Hello readers and honeypot enthusiasts. As I was writing a couple of articles on basic malware analysis, I noticed today that a new visualization tool was released for the Dionaea malware honeypot! In fact I had in mind to develop something along the lines of Kippo-Graph for Dionaea as well, so I am very happy to have stumbled upon it (mostly by accident).
The tool is called DionaeaFR and I’ve found it really helpful in the analysis phase of a honeypot’s activity. It provides a general overview of the malicious connections, but it can also zoom in on individual attacks. The fact that it’s an aesthetically pleasing utility is also a big plus in my book. The only downside I’ve found is that it couldn’t process a rather large database I had (around 500 MB, which by the way is normal for Dionaea). The webserver it deploys was being killed after a while, but this could be due to the quite low specs of my VPS.
DionaeaFR is written in Python, uses the Django framework and a number of other libraries, mostly client-side JS. It is maintained by Ruben Espadas. Let me guide you through its installation procedure. It is presumed that you already have Dionaea installed, following its installation guide.
1) Install pip (Python package manager) and python-netaddr package:
apt-get install python-pip python-netaddr
2) Continue with the prerequisites using pip for automated installation:
pip install Django
pip install pygeoip
pip install django-pagination
pip install django-tables2
pip install django-compressor
pip install django-htmlmin
3) Get and install django-tables2-simplefilter manually:
cd /opt/
wget https://github.com/benjiec/django-tables2-simplefilter/archive/master.zip -O django-tables2-simplefilter.zip
unzip django-tables2-simplefilter.zip
mv django-tables2-simplefilter-master/ django-tables2-simplefilter/
cd django-tables2-simplefilter/
python setup.py install
4) Download and install PySubnetTree:
cd /opt/
git clone https://github.com/bro/pysubnettree.git
cd pysubnettree/
python setup.py install
5) Compile and install Node.js from sources:
cd /opt/
wget http://nodejs.org/dist/v0.8.16/node-v0.8.16.tar.gz
tar xzvf node-v0.8.16.tar.gz
cd node-v0.8.16
./configure
make
make install
6) Install LESS and promise using npm (Node.js package manager):
npm install -g less
npm install -g promise
7) Download DionaeaFR itself:
cd /opt/
wget https://github.com/RootingPuntoEs/DionaeaFR/archive/master.zip -O DionaeaFR.zip
unzip DionaeaFR.zip
mv DionaeaFR-master/ DionaeaFR
8) Get Maxmind’s GeoIP and GeoLite databases for DionaeaFR:
cd /opt/
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
gunzip GeoLiteCity.dat.gz
gunzip GeoIP.dat.gz
mv GeoIP.dat DionaeaFR/DionaeaFR/static
mv GeoLiteCity.dat DionaeaFR/DionaeaFR/static
9) Copy and edit the sample settings file:
cp /opt/DionaeaFR/DionaeaFR/settings.py.dist /opt/DionaeaFR/DionaeaFR/settings.py
nano /opt/DionaeaFR/DionaeaFR/settings.py
There you’ll want to change line 18, which points to Dionaea’s SQLite database.
10) We are ready to start the webserver:
mkdir /var/run/dionaeafr #for DionaeaFR's pid file
cd /opt/DionaeaFR/
python manage.py collectstatic #type yes when asked
python manage.py runserver 0.0.0.0:8000
The interface is now accessible at: http://SERVER-REMOTE-IP:8000
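Before starting the webserver it is worth confirming that steps 7 to 10 actually left everything where DionaeaFR expects it. The following pre-flight check is an added example written for this article, not part of DionaeaFR; it assumes the /opt/DionaeaFR layout from the steps above and that settings.py names the Dionaea SQLite file as a quoted path ending in .sqlite (an assumption about the settings format, adjust if yours differs).

```shell
#!/bin/sh
# Added example (not DionaeaFR's own code): sanity-check a DionaeaFR install
# laid out as in the steps above before running manage.py runserver.
#
# check_dionaeafr [ROOT] [PIDDIR]
#   ROOT   - DionaeaFR checkout, default /opt/DionaeaFR (assumed layout)
#   PIDDIR - pid directory created in step 10, default /var/run/dionaeafr
# Prints one line per problem; returns 0 only if everything is in place.
check_dionaeafr() {
    root="${1:-/opt/DionaeaFR}"
    piddir="${2:-/var/run/dionaeafr}"
    status=0

    # Files produced by steps 7 (unzip), 8 (GeoIP data) and 9 (settings copy)
    for f in "$root/manage.py" \
             "$root/DionaeaFR/settings.py" \
             "$root/DionaeaFR/static/GeoIP.dat" \
             "$root/DionaeaFR/static/GeoLiteCity.dat"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f"
            status=1
        fi
    done

    # Step 10 creates the pid directory by hand; runserver needs it writable
    if [ ! -d "$piddir" ] || [ ! -w "$piddir" ]; then
        echo "pid directory missing or not writable: $piddir"
        status=1
    fi

    # Step 9: the edited settings.py must point at a readable Dionaea SQLite db.
    # Assumption: the path appears as the first quoted string ending in .sqlite.
    if [ -f "$root/DionaeaFR/settings.py" ]; then
        db=$(sed -n "s/.*['\"]\([^'\"]*\.sqlite\)['\"].*/\1/p" \
                 "$root/DionaeaFR/settings.py" | head -n 1)
        if [ -z "$db" ]; then
            echo "no .sqlite path found in settings.py (did you edit line 18?)"
            status=1
        elif [ ! -r "$db" ]; then
            echo "Dionaea database not readable: $db"
            status=1
        fi
    fi
    return $status
}

# Usage: check_dionaeafr && cd /opt/DionaeaFR && python manage.py runserver 0.0.0.0:8000
```

Run it as root (or as the user that will run the webserver) so the readability checks reflect the permissions runserver will actually have.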
Let’s take a closer look at a small dataset created after four hours on a low-end VPS…