In the first part of the “Building a Honeypot to Catch Zero-Day Exploits” series, we downloaded and configured the Dionaea honeypot. What makes Dionaea different from other honeypots is its ability to capture exploits. We had installed the honeypot in the previous guide, but had not configured it yet.
In the second part of our guide, we will configure Dionaea to prepare it for capturing exploits. I started this series by setting up Dionaea on an Ubuntu 14.04 desktop system, so we'll continue on Ubuntu, although Dionaea runs on many Linux distributions.
Step 1: Open the Dionaea configuration file
The first step is to open the Dionaea configuration file. First navigate to the directory /etc/dionaea.
ubuntu > cd /etc/dionaea
When you do a long listing (ls -l) of this directory, you will see the file dionaea.conf. Let's open this file with a text editor. In Ubuntu, we have several options. In this case, I used Leafpad, but gedit, Vim, or any other text editor will work.
ubuntu > leafpad dionaea.conf
Step 2: Set up Logs
In its default configuration, Dionaea will generate a bunch of log files in a production environment. In some cases, you will see multiple gigabytes per day of log files. To prevent this, we need to set the logging to only log "error" priorities.
To do this, we need to navigate down to the logging section of the configuration file. There you will find two lines that set the log priority levels (they are circled in the original screenshot). Change both from "warning,error" to just "error".
Step 3: Interface and IP section
Then go to the listen and interface section of the configuration file. We want the listen mode set to "manual" and the address left as "any". This will allow Dionaea to capture on the interface of your choice (eth0) regardless of the IP address assigned to it.
If you want Dionaea to listen on only one IP address, you can put that IP address in the line below, replacing the "::" part.
addrs = {eth0 = "::"}
As you may know, "::" is the IPv6 notation for the unspecified address, so binding to it makes Dionaea listen on every address assigned to eth0.
Step 4: Modules
Next, we need to tell Dionaea which modules we want it to run.
Leave the defaults here, but note that "virustotal" is among the enabled handlers. With it enabled, Dionaea can be set to submit any malware it catches to VirusTotal. Let's leave it enabled.
Also note that we will be using one of our favorite tools, p0f, for operating system fingerprinting. Finally, we have "logsql" enabled, which lets Dionaea create and use a SQLite database. This will improve our ability to manage activity from our sensor by putting the data into a SQLite database.
Step 5: Services
Just below the modules, we have a section that details the services we want to run. Note that Dionaea by default is configured to run http, https, tftp, ftp, mirror, smb, epmap, sip, mssql and mysql.
I recommend that you disable http and https, as they are not likely to fool many attackers and may, in fact, give the system away as a honeypot. Leave the rest, as they represent vulnerable services that can be attacked.
Step 6: Try Dionaea
Finally, to test our new configuration we need to run Dionaea. The command below runs it as the unprivileged user nobody in group nogroup, with /opt/dionaea as its working directory and a PID file written under /opt/dionaea/run. We can do this by typing:
ubuntu> dionaea -u nobody -g nogroup -w /opt/dionaea -p /opt/dionaea/run/dionaea.pid
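Before (or after) launching Dionaea, it is worth checking that the edits from steps 2 to 5 actually took effect, since a missed "levels" line or a leftover "http" entry is easy to overlook in a long configuration file. The script below is an added example, not part of the original guide or of the Dionaea project. It assumes the older Lua-style dionaea.conf layout (key = "value" lines and key = [ "a", "b" ] lists), embeds a constructed sample in that layout, audits it against the four edits, and shows a harden() helper that applies them; the regexes are a simplification and the sample values are constructed, so check them against your own file.

```python
import re

# Constructed sample of a dionaea.conf BEFORE the edits in this guide.
# The layout (key = "value", key = [ ... ]) is an assumption about the
# older config format; adjust the regexes if your file differs.
SAMPLE_CONF = '''
logging = {
    default = {
        filename = "/opt/dionaea/var/log/dionaea.log"
        levels = "all"
        domains = "*"
    }
    errors = {
        filename = "/opt/dionaea/var/log/dionaea-errors.log"
        levels = "warning,error"
        domains = "*"
    }
}
listen = {
    mode = "getifaddrs"
    addrs = { eth0 = ["::"] }
}
modules = {
    python = {
        ihandlers = {
            handlers = ["ftpdownload", "tftpdownload", "store", "logsql", "p0f", "virustotal"]
        }
        services = {
            serve = ["http", "https", "tftp", "ftp", "mirror", "smb", "epmap", "sip", "mssql", "mysql"]
        }
    }
}
'''

_STRING = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)   # key = "value"
_LIST = re.compile(r'^\s*(\w+)\s*=\s*\[([^\]]*)\]', re.M)   # key = [ "a", "b" ]


def parse_conf(text):
    """Return (strings, lists) as ordered (key, value) pairs.

    Pairs rather than a dict because the same key (e.g. 'levels')
    appears once per logging block and every occurrence matters."""
    strings = _STRING.findall(text)
    lists = []
    for key, body in _LIST.findall(text):
        items = [s.strip().strip('"') for s in body.split(',') if s.strip()]
        lists.append((key, items))
    return strings, lists


def audit(text):
    """Return a list of findings; an empty list means all four edits are in place."""
    strings, lists = parse_conf(text)
    findings = []
    # Step 2: every 'levels' line should be exactly "error" to keep logs small.
    for key, value in strings:
        if key == 'levels' and value != 'error':
            findings.append(f'logging: levels = "{value}" (expected "error")')
    # Step 3: listen mode must be "manual" so the interface is fixed regardless of IP.
    modes = [value for key, value in strings if key == 'mode']
    if 'manual' not in modes:
        findings.append(f'listen: mode = {modes} (expected "manual")')
    # Step 4: the handlers the guide relies on must still be enabled.
    handlers = next((items for key, items in lists if key == 'handlers'), [])
    for wanted in ('logsql', 'p0f', 'virustotal'):
        if wanted not in handlers:
            findings.append(f'modules: handler "{wanted}" not enabled')
    # Step 5: http/https are a giveaway and should be removed from 'serve'.
    serve = next((items for key, items in lists if key == 'serve'), [])
    for noisy in ('http', 'https'):
        if noisy in serve:
            findings.append(f'services: "{noisy}" still served (recommended off)')
    return findings


def harden(text):
    """Apply the guide's edits to the config text and return the result."""
    text = re.sub(r'^(\s*levels\s*=\s*)"[^"]*"', r'\1"error"', text, flags=re.M)
    text = re.sub(r'^(\s*mode\s*=\s*)"[^"]*"', r'\1"manual"', text, flags=re.M)

    def drop_web(match):
        items = [s.strip() for s in match.group(2).split(',') if s.strip()]
        kept = [s for s in items if s.strip('"') not in ('http', 'https')]
        return match.group(1) + ', '.join(kept) + ']'

    return re.sub(r'^(\s*serve\s*=\s*\[)([^\]]*)\]', drop_web, text, flags=re.M)


if __name__ == '__main__':
    for line in audit(SAMPLE_CONF):
        print('BEFORE:', line)
    print('AFTER :', audit(harden(SAMPLE_CONF)) or 'no findings')
```

Running the script lists five findings for the constructed sample (two log levels, the listen mode, and the two web services) and none after harden(); to audit a real file, read /etc/dionaea/dionaea.conf into a string and pass it to audit() instead of SAMPLE_CONF.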
Now that Dionaea is running successfully, we can move on to the next step, capturing and analyzing malware with Dionaea.
