In my previous post, I discussed installing a Dionaea honeypot to catch malware. If you used MHN (also discussed last time) to deploy your Dionaea instance, the default interface is quite limited in what it can show you about your honeypot traffic.
There are a number of "top 5" lists, for instance. You can also get a view of attacks logged by each sensor. While these are all nice, there's really no way to drill down into the information that's displayed.
The other two settings across the top of the page – Map and Attacks – look promising. However, as I noted in the last post, when I installed it through MHN, my Dionaea honeypot wasn’t logging any attacks (as others have also noted) so this category was essentially useless. As for the map, it doesn’t show previously logged data. It will only show new data that comes in while the map is open. Once you close it, and reopen, you start again with a blank map.
Enter DionaeaFR. Here's the front page:
The homepage is nicely laid out, and the options in the sidebar are grouped conveniently.
In the Data section, Connections and Downloads display sortable lists that let you drill into the data for much more information. You can also apply filters to these two lists to further refine what is displayed.
The next section, Graphs, is similar to what MHN shows but you have more categories. Depending on the option chosen, you either get a top-10 bar graph or a line graph of the relevant data.
Lastly, the two items in the Maps section will both show you past data as well as real time information.
Altogether, I found DionaeaFR to be head and shoulders above the limited information displayed in the MHN interface. So, let's get to the installation!
Unfortunately, there isn’t a single document that gives you a foolproof installation guide. The good news is that there are two documents that, when used together, will get you almost 100% to the finish line. I ran into a few glitches while following them but I’ll log my bumps in the road (and their solutions) in this post.
The first post is this one by Ion Koniaris. It’s mostly complete but there are a couple of things that he took for granted.
The second post (found here), is very similar. In fact, he uses Ion’s original post as the template. This post includes a few additional points that may be helpful.
The way I did my install was to use them both side by side and create a superset of the installation commands.
In other words, if I found a command in only one of the documents, I still performed that step. One example is this step, which the first post mentions and the other omits (it's necessary, by the way):
mkdir /var/run/dionaeafr  # for DionaeaFR's pid file
The second post also has a few additions at the end that may answer some questions you may have.
As I mentioned, I ran into a few additional issues while installing. Here they are along with the fixes.
When I typed the following command (just before starting the actual front-end server):
python manage.py collectstatic
I received the following error: No module named appconf
The fix was:
pip install django-appconf
When I ran the final command to start the server, I received: AttributeError: 'module' object has no attribute 'IPAddressField'
The fix was to edit the file /opt/DionaeaFR/Web/forms/connection.py and change IPAddressField to GenericIPAddressField. (Newer Django releases dropped forms.IPAddressField in favour of GenericIPAddressField, which accepts both IPv4 and IPv6 addresses.)
Connections / Download Options Give An Error
When the interface is up and running, clicking the Connections or Downloads options gives an error referencing {% nospaceless %}.
The fix is to edit the file /opt/DionaeaFR/DionaeaFR/Templates/table.html and remove the {% nospaceless %} and {% endnospaceless %} tags.
(Yep, just delete them, but save a copy of the file somewhere first.)
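The three fixes above are easy to get slightly wrong by hand (a global replace of IPAddressField, for instance, will happily turn an already-correct GenericIPAddressField into GenericGenericIPAddressField). The script below is an added example, not code from the original post or from the DionaeaFR project; it applies the same three fixes idempotently, keeps a .bak copy of each file it touches, and assumes the /opt/DionaeaFR layout and file names given above.

```shell
#!/bin/sh
# Added example (not from the original post or the DionaeaFR project): apply the
# three post-install fixes from the post in one idempotent, re-runnable step.
# Assumption: DionaeaFR is checked out at /opt/DionaeaFR with the file layout
# named in the post (Web/forms/connection.py, DionaeaFR/Templates/table.html).
set -eu

DIONAEAFR_ROOT="${DIONAEAFR_ROOT:-/opt/DionaeaFR}"

# Edit a file in place via a temp file (portable across GNU/BSD sed) and keep a
# .bak copy the first time round, as the post suggests before deleting tags.
edit_in_place() {
    f="$1"; shift
    [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
    [ -f "$f.bak" ] || cp -p "$f" "$f.bak"
    sed "$@" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Fix 2: forms.IPAddressField no longer exists in newer Django; use
# GenericIPAddressField. Replacing and then collapsing the doubled prefix keeps
# the edit correct when the file is already fixed or partially fixed.
fix_ipaddressfield() {
    edit_in_place "$1/Web/forms/connection.py" \
        -e 's/IPAddressField/GenericIPAddressField/g' \
        -e 's/GenericGenericIPAddressField/GenericIPAddressField/g'
}

# Fix 3: drop the {% nospaceless %} / {% endnospaceless %} tags (they came from
# an older django-tables2 release); the rest of each line is left intact.
fix_nospaceless() {
    edit_in_place "$1/DionaeaFR/Templates/table.html" \
        -e 's/{%[[:space:]]*nospaceless[[:space:]]*%}//g' \
        -e 's/{%[[:space:]]*endnospaceless[[:space:]]*%}//g'
}

# Both source fixes; returns non-zero if either file is missing.
fix_dionaeafr_sources() {
    fix_ipaddressfield "$1" && fix_nospaceless "$1"
}

# Fix 1 (the missing module), the pid directory from the install notes, the
# source fixes, and collectstatic. Runs only with --apply so that sourcing this
# file to reuse the functions has no side effects.
if [ "${1:-}" = "--apply" ]; then
    pip install django-appconf
    mkdir -p /var/run/dionaeafr
    fix_dionaeafr_sources "$DIONAEAFR_ROOT"
    (cd "$DIONAEAFR_ROOT" && python manage.py collectstatic --noinput)
fi
```

Run it as `sh fix_dionaeafr.sh --apply` (as the user that owns /opt/DionaeaFR), then start the server as the guides describe. If it reports a missing file, the checkout layout differs from the one assumed here; check the paths before editing anything.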
If you want to use VirusTotal to identify the malware you capture, you first need a VirusTotal API key; signing up for a VirusTotal account gets you a free public one (it is rate-limited, but fine for a single sensor). Be aware that the handler queries VirusTotal for each captured sample and submits samples it does not already know, so whatever your honeypot catches is shared with VirusTotal and its partner vendors. Once you have the API key, go to the folder /opt/dionaea/etc/dionaea/ihandlers-available and edit the file named virustotal.yaml. Paste your API key in the indicated place. Save and exit.
Change directories to /opt/dionaea/etc/dionaea/ihandlers-enabled
Now, you need to create a symbolic link here to the modified virustotal.yaml file like this:
ln -s ../ihandlers-available/virustotal.yaml virustotal.yaml
Restart dionaea so it loads the new handler. Your newly captured malware should then be identified.
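Since the API key is a credential, it is worth not typing it on a command line (where it lands in shell history and in ps output) and making the enable step safe to repeat. The function below is an added example, not code from the original post or from the dionaea project. It assumes the /opt/dionaea/etc/dionaea layout above, that virustotal.yaml carries the key on a line of the form "apikey: ..." (check your copy of the file first), that VirusTotal keys are 64 hex characters (used only as a sanity check), and that the key is supplied in the VT_API_KEY environment variable.

```shell
#!/bin/sh
# Added example (not from the original post or the dionaea project): enable the
# VirusTotal ihandler with the key taken from the environment, idempotently.
# Assumptions: config under /opt/dionaea/etc/dionaea as in the post; the yaml
# has a line matching "apikey:" (stock layout, verify yours); key in VT_API_KEY.
set -eu

DIONAEA_ETC="${DIONAEA_ETC:-/opt/dionaea/etc/dionaea}"

enable_virustotal_handler() {
    etc="${1:-$DIONAEA_ETC}"
    avail="$etc/ihandlers-available/virustotal.yaml"
    link="$etc/ihandlers-enabled/virustotal.yaml"
    key="${VT_API_KEY:-}"

    # The key comes from the environment, not argv, so it does not end up in
    # shell history or ps listings. Format check: 64 lowercase hex characters
    # (assumed shape of a VirusTotal API key; a paste error fails here, not
    # later as a silent 403 from the API).
    if ! printf '%s' "$key" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "VT_API_KEY is missing or is not a 64-hex-character key" >&2
        return 1
    fi
    [ -f "$avail" ] || { echo "missing $avail" >&2; return 1; }

    # Put the key on the apikey: line, replacing whatever placeholder is there.
    # Edit via a temp file so a failed sed never leaves a truncated config.
    sed "s/^\([[:space:]]*apikey:\).*/\1 \"$key\"/" "$avail" > "$avail.tmp" \
        && mv "$avail.tmp" "$avail"

    # Same relative symlink as in the post; -e fails on a dangling link, so
    # also test -L to avoid a second ln erroring out on re-runs.
    if [ ! -e "$link" ] && [ ! -L "$link" ]; then
        ln -s ../ihandlers-available/virustotal.yaml "$link"
    fi
    echo "virustotal handler enabled; restart dionaea to load it"
}

# Usage, with the key kept in a root-only file rather than on the command line:
#   VT_API_KEY="$(cat /root/.vt_api_key)" sh enable_vt.sh --apply
if [ "${1:-}" = "--apply" ]; then
    enable_virustotal_handler "$DIONAEA_ETC"
fi
```

After it runs, the key sits in plain text in virustotal.yaml, so restrict that file to root and the account dionaea runs as, and remember that the handler uploads unknown samples to VirusTotal as soon as dionaea is restarted.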
Hopefully, this will help you get your DionaeaFR front-end up and running. Please email me if I can help you at firstname.lastname@example.org.