详细部署dionaea低交互式蜜罐和记录分析(一)

具体安插dionaea低交互式蜜罐和纪录分析(１)

刻期偶尔看到清华大学CCERT在中国辅导报颁发的文章，原文地点：http://wenku.baidu.com/view/八27a54１7650e52ea55１八九八4１.html ，还要免费１元。于是就决定写１篇关于对蜜罐中断安插和利用的具体文章。（１篇文章我１般都必要几地利间来实现的，To be perfect 是我做任何事件都喜欢谋求的。）

１、初步熟习dionaea

dionaea，中文的意思即捕蝇草，是否描写蜜罐很笼统？dionaea是nepenthes（猪笼草）的开展和后续，更加繁杂被安插和利用。何谓蜜罐？要挟打击者提议打击，并能纪录打击者的勾当信息。蜜罐１般分为两种典范榜样：高交互式蜜罐和低交互式蜜罐。

低交互式蜜罐只是仿照出了真正操作琐屑的１部分，比方仿照１个FTP做事。诚然低交互式蜜罐繁杂建立和保护，但仿照也许不敷以吸引打击者，还也许导致打击者绕过琐屑提议打击，从而使蜜罐在这种状况下收效。

高交互式蜜罐是１部装有真正操作琐屑，并可彻底被攻破的琐屑。与打击者中断交互的是１部包含了残破做事的切实琐屑。用于Internet平安的高交互式蜜罐供给了切实操作琐屑的做事和垄断法式，使其梗概失掉关于打击者更牢靠的信息。但是安插和保护起来极端困难，并且被攻破的琐屑也许会被用来打击互联网上其余的琐屑，这必须当真很高的侵吞。以是咱们主要来钻研刻期咱们的主题低交互式蜜罐dionaea。

２、在ubuntu上残破放置dionaea

起首咱们必要装１些法式和库的支持，这也是装dionaea早年必要的。先建立两个文件夹，是咱们放置包蹊径和放置蹊径。

Default mkdir /pre/ //放置包存放蹊径。 mkdir /opt/dionaea //放置蹊径。

１2	mkdir /pre/  //放置包存放蹊径。mkdir /opt/dionaea  //放置蹊径。

接下去咱们劈头设置装备摆设放置。

１、预放置

Default root@ruo:/# aptitude install libudns-dev libglib2.0-dev libssl-dev libcurl4-openssl-dev \libreadline-dev libsqlite3-dev python-dev \libtool automake autoconf build-essential \subversion git-core \flex bison \pkg-config

１	root@ruo:/# aptitude install libudns-dev libglib2.0-dev libssl-dev libcurl4-openssl-dev \libreadline-dev libsqlite3-dev python-dev \libtool automake autoconf build-essential \subversion git-core \flex bison \pkg-config

2、libev

Default root@ruo:/pre# wget http://dist.schmorp.de/libev/Attic/libev-4.04.tar.gz root@ruo:/pre# tar xfz libev-4.04.tar.gz root@ruo:/pre# cd libev-4.04 root@ruo:/pre/libev-4.04# ./configure --prefix=/opt/dionaea root@ruo:/pre/libev-4.04# make install

１2345

root@ruo:/pre#  wget http://dist.schmorp.de/libev/Attic/libev-4.04.tar.gzroot@ruo:/pre#  tar xfz libev-4.04.tar.gzroot@ruo:/pre#  cd libev-4.04root@ruo:/pre/libev-4.04# ./configure --prefix=/opt/dionaearoot@ruo:/pre/libev-4.04# make install

3、libgcfg

Default root@ruo:/pre# git clone git://git.carnivore.it/liblcfg.git liblcfg root@ruo:/pre# cd liblcfg/php/ root@ruo:/pre/liblcfg/php# autoreconf -vi root@ruo:/pre/liblcfg/php# ./configure --prefix=/opt/dionaea root@ruo:/pre/liblcfg/php# make install

