Dionaea can now handle very basic SOAP requests and analyse attacks against TR-069.
In the article 'Use dionaea to capture attacks against TR-069' published a few hours ago I have demonstrated how to use the blackhole service to capture attacks against the TR-069 service. Since then the http service of dionaea has been improved to also handle basic SOAP requests. This allows dionaea to analyse the data submitted, extract the included download commands and report incidents including the URLs to download additional files.
To test the new code you have to use the latest master branch from the git repository and add a new config file. Copy the http.yaml
in the services-enabled
directory and name the new file tr-069.yaml
. After you have copyed the file, just edit the new file and change/add the following parameters to enable a webserver with soap handling on port 7547.
- name: http
config:
...
port: 7547
...
soap_enabled: true
...
At the time of writing it looks like most of the mirrors are down or the hosted maleware has been removed.