/**
 * Log sinks. Each target names a file, the levels kept and the domains
 * (log sources; "*" = all). A file not starting with / is taken relative to
 * LOCALESTATEDIR (e.g. /opt/dionaea/var); both paths below are absolute.
 * Both targets currently use identical levels and domains, so
 * dionaea-errors.log is a byte-for-byte duplicate of dionaea.log -- presumably
 * the second one was meant to carry "error" only.
 */
logging = {
default = {
file = "/var/dionaea/log/dionaea.log"
levels = "warning,error"
domains = "*"
}
errors = {
file = "/var/dionaea/log/dionaea-errors.log"
levels = "warning,error"
domains = "*"
}
}
/**
 * Processor chain run on every connection. Each "filter-*" stage selects
 * connections by protocol/type and hands the matches to the stage under
 * "next".
 */
processors =
{
/* run the shellcode emulator only for the service protocols listed here */
filter-emu =
{
config = {
allow = [{ protocol = ["smbd","epmapper","nfqmirrord","mssqld"] }]
}
next = {
emu =
{
config = {
emulation = {
/*
 * caps on emulated execution of captured shellcode. Judging by the names:
 * counts (files, sockets), bytes (filesize), seconds (sustain, idle, listen,
 * cpu) and instruction steps -- confirm the units against the emu module
 * before tuning. These bound how much work an attacker's payload can make
 * the sensor do, so raise them with care.
 */
limits = {
files = "3"
filesize = "524288" // 512 * 1024
sockets = "3"
sustain = "120"
idle = "30"
listen = "30"
cpu = "120"
steps = "1073741824" // 1024 * 1024 * 1024
}
/**
 * api default arguments for development
 * disabled by default
 * not working yet
 * (nothing in this file toggles it; "disabled" is presumably enforced in code)
 */
api = {
connect = {
host = "127.0.0.1"
port = "4444"
}
}
}
}
}
}
}
/* dump the raw byte streams of accepted connections and of outgoing ftp
 * control connections, except the bulk ftp data / xmpp streams under deny */
filter-streamdumper =
{
config = {
allow = [
{ type = ["accept"] }
{ type = ["connect"] protocol=["ftpctrl"] }
]
deny = [
{ protocol = ["ftpdata", "ftpdatacon","xmppclient"] }
]
}
next = {
streamdumper = {
config = {
// strftime-expanded, one directory per day; presumably relative to
// LOCALESTATEDIR like the other relative paths in this file
path = "bistreams/%Y-%m-%d/"
}
}
}
}
/* disabled: would raise python incidents for ftpctrl / remoteshell sessions */
/* filter-sessions =
{
config = {
allow = [ { protocol = ["ftpctrl","remoteshell"] } ]
}
next = {
python = {
incident = "true"
}
}
}
*/
}
/**
 * where captured binaries land (relative path, presumably under
 * LOCALESTATEDIR). Everything in here is attacker-supplied malware: never
 * serve or execute it from this host, and keep the directory off any
 * shared/synced filesystem. Files are written with tmp-suffix first and
 * presumably renamed once complete.
 */
downloads =
{
dir = "binaries"
tmp-suffix = ".tmp"
}
/**
 * directory for the bi-directional stream dumps written by the python
 * side (the streamdumper processor above uses its own path). Dumps contain
 * the full attacker traffic, including any credentials they sent.
 */
bistreams =
{
python =
{
dir = "bistreams"
}
}
/**
 * sample submission targets. If a submit handler is enabled, every captured
 * binary is POSTed in the clear (plain http) to each url, together with the
 * contact email -- the samples and the sensor's address are thereby disclosed
 * to those third parties. No handler named "submit" appears in
 * modules.python.ihandlers below, so as configured this section is presumably
 * inert; review it before enabling one.
 */
submit =
{
defaults = {
urls = ["http://anubis.iseclab.org/nepenthes_action.php",
"http://onlineanalyzer.norman.com/nepenthes_upload.php",
"http://luigi.informatik.uni-mannheim.de/submit.php?action=verify"]
email = "[email protected]"
file_fieldname = "upfile"
MAX_FILE_SIZE = "1500000"
submit = "Submit for analysis"
}
/**
 * joebox is special, due to the TOS you can lookup here
 * http://www.joebox.org/resources/service%20terms.txt
 * therefore untested and disabled by default
 */
/*
joebox = {
urls = ["http://analysis.joebox.org/submit"]
email = "[email protected]"
file_fieldname = "upfile"
MAX_FILE_SIZE = "1500000"
submit = "Submit for analysis"
service = "agree"
xp = "1"
vista = "1"
w7 = "1"
pcap = "1"
}
*/
/*
 * template for a private backend; user/pass are sent along with each
 * submission, so use https and keep this file readable only by the service
 * user once they are filled in
 */
/*
yoursection =
{
urls = ["http://127.0.0.1/submit"]
email = "yourmail"
user = "yourusername"
pass = "yourpassword"
}
*/
}
listen =
{
/* basically we have 3 modes
- getifaddrs - auto
will get a list of all ips and bind a service to each ip
- manual - your decision
addrs has to be provided, and should look like this
addrs = { eth0 = ["1.1.1.1", "1.1.1.2"], eth1 = ["2.1.1.1", "2.1.1.2"] }
you get the idea ...
for most cases with more than one address
addrs = { eth0 = ["0.0.0.0"] }
will do the trick
if you want to throw in ipv6 support as well ...
addrs = { eth0 = ["::"] }
note: ipv6 does not work with surfids yet,
as ipv6 addresses are mapped to ipv4 and surfids fails to retrieve the sensor id for ::ffff:1.2.3.4
- nl, will require a list of interfaces
fnmatch is possible like
interfaces = ["ppp*","tun*"]
and loading the nl module AFTER the python module in the modules section below
nl will use the kernel netlink interface to figure out which addresses exist
at runtime, and start/stop services dynamically per address per interface
*/
/* manual mode on the unspecified v6 address: every service listed in
 * modules.python.services below is bound on all addresses of eth0 (v4 too,
 * via v4-mapped addresses, where the stack allows it). Nothing here limits
 * who can reach the sensor, so the host belongs on a segment that cannot
 * reach anything you care about. */
mode = "manual"
addrs = { eth0 = ["::"] }
}
modules = {
/* curl module, used for outgoing http (downloads of offered binaries and,
 * presumably, the http submission backends) */
curl =
{
protocol = "http"
}
/* shellcode emulator module; detect/profile flags are presumably "detect
 * shellcode in payloads" and "record an api-call profile of it" -- confirm
 * in the emu module, this file does not define them */
emu = {
detect = "1"
profile = "1"
}
pcap =
{
/**
 * libpcap 1.0.0
 *
 * "Arithmetic expression against transport layer headers, like
 * tcp[0], does not work against IPv6 packets. It only looks
 * at IPv4 packets."
 *
 * As a consequence, the default filter can not match
 * ipv6 tcp rst packets.
 *
 * If you want to go for rejected ipv6, remove the tcp matching part of the filter
 * The code is capable of checking the tcp-rst flag and seq number itself, but
 * matching every packet in userspace is expensive.
 * Therefore you'll have to hack the code if you want to track ipv6 rejected connections
 *
 * Format is IFACE = { addrs = MODE }
 * currently mode is ignored
 *
 * "any" captures on every interface; capturing needs raw-socket privileges,
 * so this is one reason the process must start privileged.
 */
any = {
addrs = "auto"
}
}
nfq =
{
/**
 * queue has to be the nfqueue num
 * refer to http://dionaea.carnivore.it/#nfq_python
 * if you do not specify a queue-num with iptables, 0 is the default
 * only meaningful together with the python "nfq" ihandler (disabled in
 * ihandlers.handlers below) and an iptables NFQUEUE rule feeding this queue
 */
queue = "0"
}
python = {
// default expands to PREFIX/lib/dionaea/python/
// ordering is preserved
// useful for development
// simply add your devel directory to the list, avoids a make install for new python code
// (code found on this path runs with dionaea's privileges -- keep every
// directory listed here owned by root and not writable by the service user)
sys_path = ["default"]
// python imports
imports = [ "log",
"services",
"ihandlers"]
ftp = {
// directory exposed to attackers via the ftp service; populate with decoy
// content only, never with real data
root = "wwwroot"
/* ftp client section
 * (dionaea acting as ftp client to fetch offered binaries)
 */
/* ports for active ftp
 * string indicating a range
 * the sensor listens on these for the attacker's data connection, so the
 * range must be reachable from outside -- allow exactly this range and
 * nothing wider on the firewall
 */
active-ports = "63001-64000"
/* host for active ftp via NAT
 * 0.0.0.0 - the initiating connection ip is used for active ftp
 * not 0.0.0.0 - gets resolved as hostname and used
 */
active-host = "0.0.0.0"
}
tftp = {
// directory exposed to attackers via tftp (same decoy-only rule as ftp.root)
root = "wwwroot"
}
// http service disabled here ("http" is also absent from services.serve below)
//http = {
// root = "wwwroot"
// max-request-size = "32768" // maximum size in kbytes of the request (32MB)
//}
sip = {
// sip listeners; 5060 udp/tcp cleartext, 5061 tls. Which certificate the tls
// listener presents is not configured in this file -- confirm in the sip
// module before exposing it, a default/self-signed cert is a fingerprint.
udp = {
port = "5060"
}
tcp = {
port = "5060"
}
tls = {
port = "5061"
}
// sqlite db of fake accounts the service will accept (relative path)
users = "sipaccounts.sqlite"
rtp = {
enable = "yes"
/* how to dump the rtp stream
bistream = dump as bistream
pcap = write a pcap file per call (see pcap below)
*/
mode = ["bistream", "pcap"]
pcap = {
// {personality}/{remote_host}/{remote_port} are filled per call, the rest is
// strftime; the remote address ends up in the file name, so these dumps
// identify the caller
path = "rtp/{personality}/%Y-%m-%d/"
filename = "%H:%M:%S_{remote_host}_{remote_port}_in.pcap"
}
}
// how the fake softphone presents itself; "default" answers everything not
// matched by another personality
personalities = {
default = {
domain = "localhost"
name = "softphone"
personality = "generic"
}
/*
next-server = {
domain = "my-domain"
name = "my server"
personality = "generic"
serve = ["10.0.0.1"]
default_sdp = "default"
handle = ["REGISTER", "INVITE", "BYE", "CANCEL", "ACK"]
}
*/
}
// call actions; "play" needs a real media file, ".../file.ext" is only a
// placeholder and must be replaced (or the action removed) before anything
// references play-hello
actions = {
bank-redirect = {
do = "redirect"
params = {
}
}
play-hello = {
do = "play"
params = {
file = ".../file.ext"
}
}
}
}
/* surfids backend (a PostgreSQL connection, judging by port 5432). Disabled
 * as shipped: "surfids" is commented out in ihandlers.handlers below. Every
 * value marked "change this" is a placeholder. */
surfids = {
/* "require" encrypts the connection but, if this goes through libpq, does
 * not verify the server certificate unless a root CA file happens to be
 * present; "verify-full" with a CA file is what stops a MITM from collecting
 * the credentials below */
sslmode = "require"
host = "surfids.example.com" // change this
port = "5432" // maybe this
username = "surfids" // this
/* cleartext database password: keep this file out of version control and
 * readable only by the dionaea user */
password = "secret" // and this
dbname = "idsserver"
}
virustotal = {
// disabled as shipped: "virustotal" is commented out in ihandlers.handlers.
// the key is tied to your VT account and quota, so treat it as a secret
// (file permissions, never commit it). Enabling this hands at least the
// hashes of what the sensor caught to a third party.
apikey = "........." // grab it from your virustotal account at My account -> Inbox -> Public API
// local sqlite cache of lookups (relative path)
file = "vtcache.sqlite"
}
// disabled as shipped ("mwserv" commented out in ihandlers.handlers);
// ask your mwserv backend provider for the needed values
mwserv = {
url = "" // the url to send the submission requests to; use https, the secret travels with every request
maintainer = "" // username of the maintainer of this sensor
guid = "" // guid of this sensor, as generated serverside; typically 8 chars
secret = "" // shared secret used for authentication aka password; typically 48 chars -- keep out of version control
}
// fake mysql server: the databases listed here are what an attacker sees
// (and can modify) through the emulated server
mysql = {
databases = {
// served from memory, so nothing an attacker writes survives a restart
information_schema = {
path = ":memory:"
}
// example how to extend this
// just provide a databasename and path to the database
// the database can be altered by attackers, so ... better use a copy:
// point it at a throwaway file, never at a db that holds real data
// psn = {
// path = "/path/to/cc_info.sqlite"
// }
}
}
// disabled as shipped ("submit_http" commented out in ihandlers.handlers);
// ask your submit_http backend provider for the needed values
submit_http = {
url = "" // the url to send the submission requests to; use https if user/pass are set
email = "" // optional
user = "" // username (optional)
pass = "" // password (optional) -- keep this file out of version control once set
}
hpfeeds = {
hp1 = {
/* NOTE(review): "hpfeeds" is enabled in ihandlers.handlers below, but the
 * broker settings here are all empty -- either fill them in or take hpfeeds
 * out of the handler list. ident/secret are the broker credentials; keep
 * them out of version control. */
server = ""
port = ""
ident = ""
secret = ""
// dynip_resolve: enable to lookup the sensor ip through a webservice
// this is a cleartext http request to a third party: it discloses that the
// sensor exists, and whatever body comes back is presumably taken as the
// sensor's public address unverified. Leave it empty if the address is
// static or can be supplied locally.
dynip_resolve = "http://queryip.net/ip/"
}
}
// local sqlite event log, enabled via "logsql" in ihandlers.handlers below.
// the file collects attacker addresses, credentials and download urls, so
// restrict its permissions like the rest of LOCALESTATEDIR
logsql = {
mode = "sqlite" // so far there is only sqlite
sqlite = {
file = "logsql.sqlite"
}
}
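logxmpp = {
/**
 * this section defines a single xmpp logging target
 * you can have multiple
 * Disabled as shipped: "logxmpp" is commented out in ihandlers.handlers
 * below. The carnivore.it account is a shared anonymous one, so everything
 * relayed through it is readable by the other members of the muc -- review
 * the event filters under config before enabling.
 */
carnivore = {
server = "sensors.carnivore.it"
/**
 * as dionaea does not support starttls (xmpp on port 5222),
 * we rely on 'legacy ssl' for the xmpp connection (port 5223)
 * (the two port numbers were swapped in the original comment; 5223 is what
 * is configured below)
 */
port = "5223"
muc = "dionaea.sensors.carnivore.it"
/**
 * if the server exists, this is a valid account
 */
username = "[email protected]"
password = "anonymous"
/**
 * setting a resource is possible, but you should not do it
 * the default resource is a random string of 8 chars
 */
// resource = "theresource"
config =
{
/**
 * this defines a muc channel
 */
anon-events =
{
/**
 * incidents matching these events will get relayed to the channel.
 * libconfig expands \x5c to a backslash, so "\x5c." is a regex-escaped
 * literal dot. The last pattern previously read "virustotal\x5creport",
 * i.e. "\report" -- a carriage return (\r) followed by "eport" -- which can
 * never match the dotted event name; it now reads "\x5c.report" like the
 * other entries.
 */
events = ["^dionaea\x5c.connection\x5c..*",
"^dionaea\x5c.modules\x5c.python\x5c.smb.dcerpc\x5c.*",
"^dionaea\x5c.download\x5c.offer$",
"^dionaea\x5c.download\x5c.complete\x5c.hash$",
"^dionaea\x5c.module\x5c.emu\x5c.profile$",
"^dionaea\x5c.modules\x5c.python\x5c.mysql\x5c.*",
"^dionaea\x5c.modules\x5c.python\x5c.sip\x5c.*",
"^dionaea\x5c.modules\x5c.python\x5c.p0f\x5c.*",
"^dionaea\x5c.modules\x5c.python\x5c.virustotal\x5c.report",
]
/**
 * anonymous removes the local host information from all connection messages
 * so you can report without getting identified
 */
anonymous = "yes"
}
/**
 * second channel: relays the "complete.unique" download event, i.e. new
 * samples. No "anonymous" flag is set here, so check what that event carries
 * before enabling logxmpp.
 */
anon-files =
{
events = ["^dionaea\x5c.download\x5c.complete\x5c.unique"]
}
}
}
}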
nfq = {
/**
 * nfq can intercept incoming tcp connections during the tcp handshake
 * giving your honeypot the possibility to provide service on
 * ports which are not served by default.
 * refer to the documentation (http://dionaea.carnivore.it/#nfq_python)
 * BEFORE using this
 * disabled as shipped ("nfq" commented out in ihandlers.handlers below);
 * it also needs the nfq module above and an iptables NFQUEUE rule.
 */
// verdict for the intercepted packet; 0 = DROP (the connection is then
// presumably served by a dynamically started listener instead)
nfaction = "0" // DROP
// rate limits for dynamically opened ports: "window" seconds, "total"
// across all ports, "slot" per port -- units are an assumption, confirm in
// the nfq handler
throttle = {
window = "30"
limits = {
total = "30"
slot = "30"
}
}
// seconds (presumably) before an unused dynamic listener / connection is torn down
timeouts = {
server = {
listen = "5"
}
client = {
idle = "10"
sustain = "240"
}
}
}
p0f = {
/**
 * start p0f with
 * sudo p0f -i any -u root -Q /tmp/p0f.sock -q -l
 * "-u" is p0f's privilege-drop option, so "-u root" keeps it running as
 * root; a dedicated unprivileged user is preferable. A socket under /tmp is
 * reachable by every local user -- put it under the dionaea state directory
 * if the host is not single-purpose.
 * disabled as shipped ("p0f" commented out in ihandlers.handlers below)
 */
path = "un:///tmp/p0f.sock"
}
// files written for fail2ban to act on (presumably one line per download
// and per offer). Disabled as shipped ("fail2ban" commented out in
// ihandlers.handlers below); note that banning attackers defeats the
// purpose of a honeypot unless the jail protects other hosts only.
fail2ban = {
downloads = "downloads.f2b"
offers = "offers.f2b"
}
/* incident handlers that actually run; everything commented out below has a
 * config section above that is inert until it is listed here. "hpfeeds" is
 * enabled although modules.python.hpfeeds.hp1 has empty server/port/ident/
 * secret -- fill those in or disable it here. */
ihandlers = {
handlers = ["ftpdownload", "tftpdownload", "emuprofile", "cmdshell", "store", "uniquedownload",
"logsql",
// "virustotal",
// "mwserv",
// "submit_http",
// "logxmpp",
"hpfeeds",
// "nfq",
// "p0f",
// "surfids",
// "fail2ban"
]
}
/* emulated services exposed on every address from the listen section above
 * (no "http", matching the disabled http block). Each of these is an
 * attack surface by design; nothing else on the host should share the
 * machine or its credentials. */
services = {
serve = ["tftp", "ftp", "mirror", "smb", "epmap", "sip","mssql", "mysql"]
}
}
/* netlink module; see the listen section for the "nl" mode it enables
 * (must be loaded after the python module). */
nl =
{
lookup_ethernet_addr = "no" // set to yes in case you are interested in the mac address of the remote (only works for lan)
}
/* nc is a test module; the whole block below is commented out. If enabled it
 * binds a dozen extra tcp/udp/tls listeners on all addresses ("::") plus
 * outgoing test clients, so keep it disabled outside of development. */
/* nc =
{
services = [
{
proto = "redir"
type = "tcp"
host = "::"
port = "4711"
},
{
proto = "redir"
type = "tcp"
host = "::"
port = "12344"
},
{
proto = "sink"
type = "tcp"
host = "::"
port = "12345"
throttle = {
in = "8192"
}
timeout = {
listen = "15"
connect = "15"
}
},
{
proto = "source"
type = "tcp"
host = "::"
port = "12346"
throttle = {
out = "8192"
}
timeout = {
listen = "15"
connect = "15"
}
},
{
proto = "redir"
type = "tcp"
host = "::"
port = "12347"
throttle = {
in = "8192"
out = "8192"
}
timeout = {
listen = "15"
connect = "15"
}
},
{
proto = "redir"
type = "tls"
host = "::"
port = "12444"
timeout = {
listen = "15"
connect = "15"
}
},
{
proto = "sink"
type = "tls"
host = "::"
port = "12445"
throttle = {
in = "8192"
}
timeout = {
listen = "15"
connect = "5"
}
},
{
proto = "source"
type = "tls"
host = "::"
port = "12446"
throttle = {
out = "8192"
}
timeout = {
listen = "15"
connect = "15"
}
},
{
proto = "redir"
type = "tls"
host = "::"
port = "12447"
throttle = {
in = "8192"
out = "8192"
}
timeout = {
listen = "15"
connect = "15"
}
},
{
proto = "source"
type = "udp"
host = "::"
port = "12544"
timeout = {
connect = "15"
}
},
{
proto = "sink"
type = "udp"
host = "::"
port = "12545"
timeout = {
connect = "15"
}
},
{
proto = "redir"
type = "udp"
host = "::"
port = "12546"
timeout = {
connect = "15"
}
}
]
clients = [
{
proto = "source"
type = "tcp"
host = "127.0.0.1"
port = "13344"
timeout = {
connecting = "5"
connect = "15"
reconnect = "5"
}
},
{
proto = "redir"
type = "tcp"
host = "ip6-localhost"
port = "13345"
timeout = {
connecting = "5"
connect = "15"
reconnect = "5"
}
},
{
proto = "redir"
type = "tls"
host = "localhost"
port = "13346"
timeout = {
connecting = "5"
connect = "15"
reconnect = "5"
}
},
{
proto = "source"
type = "tls"
host = "ip6-localhost"
port = "12445"
timeout = {
reconnect = "1"
connect = "1"
}
}
]
}
*/
}