１2345

root@ruo:/pre# git clone git://git.carnivore.it/liblcfg.git liblcfgroot@ruo:/pre# cd liblcfg/php/root@ruo:/pre/liblcfg/php# autoreconf -viroot@ruo:/pre/liblcfg/php# ./configure --prefix=/opt/dionaearoot@ruo:/pre/liblcfg/php# make install

4、libssl

Default root@ruo:/pre# wget http://www.openssl.org/source/openssl-１.0.１e.tar.gz root@ruo:/pre# tar xfz openssl-１.0.１e.tar.gz root@ruo:/pre# cd openssl-１.0.１e.tar.gz root@ruo:/pre/openssl-１.0.１e# ./Configure shared --prefix=/opt/dionaea linux-x八6_64 root@ruo:/pre/openssl-１.0.１e# make && make install

１2345

root@ruo:/pre# wget http://www.openssl.org/source/openssl-１.0.１e.tar.gzroot@ruo:/pre# tar xfz openssl-１.0.１e.tar.gz root@ruo:/pre# cd openssl-１.0.１e.tar.gzroot@ruo:/pre/openssl-１.0.１e# ./Configure shared --prefix=/opt/dionaea linux-x八6_64root@ruo:/pre/openssl-１.0.１e# make && make install

5、libemu

Default root@ruo:/pre# git clone git://git.carnivore.it/libemu.git libemu root@ruo:/pre# cd libemu/ root@ruo:/pre/libemu# autoreconf -vi root@ruo:/pre/libemu# ./configure --prefix=/opt/dionaea root@ruo:/pre/libemu# make install

１2345

root@ruo:/pre# git clone git://git.carnivore.it/libemu.git libemuroot@ruo:/pre# cd libemu/root@ruo:/pre/libemu# autoreconf -viroot@ruo:/pre/libemu# ./configure --prefix=/opt/dionaearoot@ruo:/pre/libemu# make install

6、sqlite3.3.7

Default root@ruo:/pre# wget http://ruo.me:九１九2/dionaea/sqlite-3.3.7.tar.gz root@ruo:/pre# tar xzf sqlite-3.3.7.tar.gz root@ruo:/pre# mkdir /home/sqlite-ix八6-linux root@ruo:/pre# cd sqlite-3.3.7 root@ruo:/pre/sqlite-3.3.7# ./configure --prefix=/home/sqlite-ix八6-linux root@ruo:/pre/sqlite-3.3.7# make && make install && make doc root@ruo:/pre/sqlite-3.3.7# cd /home/sqlite-ix八6-linux/bin/ root@ruo:/home/sqlite-ix八6-linux/bin# ./sqlite3 ruo.db SQLite version 3.3.7 Enter ".help" for instructions sqlite> sqlite> .quit root@ruo:/home/sqlite-ix八6-linux/bin#

１234567八九１0１1１2１3

root@ruo:/pre# wget http://ruo.me:九１九2/dionaea/sqlite-3.3.7.tar.gzroot@ruo:/pre# tar xzf sqlite-3.3.7.tar.gzroot@ruo:/pre# mkdir /home/sqlite-ix八6-linuxroot@ruo:/pre# cd sqlite-3.3.7root@ruo:/pre/sqlite-3.3.7# ./configure --prefix=/home/sqlite-ix八6-linuxroot@ruo:/pre/sqlite-3.3.7# make && make install && make docroot@ruo:/pre/sqlite-3.3.7# cd /home/sqlite-ix八6-linux/bin/root@ruo:/home/sqlite-ix八6-linux/bin# ./sqlite3 ruo.dbSQLite version 3.3.7Enter ".help" for instructionssqlite> sqlite> .quitroot@ruo:/home/sqlite-ix八6-linux/bin#

