeypot useless in that case. A high-interaction honeypot runs a real operating system with complete services and can be fully compromised; the attacker interacts with a real system. Because it offers real operating-system services and applications, it yields more reliable information about attackers. However, it is much harder to deploy and maintain, and a compromised honeypot can be used to attack other systems on the Internet, so it carries a high risk. We will therefore mainly study the low-interaction honeypot dionaea.

2. Complete installation of dionaea on Ubuntu

First we need to install some programs and libraries that dionaea requires before it can be built.
Create two folders: one for the installation packages and one for the installation path.

root@ruo:/# mkdir /pre            # path of the installation packages
root@ruo:/# mkdir /opt/dionaea    # installation path

Next we start configuring and installing the prerequisites.

1. Pre-install
root@ruo:/# aptitude install libudns-dev libglib2.0-dev libssl-dev libcurl4-openssl-dev \
    libreadline-dev libsqlite3-dev python-dev \
    libtool automake autoconf build-essential \
    subversion git-core \
    flex bison \
    pkg-config

2. libev
root@ruo:/pre# wget http://dist.schmorp.de/libev/Attic/libev-4.04.tar.gz
root@ruo:/pre# tar xfz libev-4.04.tar.gz
root@ruo:/pre# cd libev-4.04
root@ruo:/pre/libev-4.04# ./configure --prefix=/opt/dionaea
root@ruo:/pre/libev-4.04# make install

 

3. liblcfg
root@ruo:/pre# git clone git://git.carnivore.it/liblcfg.git liblcfg
root@ruo:/pre# cd liblcfg/php/
root@ruo:/pre/liblcfg/php# autoreconf -vi
root@ruo:/pre/liblcfg/php# ./configure --prefix=/opt/dionaea
root@ruo:/pre/liblcfg/php# make install

 

4. libssl
root@ruo:/pre# wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz
root@ruo:/pre# tar xfz openssl-1.0.1e.tar.gz
root@ruo:/pre# cd openssl-1.0.1e
root@ruo:/pre/openssl-1.0.1e# ./Configure shared --prefix=/opt/dionaea linux-x86_64
root@ruo:/pre/openssl-1.0.1e# make && make install

 

5. libemu
root@ruo:/pre# git clone git://git.carnivore.it/libemu.git libemu
root@ruo:/pre# cd libemu/
root@ruo:/pre/libemu# autoreconf -vi
root@ruo:/pre/libemu# ./configure --prefix=/opt/dionaea
root@ruo:/pre/libemu# make install

 

6. sqlite 3.3.7
root@ruo:/pre# wget http://ruo.me:9192/dionaea/sqlite-3.3.7.tar.gz
root@ruo:/pre# tar xzf sqlite-3.3.7.tar.gz
root@ruo:/pre# mkdir /home/sqlite-ix86-linux
root@ruo:/pre# cd sqlite-3.3.7
root@ruo:/pre/sqlite-3.3.7# ./configure --prefix=/home/sqlite-ix86-linux
root@ruo:/pre/sqlite-3.3.7# make && make install && make doc
root@ruo:/pre/sqlite-3.3.7# cd /home/sqlite-ix86-linux/bin/
root@ruo:/home/sqlite-ix86-linux/bin# ./sqlite3 ruo.db
SQLite version 3.3.7
Enter ".help" for instructions
sqlite> .quit
root@ruo:/home/sqlite-ix86-linux/bin#
7. Python 3.2
root@ruo:/pre# apt-get install axel
root@ruo:/pre# axel -n 40 http://www.python.org/ftp/python/3.2.2/Python-3.2.2.tgz -o /pre/python.tgz
root@ruo:/pre# tar xfz python.tgz
root@ruo:/pre# cd Python-3.2.2/
root@ruo:/pre/Python-3.2.2# ./configure --enable-shared --prefix=/opt/dionaea --with-computed-gotos --enable-ipv6 LDFLAGS="-Wl,-rpath=/opt/dionaea/lib/ -L/usr/lib/x86_64-linux-gnu/"
root@ruo:/pre/Python-3.2.2# make && make install
root@ruo:/pre/Python-3.2.2# cd /opt/dionaea/bin
root@ruo:/opt/dionaea/bin# ln python3.2 /usr/bin/python3

 

8. cython
root@ruo:/pre# axel -n 40 http://cython.org/release/Cython-0.15.tar.gz -o cython.tar.gz
root@ruo:/pre# tar xfz cython.tar.gz
root@ruo:/pre# cd Cython-0.15/
root@ruo:/pre/Cython-0.15# python3 setup.py install

9. libpcap
root@ruo:/pre# axel -n 40 http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz -o libpcap.tar.gz
root@ruo:/pre# tar xfz libpcap.tar.gz
root@ruo:/pre# cd libpcap-1.1.1/
root@ruo:/pre/libpcap-1.1.1# ./configure --prefix=/opt/dionaea
root@ruo:/pre/libpcap-1.1.1# make && make install

10. libnl
root@ruo:/pre# git clone git://git.infradead.org/users/tgr/libnl.git
root@ruo:/pre# cd libnl
root@ruo:/pre/libnl# autoreconf -vi
root@ruo:/pre/libnl# export LDFLAGS=-Wl,-rpath,/opt/dionaea/lib
root@ruo:/pre/libnl# ./configure --prefix=/opt/dionaea
root@ruo:/pre/libnl# make && make install

 

Now our preparations are finished. Next we configure and install dionaea itself.

Install dionaea
root@ruo:/pre# git clone git://git.carnivore.it/dionaea.git dionaea
root@ruo:/pre# cd dionaea/
root@ruo:/pre/dionaea# autoreconf -vi
root@ruo:/pre/dionaea# ./configure --with-lcfg-include=/opt/dionaea/include/ \
    --with-lcfg-lib=/opt/dionaea/lib/ \
    --with-python=/opt/dionaea/bin/python3.2 \
    --with-cython-dir=/opt/dionaea/bin \
    --with-udns-include=/opt/dionaea/include/ \
    --with-udns-lib=/opt/dionaea/lib/ \
    --with-emu-include=/opt/dionaea/include/ \
    --with-emu-lib=/opt/dionaea/lib/ \
    --with-gc-include=/usr/include/gc \
    --with-ev-include=/opt/dionaea/include \
    --with-ev-lib=/opt/dionaea/lib \
    --with-nl-include=/opt/dionaea/include \
    --with-nl-lib=/opt/dionaea/lib/ \
    --with-curl-config=/usr/bin/ \
    --with-pcap-include=/opt/dionaea/include \
    --with-pcap-lib=/opt/dionaea/lib/
root@ruo:/pre/dionaea# make && make install

 

3. Configuring dionaea

By default dionaea logs everything: debug messages, informational messages, warnings and errors. Since we are only deploying and testing it ourselves, the default log files can grow very large, so we change the log configuration first. The configuration file is /opt/dionaea/etc/dionaea.conf. Find levels = "all" and add -debug so that it reads levels = "all,-debug"; this drops the debug messages. Then find levels = "warning,error", remove the warning, and change it to levels = "error", so that warnings are no longer recorded. The modules themselves will be explained in part (3); I will not go into detail here.

By default dionaea uploads each captured binary to a sandbox for analysis. For efficiency and convenience we configure the Http handler to hand it to our own receiver instead. We use wwwhoney, a small Python-based server that receives the honeypot's Http submissions. Next we install wwwhoney.

root@ruo:/pre# wget http://ruo.me/tools/wwwhoney.tgz
root@ruo:/pre# tar zxvf wwwhoney.tgz
root@ruo:/pre# chmod -R 777 wwwhoney

cgiserver.py is the startup program, but we need to modify its configuration first. Find cgi_directories = ["/cgi-bin/"] and change it to the cgi-bin directory under the wwwhoney directory. For example, my wwwhoney directory is /pre/wwwhoney/, so I changed it to cgi_directories = ["/pre/wwwhoney/cgi-bin/"]. The default port is 9000; you can change it or leave it. Then start it:

root@ruo:/pre/wwwhoney# python cgiserver.py &
[1] 2226

The pid is returned, indicating that the start was successful. Next we open Firefox and visit http://127.0.0.1:9000/; the terminal prints the request data:

root@ruo:/pre/wwwhoney# localhost - - [25/Jul/2013 10:59:13] "GET / HTTP/1.1" 200 -
localhost - - [25/Jul/2013 10:59:17] "GET /favicon.ico HTTP/1.1" 404 -
localhost - - [25/Jul/2013 10:59:22] "GET /binaries/ HTTP/1.1" 200 -
localhost - - [25/Jul/2013 10:59:25] "GET /cgi-bin/ HTTP/1.1" 200 -
localhost - - [25/Jul/2013 10:59:29] "GET /readme HTTP/1.1" 200 -
localhost - - [25/Jul/2013 10:59:32] "GET /submit.html HTTP/1.1" 200 -

Then we start dionaea:

root@ruo:/opt/dionaea/bin# ./dionaea -u nobody -g nogroup -p /opt/dionaea/var/dionaea.pid -D

It prints the following and runs successfully:

Dionaea Version 0.1.0
Compiled on Linux/x86 at Jul 23 2013 13:51:54 with gcc 4.4.3
Started on ruo running Linux/i686 release 2.6.32-21-generic
[25072013 10:32:57] dionaea dionaea.c:245: User nobody has uid 65534
[25072013 10:32:57] dionaea dionaea.c:264: Group nogroup has gid 65534
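The page does not show what wwwhoney does with the binaries the honeypot hands it, so here is an added example of a minimal receiver of that kind. It is not wwwhoney's or dionaea's own code. It assumes the honeypot submits each captured binary as a multipart/form-data POST with the file in a form field named "upfile" (the field name, the JSON reply, and the helper names parse_multipart, store_sample, submit_sample and run_demo are all assumptions made here), and it stores every sample once under its SHA-256 digest, so the same file captured a thousand times costs one file on disk. The client at the bottom is a constructed stand-in for the honeypot's submit handler and uses a constructed payload, not real malware.

```python
import hashlib
import http.client
import json
import os
import secrets
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

FILE_FIELD = "upfile"  # assumed name of the form field carrying the binary


def parse_multipart(content_type, body):
    """Return {field_name: data}; covers what a submit handler sends, not all of RFC 7578."""
    boundary = None
    for param in content_type.split(";")[1:]:
        key, _, value = param.strip().partition("=")
        if key.lower() == "boundary":
            boundary = value.strip('"')
    if not boundary:
        raise ValueError("multipart body without boundary")
    fields = {}
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):  # closing delimiter
            break
        head, sep, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):  # that CRLF belongs to the next delimiter
            data = data[:-2]
        name = head.decode("latin-1").partition(' name="')[2].partition('"')[0]
        if sep and name:
            fields[name] = data
    return fields


def store_sample(root, data):
    """Content-addressed save: one file per distinct sample, named by its SHA-256."""
    digest = hashlib.sha256(data).hexdigest()
    path = os.path.join(root, digest)
    if os.path.exists(path):
        return digest, False  # seen before: nothing written
    tmp = path + ".part"  # write, then rename: never a torn file
    with open(tmp, "wb") as fh:
        fh.write(data)
    os.replace(tmp, path)
    return digest, True


class SubmitHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            data = parse_multipart(self.headers.get("Content-Type", ""), body)[FILE_FIELD]
        except (ValueError, KeyError):
            self.send_error(400, "expected a multipart upload in field %r" % FILE_FIELD)
            return
        digest, is_new = store_sample(self.server.sample_root, data)
        reply = json.dumps({"sha256": digest, "new": is_new, "size": len(data)}).encode()
        self.send_response(201 if is_new else 200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass


def submit_sample(host, port, data, filename="sample.bin"):
    """Client side: the kind of POST a submit handler would send (constructed here)."""
    boundary = "----example-" + secrets.token_hex(8)
    head = (f"--{boundary}\r\nContent-Disposition: form-data; name=\"{FILE_FIELD}\"; "
            f"filename=\"{filename}\"\r\nContent-Type: application/octet-stream\r\n\r\n")
    body = head.encode() + data + f"\r\n--{boundary}--\r\n".encode()
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("POST", "/", body=body, headers={
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body))})
    resp = conn.getresponse()
    status, reply = resp.status, json.loads(resp.read())
    conn.close()
    return status, reply


def run_demo(root=None):
    """Start the receiver on a free port, submit constructed samples, shut it down."""
    root = root or tempfile.mkdtemp(prefix="samples-")
    os.makedirs(root, exist_ok=True)
    server = HTTPServer(("127.0.0.1", 0), SubmitHandler)
    server.sample_root = root
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host, port = server.server_address[:2]
        payload = b"MZ" + bytes(range(256)) * 4  # constructed stand-in, not real malware
        first = submit_sample(host, port, payload)
        again = submit_sample(host, port, payload)  # same bytes again: deduplicated
        other = submit_sample(host, port, b"MZ constructed second sample")
        return {"first": first, "again": again, "other": other, "files": sorted(os.listdir(root))}
    finally:
        server.shutdown()
        server.server_close()
```

Running run_demo() shows the first submission answered with 201 and "new": true, the identical second one with 200 and "new": false, and only two files in the store. Samples are written without the execute bit, and the store directory should live outside any directory the receiver serves, so a captured binary is never handed back out over Http.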

 

This is the end of part (1). In part (2) we will introduce how to use dionaea and make the necessary edits and additions in dionaea.conf so that wwwhoney receives the Http submissions correctly. It will also describe a shorter, simplified installation method suitable for users without any background, since (1) describes the complete installation. Part (3) then describes in detail effective methods for analysing the records, efficient ways of handling duplicate records, and the configuration for GUI display, with illustrations.
