DionaeaFR – A Window Into Your Honeypot

In my previous post, I discussed installing a Dionaea honeypot to catch malware. If you used MHN (also discussed last time) to deploy your Dionaea instance, you are quite limited by the default interface as to the information that you can display about your honeypot traffic.

(Screenshot: MHN_Stats, the default MHN statistics page)

There are a number of “top 5” lists, for instance, and a view of the attacks logged by each sensor. These are nice as far as they go, but there is no way to drill down into the information that is displayed.

The other two settings across the top of the page – Map and Attacks – look promising. However, as I noted in the last post, when I installed it through MHN, my Dionaea honeypot wasn’t logging any attacks (as others have also noted) so this category was essentially useless. As for the map, it doesn’t show previously logged data. It will only show new data that comes in while the map is open. Once you close it, and reopen, you start again with a blank map.

Enter DionaeaFR. Here’s the front page:

(Screenshot: DionaeaFR_4, the DionaeaFR home page)

As you can see, the homepage is nicely laid out. The options in the sidebar are also grouped conveniently.

(Screenshot: DionaeaFR_Sidebar, the DionaeaFR sidebar)

In the Data section, Connections and Downloads display sortable lists that allow you to drill into each entry for much more information. Both lists also accept filters to further refine what is displayed.

The next section, Graphs, is similar to what MHN shows but you have more categories. Depending on the option chosen, you either get a top-10 bar graph or a line graph of the relevant data.

Lastly, the two items in the Maps section will both show you past data as well as real time information.

Altogether, I found DionaeaFR to be head and shoulders above the limited information displayed in the MHN interface. So, let’s get to the installation!

Unfortunately, there isn’t a single document that gives you a foolproof installation guide. The good news is that there are two documents that, when used together, will get you almost 100% to the finish line. I ran into a few glitches while following them but I’ll log my bumps in the road (and their solutions) in this post.

The first post is this one by Ion Koniaris. It’s mostly complete but there are a couple of things that he took for granted.

The second post (found here), is very similar. In fact, he uses Ion’s original post as the template. This post includes a few additional points that may be helpful.

The way I did my install was to use them both side by side and create a superset of the installation commands.

In other words, if I found a command in only one of the documents, I still performed that step. One example is this step, which the first post mentions and the other omits (it’s necessary, by the way, because DionaeaFR writes its pid file there):
mkdir /var/run/dionaeafr        # for DionaeaFR’s pid file

The second post also has a few additions at the end that may answer some questions you may have.

As I mentioned, I ran into a few additional issues while installing. Here they are along with the fixes.

Collectstatic
When I typed the following command (just before starting the actual front-end server):
python manage.py collectstatic

I received the following error: No module named appconf

The fix was:
pip install django-appconf

Runserver Error
When I ran the final command to start the server, I received: AttributeError: 'module' object has no attribute 'IPAddressField'

The fix was to edit the file /opt/DionaeaFR/Web/forms/connection.py and change IPAddressField to GenericIPAddressField. (The Django forms field IPAddressField was deprecated in Django 1.7 and later removed; GenericIPAddressField is its replacement and also accepts IPv6 addresses.)

Connections / Download Options Give An Error
When the interface is up and running, clicking the Connections or Downloads options gives an error referencing the {% nospaceless %} template tag.

The fix is to edit the file /opt/DionaeaFR/DionaeaFR/Templates/table.html and remove the {% nospaceless %} and {% endnospaceless %} tags.

(yep, just delete them, but maybe save a copy of the file somewhere first).
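The two file edits above (the IPAddressField rename and the template-tag removal) are easy to get wrong by hand, and you may end up applying them more than once as you reinstall. The following script is an added example and is not part of the original post or of DionaeaFR; it applies both fixes to a checkout in one re-runnable step, keeps a backup of each file, and fails loudly if the paths are wrong. It assumes the post’s checkout location (/opt/DionaeaFR) and that the offending tags are spelled {% nospaceless %} and {% endnospaceless %}. The demo files at the bottom are constructed for the example, not copied from DionaeaFR.

```shell
#!/bin/sh
# Added example (not from the original post or the DionaeaFR project):
# apply the two source fixes described above to a DionaeaFR checkout in one
# idempotent step. Assumes the post's paths under /opt/DionaeaFR and the
# Django template tags {% nospaceless %} / {% endnospaceless %}.
# The pip side of the fixes (django-appconf etc.) is not repeated here.
set -eu

# _rewrite FILE SED_SCRIPT: rewrite FILE in place, keeping FILE.orig from the first run.
_rewrite() {
    file="$1"; script="$2"
    [ -f "$file.orig" ] || cp "$file" "$file.orig"
    sed -e "$script" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# patch_dionaeafr CHECKOUT_DIR
#   1. Web/forms/connection.py: IPAddressField -> GenericIPAddressField, but only
#      where it is not already part of GenericIPAddressField (so reruns are no-ops)
#   2. DionaeaFR/Templates/table.html: drop the {% nospaceless %} / {% endnospaceless %} tags
#   Returns 1 if either file is missing, so a wrong checkout path fails instead of
#   silently doing nothing.
patch_dionaeafr() {
    root="$1"
    forms="$root/Web/forms/connection.py"
    table="$root/DionaeaFR/Templates/table.html"
    for f in "$forms" "$table"; do
        if [ ! -f "$f" ]; then
            echo "patch_dionaeafr: missing $f" >&2
            return 1
        fi
    done
    _rewrite "$forms" 's/\([^A-Za-z]\)IPAddressField/\1GenericIPAddressField/g'
    _rewrite "$table" 's/{% *endnospaceless *%}//g; s/{% *nospaceless *%}//g'
}

# count_matches FILE PATTERN: number of lines in FILE matching PATTERN (0 if none).
count_matches() {
    grep -c -- "$2" "$1" || true
}

# Demo on a constructed mini-checkout so the script runs offline; point
# patch_dionaeafr at /opt/DionaeaFR for the real thing.
DEMO="$(mktemp -d)"
mkdir -p "$DEMO/Web/forms" "$DEMO/DionaeaFR/Templates"
cat > "$DEMO/Web/forms/connection.py" <<'EOF'
from django import forms

class ConnectionFilterForm(forms.Form):
    remote_host = forms.IPAddressField(required=False)
    local_host = forms.IPAddressField(required=False)
EOF
cat > "$DEMO/DionaeaFR/Templates/table.html" <<'EOF'
{% load django_tables2 %}
{% nospaceless %}
<table class="table">{% block table.tbody %}{% endblock %}</table>
{% endnospaceless %}
EOF

patch_dionaeafr "$DEMO"
patch_dionaeafr "$DEMO"   # second run must change nothing
echo "GenericIPAddressField lines: $(count_matches "$DEMO/Web/forms/connection.py" 'GenericIPAddressField')"
echo "nospaceless tags left:       $(count_matches "$DEMO/DionaeaFR/Templates/table.html" 'nospaceless')"
```

Run it once against the real checkout after cloning and before `python manage.py collectstatic`; the `.orig` copies are the "save a copy somewhere first" from above, so you can diff them if a later DionaeaFR or Django change needs a different edit.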

Virustotal API
If you want VirusTotal to identify the malware you capture, you first need a VirusTotal API key; signing up for a VirusTotal account gets you one. Once you have the key, go to the folder /opt/dionaea/etc/dionaea/ihandlers-available and edit the file named virustotal.yaml. Paste your API key in the indicated place, then save and exit. Keep in mind that files submitted to VirusTotal are shared with its partners, so think twice if a capture could contain data from your own environment.

Change directories to /opt/dionaea/etc/dionaea/ihandlers-enabled

Now, you need to create a symbolic link here to the modified virustotal.yaml file like this:

ln -s ../ihandlers-available/virustotal.yaml virustotal.yaml

Restart dionaea so the handler is loaded; newly captured malware should then be submitted to VirusTotal and identified.
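The symlink step is simple, but two things go wrong in practice: the ihandlers-available folder is not where you expect it (see the comments below), or the placeholder key is never replaced and nothing gets classified. The script below is an added example, not from the post or from dionaea; it enables an ihandler the way the steps above do, but refuses to proceed if the source file is missing, is safe to run twice, and checks that the apikey line actually holds a key. It assumes dionaea’s ihandlers-available/ and ihandlers-enabled/ directories sit side by side under the etc directory (/opt/dionaea/etc/dionaea in the post), that the YAML contains a line of the form `apikey: "..."`, and that a VirusTotal API key is 64 hex characters. The YAML at the bottom is a constructed stand-in for virustotal.yaml.

```shell
#!/bin/sh
# Added example (not from the original post or from dionaea): enable the
# VirusTotal ihandler as described above, with the checks you want before
# trusting that samples are being submitted. Assumptions: ihandlers-available/
# and ihandlers-enabled/ are siblings under ETC_DIR, the YAML has a line of the
# form `apikey: "..."`, and a VirusTotal key is 64 hex characters.
set -eu

# enable_ihandler ETC_DIR NAME
#   Creates ihandlers-enabled/NAME.yaml -> ../ihandlers-available/NAME.yaml.
#   Fails (rather than silently doing nothing) when the source file is missing,
#   and when something other than the expected link already occupies the target.
#   Calling it again for an already enabled handler is a no-op.
enable_ihandler() {
    etc="$1"; name="$2"
    src="$etc/ihandlers-available/$name.yaml"
    dst="$etc/ihandlers-enabled/$name.yaml"
    target="../ihandlers-available/$name.yaml"
    if [ ! -f "$src" ]; then
        echo "enable_ihandler: $src not found; is $etc really dionaea's etc dir?" >&2
        return 1
    fi
    mkdir -p "$etc/ihandlers-enabled"
    if [ -L "$dst" ]; then
        [ "$(readlink "$dst")" = "$target" ] && return 0
        echo "enable_ihandler: $dst already exists and points elsewhere" >&2
        return 1
    elif [ -e "$dst" ]; then
        echo "enable_ihandler: $dst exists and is not a symlink" >&2
        return 1
    fi
    ln -s "$target" "$dst"
}

# set_vt_key FILE KEY: replace whatever follows `apikey:` with KEY (hex only;
# a key containing / or & would need escaping for sed).
set_vt_key() {
    sed -e "s/^\([[:space:]]*apikey:[[:space:]]*\).*/\1\"$2\"/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# vt_key_configured FILE: true only if the apikey value looks like a real key
# (64 hex characters), so a leftover placeholder is caught up front.
vt_key_configured() {
    grep -Eq '^[[:space:]]*apikey:[[:space:]]*"?[0-9a-fA-F]{64}"?[[:space:]]*$' "$1"
}

# Demo on a constructed etc directory; use /opt/dionaea/etc/dionaea for real.
ETC="$(mktemp -d)"
mkdir -p "$ETC/ihandlers-available"
cat > "$ETC/ihandlers-available/virustotal.yaml" <<'EOF'
# constructed stand-in for dionaea's virustotal.yaml; other settings omitted
- name: virustotal
  config:
    apikey: "PASTE_YOUR_KEY_HERE"
EOF
if vt_key_configured "$ETC/ihandlers-available/virustotal.yaml"; then BEFORE=0; else BEFORE=1; fi
FAKE_KEY="$(printf '%064d' 0)"   # 64 zeros: the right shape, obviously not a real key
set_vt_key "$ETC/ihandlers-available/virustotal.yaml" "$FAKE_KEY"
enable_ihandler "$ETC" virustotal
if vt_key_configured "$ETC/ihandlers-enabled/virustotal.yaml"; then AFTER=0; else AFTER=1; fi
echo "apikey before: $BEFORE (1 = placeholder still present), after: $AFTER (0 = looks like a key)"
ls -l "$ETC/ihandlers-enabled/"
```

Because the check reads the file through the symlink in ihandlers-enabled/, a passing result means both halves of the step are done: the link resolves and the key is in place. Restart dionaea afterwards, since ihandlers are loaded at startup.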

Hopefully, this will help you get your DionaeaFR front-end up and running. Please email me if I can help you at executemalware@gmail.com.

6 thoughts on “DionaeaFR – A Window Into Your Honeypot”

  1. mauronz

    Hi! Nice writeup, very helpful for a beginner malware analyst (like myself 😀 ). Just a quick note: DionaeaFR does not support the current version of Django (1.10), so you need to use an older one, like 1.8.

    1. executemalware@gmail.com Post author

      Thanks! Yes, you’re absolutely correct. I’ve recently had to be sure to use Django-1.8. Basically, from the original instructions, I’ve also had to run the following:

      pip install django==1.8
      pip install django-filter
      pip install -U six

      This was helpful for a while but on even more recent installs, I still have trouble with the Connections and Downloads links. I guess that’s what happens when the software is no longer maintained but the underlying software packages are moving forward. 🙂

      I’m currently working on setting up a local ELK stack to do my visualizations. I’m almost finished so I’ll have a new blog article soon.

  2. manish singh

    problem 1: Hi!! On installing DionaeaFR, all things go right, but when I try to open Connections and Downloads in the browser it shows the error: data must be QuerySet-like (have count() and order_by()) or support list(data) — DownloadFilter has neither

    Exception Location: /usr/local/lib/python2.7/dist-packages/django_tables2-1.4.2-py2.7.egg/django_tables2/tables.py in from_data, line 68
    Your help would be very appreciated!!!
    problem 2:
    When trying to set up the VirusTotal API, there is no /opt/dionaea/etc/dionaea/ihandlers-available folder or file.

    1. executemalware@gmail.com Post author

      If you look at the end of the DionaeaFR blog post, I address some of the oddities that I encountered. There’s a section called “Connections/Download Options Give An Error”. Did you get rid of the {% nospaceless %} and {% endnospaceless %} tags as mentioned?

      As for the VirusTotal API key, I’m not sure why you don’t have that folder. That folder usually contains the dionaea.cfg file as well as the ihandlers and services folders (2 each).

      One of the problems with running both DionaeaFR and Kippo-Graph (for a Kippo or Cowrie honeypot) is that neither of them really seems to be in active development anymore. As the dependency packages are upgraded, they can sometimes break the functionality of these visualization tools. I hope to have a new blog very soon on how I’m currently trying to get around those issues with honeypot visualizations. Stay tuned!