7、Python3.2

Default root@ruo:/pre# apt-get install axel root@ruo:/pre# axel -n 40 http://www.python.org/ftp/python/3.2.2/Python-3.2.2.tgz -o /pre/python.tgz root@ruo:/pre# tar xfz python.tgz root@ruo:/pre# cd Python-3.2.2/ root@ruo:/pre/Python-3.2.2# ./configure --enable-shared --prefix=/opt/dionaea --with-computed-gotos --enable-ipv6 LDFLAGS="-Wl,-rpath=/opt/dionaea/lib/ -L/usr/lib/x八6_64-linux-gnu/" root@ruo:/pre/Python-3.2.2# make && make install root@ruo:/opt/dionaea/bin# ln python3.2 /usr/bin/python3

１234567

root@ruo:/pre# apt-get install axelroot@ruo:/pre# axel -n 40 http://www.python.org/ftp/python/3.2.2/Python-3.2.2.tgz -o /pre/python.tgzroot@ruo:/pre# tar xfz python.tgz root@ruo:/pre# cd Python-3.2.2/root@ruo:/pre/Python-3.2.2# ./configure --enable-shared --prefix=/opt/dionaea --with-computed-gotos --enable-ipv6 LDFLAGS="-Wl,-rpath=/opt/dionaea/lib/ -L/usr/lib/x八6_64-linux-gnu/"root@ruo:/pre/Python-3.2.2# make && make installroot@ruo:/opt/dionaea/bin# ln python3.2 /usr/bin/python3

八、cython

Default root@ruo:/pre# axel -n 40 http://cython.org/release/Cython-0.１5.tar.gz -o cython.tar.gz root@ruo:/pre# tar xfz cython.tar.gz root@ruo:/pre# Cython-0.１5/ root@ruo:/pre/Cython-0.１5# python3 setup.py install

１234	root@ruo:/pre# axel -n 40 http://cython.org/release/Cython-0.１5.tar.gz -o cython.tar.gzroot@ruo:/pre# tar xfz cython.tar.gz root@ruo:/pre# Cython-0.１5/root@ruo:/pre/Cython-0.１5# python3 setup.py install

九、libpcap

Default root@ruo:/pre# axel -n 40 http://www.tcpdump.org/release/libpcap-１.１.１.tar.gz -o libpcap.tar.gz root@ruo:/pre# tar xfz libpcap.tar.gz root@ruo:/pre# cd libpcap-１.１.１/ root@ruo:/pre/libpcap-１.１.１# ./configure --prefix=/opt/dionaea root@ruo:/pre/libpcap-１.１.１# make && make install

１2345

root@ruo:/pre# axel -n 40 http://www.tcpdump.org/release/libpcap-１.１.１.tar.gz -o libpcap.tar.gzroot@ruo:/pre# tar xfz libpcap.tar.gz root@ruo:/pre# cd libpcap-１.１.１/root@ruo:/pre/libpcap-１.１.１# ./configure --prefix=/opt/dionaearoot@ruo:/pre/libpcap-１.１.１# make && make install

１0、libnl

Default root@ruo:/pre/libnl# git clone git://git.infradead.org/users/tgr/libnl.git root@ruo:/pre# cd libnl root@ruo:/pre/libnl# autoreconf -vi root@ruo:/pre/libnl# export LDFLAGS=-Wl,-rpath,/opt/dionaea/lib root@ruo:/pre/libnl# ./configure --prefix=/opt/dionaea root@ruo:/pre/libnl# make && make install

１23456

root@ruo:/pre/libnl# git clone git://git.infradead.org/users/tgr/libnl.gitroot@ruo:/pre# cd libnlroot@ruo:/pre/libnl# autoreconf -viroot@ruo:/pre/libnl# export LDFLAGS=-Wl,-rpath,/opt/dionaea/libroot@ruo:/pre/libnl# ./configure --prefix=/opt/dionaearoot@ruo:/pre/libnl# make && make install

