Dionaea is a low interaction honeypot. It's the successor of nepenthes and is made to capture exploits and malware. At the moment nightly builds are available for Ubuntu 10.04 and 11.04. You can use the Personal Package Archive (PPA) to install and update the packages.
First, add the PPA to your sources.list:
$ sudo apt-get install python-software-properties
$ sudo apt-add-repository ppa:honeynet/nightly
Update the package index and install dionaea.
$ sudo apt-get update
$ sudo apt-get install dionaea
Now it's time to create the configuration. Go into the /etc/dionaea directory and create your own copy of the original configuration file.
$ sudo cp dionaea.conf.dist my.conf
Before you edit the configuration by hand, change some paths. The first sed strips the "var/dionaea/" prefix so those paths become relative to the working directory dionaea is started with, the second one makes the log path absolute under /var/dionaea/log/.
$ sudo sed -i 's/var\/dionaea\///g' my.conf
$ sudo sed -i 's/log\//\/var\/dionaea\/log\//g' my.conf
You can find a lot of configuration options in my.conf, and most of them are well documented. But you should have a closer look at the "submit" section: if you don't want dionaea to send the captured malware to an external server for further analysis, comment it out.
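To see what the two sed commands change before running them on /etc/dionaea/my.conf, here is an added example (not from the original post and not part of the dionaea project) that applies the same substitutions to a constructed config fragment and checks the result. The config lines in SAMPLE_CONF are made up for this example and only mimic the path style of dionaea.conf.dist; the function names are my own.

```shell
#!/bin/sh
# Added example: dry-run the path rewrite from the post on a constructed
# config fragment. Nothing here touches /etc/dionaea.

# Constructed sample (not a copy of dionaea.conf.dist), mimicking the
# "var/dionaea/..." relative paths the post rewrites.
SAMPLE_CONF='logging = {
    default = {
        file = "var/dionaea/log/dionaea.log"
    }
}
downloads = {
    dir = "var/dionaea/binaries/"
}
bistreams = {
    dir = "var/dionaea/bistreams/"
}
ihandlers = {
    handlers = ["ftpdownload", "tftpdownload", "submit_http", "p0f"]
}'

# The same two substitutions the post runs on my.conf:
#  1. strip the "var/dionaea/" prefix, so binaries/ and bistreams/ are
#     resolved relative to the directory passed to dionaea with -w;
#  2. turn the now-relative "log/" into the absolute /var/dionaea/log/.
rewrite_paths() {
    printf '%s\n' "$1" \
        | sed 's/var\/dionaea\///g' \
        | sed 's/log\//\/var\/dionaea\/log\//g'
}

# Count quoted paths that still start with the old relative prefix.
# 0 after rewrite_paths means every such path was handled.
leftover_relative_paths() {
    printf '%s\n' "$1" | grep -c '"var/dionaea/' || true
}

# Return 0 if the named ihandler appears in the "handlers" list, else 1.
# Useful to confirm e.g. "p0f" is enabled, or that "submit_http" is not,
# after editing the config by hand.
handler_enabled() {
    printf '%s\n' "$1" | grep '^ *handlers *=' | grep -q "\"$2\""
}

# Stand-alone run: show the rewritten fragment and a summary.
if [ "${1:-}" = "--demo" ]; then
    REWRITTEN=$(rewrite_paths "$SAMPLE_CONF")
    printf '%s\n\n' "$REWRITTEN"
    printf 'leftover relative paths: %s\n' "$(leftover_relative_paths "$REWRITTEN")"
    if handler_enabled "$REWRITTEN" submit_http; then
        echo 'submit_http is enabled: captured binaries will be uploaded'
    else
        echo 'submit_http is disabled'
    fi
fi
```

Run it with `sh rewrite_check.sh --demo` to print the rewritten fragment; the log path comes out as /var/dionaea/log/dionaea.log while binaries/ and bistreams/ stay relative, which is why the post later starts dionaea with -w /var/dionaea.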
Create all the required directories and change the owner to "nobody" and the group to "nogroup".
$ sudo mkdir -p /var/dionaea/bistreams
$ sudo mkdir -p /var/dionaea/wwwroot
$ sudo mkdir -p /var/dionaea/binaries
$ sudo mkdir -p /var/dionaea/log
$ sudo chown -R nobody:nogroup /var/dionaea/
Now it's time to start the honeypot for the first time.
$ sudo -k dionaea -c /etc/dionaea/my.conf -u nobody -g nogroup -w /var/dionaea -p /var/run/dionaea.pid -l all,-debug -L '*'
The tool p0f is a passive fingerprinter. If you want to use it with dionaea, uncomment the "p0f" ihandler in the "ihandlers" section.
Install the p0f tool ...
$ sudo apt-get install p0f
... and start it as a daemon process.
$ sudo -k su -c 'p0f -i any -u root -Q /tmp/p0f.sock -q -l -t -o /var/log/p0f.log -d && chown root:nogroup /tmp/p0f.sock && chmod g+w /tmp/p0f.sock'
After that you have to restart dionaea and it should now collect more information about the system that attacks the honeypot.
Links
- Dionaea (english)
- Honeypot PPA (english)