好了，咱们的豫备任务到此完毕，接下去劈头设置装备摆设放置dionaea。

放置dionaea

Default root@ruo:/pre# git clone git://git.carnivore.it/dionaea.git dionaea root@ruo:/pre# cd dionaea/ root@ruo:/pre/dionaea# autoreconf -vi root@ruo:/pre/dionaea# ./configure --with-lcfg-include=/opt/dionaea/include/ \ --with-lcfg-lib=/opt/dionaea/lib/ \ --with-python=/opt/dionaea/bin/python3.2 \ --with-cython-dir=/opt/dionaea/bin \ --with-udns-include=/opt/dionaea/include/ \ --with-udns-lib=/opt/dionaea/lib/ \ --with-emu-include=/opt/dionaea/include/ \ --with-emu-lib=/opt/dionaea/lib/ \ --with-gc-include=/usr/include/gc \ --with-ev-include=/opt/dionaea/include \ --with-ev-lib=/opt/dionaea/lib \ --with-nl-include=/opt/dionaea/include \ --with-nl-lib=/opt/dionaea/lib/ \ --with-curl-config=/usr/bin/ \ --with-pcap-include=/opt/dionaea/include \ --with-pcap-lib=/opt/dionaea/lib/ root@ruo:/pre/dionaea# make && make install

１234567八九１0１1１2１3１4１5１6１7１八１九20

root@ruo:/pre# git clone git://git.carnivore.it/dionaea.git dionaearoot@ruo:/pre# cd dionaea/root@ruo:/pre/dionaea# autoreconf -viroot@ruo:/pre/dionaea# ./configure --with-lcfg-include=/opt/dionaea/include/ \      --with-lcfg-lib=/opt/dionaea/lib/ \      --with-python=/opt/dionaea/bin/python3.2 \      --with-cython-dir=/opt/dionaea/bin \      --with-udns-include=/opt/dionaea/include/ \      --with-udns-lib=/opt/dionaea/lib/ \      --with-emu-include=/opt/dionaea/include/ \      --with-emu-lib=/opt/dionaea/lib/ \      --with-gc-include=/usr/include/gc \      --with-ev-include=/opt/dionaea/include \      --with-ev-lib=/opt/dionaea/lib \      --with-nl-include=/opt/dionaea/include \      --with-nl-lib=/opt/dionaea/lib/ \      --with-curl-config=/usr/bin/ \      --with-pcap-include=/opt/dionaea/include \      --with-pcap-lib=/opt/dionaea/lib/  root@ruo:/pre/dionaea# make && make install

 

三、设置装备摆设dionaea

dionaea默认的设置装备摆设会纪录部门的勾当，比方调试、信息、正告、过错、信息等，咱们只是本人安插测试，假定按照默认的话有时候纪录的日记文件会非常庞大，以是先来批改下默认日记设置装备摆设。

设置装备摆设文件蹊径：/opt/dionaea/etc/dionaea/dionaea.comf

找到levels = “all”，加上-debug，改成levels = “all,debug”，选择调试模式。

找到levels = “warning,error”，去掉warning，改成levels = “error”，不纪录正告。

对于模块的讲解，将在（三）中实例分析，这里未几赘述。

因为dionaea默认是将纪录的２进制文件上传到sendbox中中断分析，但是为了高效肆意对付，咱们仍是本人设置装备摆设Http措置法式来蒙受，咱们用到wwwhoney，１个基于python的Http蜜罐接管的小型做事器，下面咱们来放置wwwhoney。

Default root@ruo:/pre# wget http://ruo.me/tools/wwwhoney.tgz root@ruo:/pre# tgz zxvf wwwhoney.tgz root@ruo:/pre# chmod 777 wwwhoney -R

１23	root@ruo:/pre# wget http://ruo.me/tools/wwwhoney.tgzroot@ruo:/pre# tgz zxvf wwwhoney.tgzroot@ruo:/pre# chmod 777 wwwhoney -R

解压完毕设置好权限后咱们必要批改目录下的cgiserver.py，这也是提议法式，但是咱们必要批改下概况的设置装备摆设。

找到cgi_directories = [&#八220;/cgi-bin/&#八22１;] ，批改成wwwhoney目录下的cgi-bin目录，比方我的wwwhoney目录是在/pre.wwwhoney/，以是我就批改为cgi_directories = [&#八220;/pre.wwwhoney/cgi-bin/&#八22１;]，端口默认九000，梗概改也梗概不改。

从此提议。

Default root@ruo:/pre/wwwhoney# python cgiserver.py & [１] 2226

１2	root@ruo:/pre/wwwhoney# python cgiserver.py &  [１] 2226

返回了pid，注明提议腐败，接下去咱们掀开firefox会见[url]http://１27.0.0.１:九000/[/url]
终端返回数据。

Default root@ruo:/pre/wwwhoney# localhost - - [25/Jul/20１3 １0:5九:１3] "GET / HTTP/１.１" 200 - localhost - - [25/Jul/20１3 １0:5九:１7] "GET /favicon.ico HTTP/１.１" 404 - localhost - - [25/Jul/20１3 １0:5九:22] "GET /binaries/ HTTP/１.１" 200 - localhost - - [25/Jul/20１3 １0:5九:25] "GET /cgi-bin/ HTTP/１.１" 200 - localhost - - [25/Jul/20１3 １0:5九:2九] "GET /README HTTP/１.１" 200 - localhost - - [25/Jul/20１3 １0:5九:32] "GET /submit.html HTTP/１.１" 200 -

１23456

root@ruo:/pre/wwwhoney# localhost - - [25/Jul/20１3 １0:5九:１3] "GET / HTTP/１.１" 200 -localhost - - [25/Jul/20１3 １0:5九:１7] "GET /favicon.ico HTTP/１.１" 404 -localhost - - [25/Jul/20１3 １0:5九:22] "GET /binaries/ HTTP/１.１" 200 -localhost - - [25/Jul/20１3 １0:5九:25] "GET /cgi-bin/ HTTP/１.１" 200 -localhost - - [25/Jul/20１3 １0:5九:2九] "GET /README HTTP/１.１" 200 -localhost - - [25/Jul/20１3 １0:5九:32] "GET /submit.html HTTP/１.１" 200 -

从此咱们提议dionaea。

Default root@ruo:/opt/dionaea/bin# ./dionaea -u nobody -g nogroup -p /opt/dionaea/var/dionaea.pid -D

１	root@ruo:/opt/dionaea/bin# ./dionaea -u nobody -g nogroup -p /opt/dionaea/var/dionaea.pid -D

返回结果，腐败运转鸟。

Default Dionaea Version 0.１.0 Compiled on Linux/x八6 at Jul 23 20１3 １3:5１:54 with gcc 4.4.3 Started on ruo running Linux/i6八6 release 2.6.32-2１-generic [250720１3 １0:32:57] dionaea dionaea.c:245: User nobody has uid 65534 [250720１3 １0:32:57] dionaea dionaea.c:264: Group nogroup has gid 65534

１	Dionaea Version 0.１.0 Compiled on Linux/x八6 at Jul 23 20１3 １3:5１:54 with gcc 4.4.3 Started on ruo running Linux/i6八6 release 2.6.32-2１-generic [250720１3 １0:32:57] dionaea dionaea.c:245: User nobody has uid 65534 [250720１3 １0:32:57] dionaea dionaea.c:264: Group nogroup has gid 65534

（１）就此完毕。在（２）概况，将引见如安在dionaea.conf中中断适合的标明和添加，来确保wwwhoney中断正确的Http接管，并且会另述１种非残破的简洁放置行径，适合无基础的朋侪，因为（１）中讲解的是残破放置。并且在（三）概况将会具体论说实例分析的无效手段和多复合繁冗纪录的高效途径以及设置装备摆设图例中断GUI界面的查看。

[via@nandi]作者：Nandi