
Detailed deployment of the dionaea low-interaction honeypot and record analysis (Part 1)


Recently I happened to see an article by Tsinghua University's CCERT published in China Education Daily (original location: http://wenku.baidu.com/view/827a5417650e52ea55189841.html, which also costs 1 yuan to read). So I decided to write a detailed article on deploying and using a honeypot. (One article usually takes me several days to finish; "To be perfect" is what I aim for in everything I do.)

I. Getting to know dionaea

dionaea means Venus flytrap; isn't that a vivid way to describe a honeypot? dionaea is the successor to and continuation of nepenthes (pitcher plant), and is easier to deploy and use. What is a honeypot? It is a system that lures attackers into attacking it and records information about their activity. Honeypots generally fall into two categories: high-interaction honeypots and low-interaction honeypots.

A low-interaction honeypot only emulates part of a real operating system, for example a single FTP service. Although low-interaction honeypots are easy to build and maintain, the emulation may not be convincing enough to attract attackers, and may even let an attacker bypass the emulated system to attack something else, in which case the honeypot has failed at its job.

A high-interaction honeypot is a machine running a real operating system that can be fully compromised. What the attacker interacts with is a real system offering complete services. High-interaction honeypots for Internet security provide the services and applications of a real operating system, so they can collect more reliable information about attackers. However, they are extremely difficult to deploy and maintain, and a compromised system may be used to attack other systems on the Internet, which carries a very high risk. So our main subject today is the low-interaction honeypot dionaea.

II. Full installation of dionaea on Ubuntu

First we need to install some programs and libraries that dionaea depends on. Before that, create two directories: one for the downloaded source packages and one as the installation prefix.

```shell
mkdir /pre/           # directory for the downloaded source packages
mkdir /opt/dionaea    # installation prefix
```

Next we start configuring and installing.

1. Prerequisites

```console
root@ruo:/# aptitude install libudns-dev libglib2.0-dev libssl-dev libcurl4-openssl-dev \
    libreadline-dev libsqlite3-dev python-dev \
    libtool automake autoconf build-essential \
    subversion git-core \
    flex bison \
    pkg-config
```

2. libev

```console
root@ruo:/pre# wget http://dist.schmorp.de/libev/Attic/libev-4.04.tar.gz
root@ruo:/pre# tar xfz libev-4.04.tar.gz
root@ruo:/pre# cd libev-4.04
root@ruo:/pre/libev-4.04# ./configure --prefix=/opt/dionaea
root@ruo:/pre/libev-4.04# make install
```

3. liblcfg

```console
root@ruo:/pre# git clone git://git.carnivore.it/liblcfg.git liblcfg
root@ruo:/pre# cd liblcfg/php/
root@ruo:/pre/liblcfg/php# autoreconf -vi
root@ruo:/pre/liblcfg/php# ./configure --prefix=/opt/dionaea
root@ruo:/pre/liblcfg/php# make install
```

4. libssl

```console
root@ruo:/pre# wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz
root@ruo:/pre# tar xfz openssl-1.0.1e.tar.gz
root@ruo:/pre# cd openssl-1.0.1e
root@ruo:/pre/openssl-1.0.1e# ./Configure shared --prefix=/opt/dionaea linux-x86_64
root@ruo:/pre/openssl-1.0.1e# make && make install
```

5. libemu

```console
root@ruo:/pre# git clone git://git.carnivore.it/libemu.git libemu
root@ruo:/pre# cd libemu/
root@ruo:/pre/libemu# autoreconf -vi
root@ruo:/pre/libemu# ./configure --prefix=/opt/dionaea
root@ruo:/pre/libemu# make install
```

6. sqlite 3.3.7

```console
root@ruo:/pre# wget http://ruo.me:9192/dionaea/sqlite-3.3.7.tar.gz
root@ruo:/pre# tar xzf sqlite-3.3.7.tar.gz
root@ruo:/pre# mkdir /home/sqlite-ix86-linux
root@ruo:/pre# cd sqlite-3.3.7
root@ruo:/pre/sqlite-3.3.7# ./configure --prefix=/home/sqlite-ix86-linux
root@ruo:/pre/sqlite-3.3.7# make && make install && make doc
root@ruo:/pre/sqlite-3.3.7# cd /home/sqlite-ix86-linux/bin/
root@ruo:/home/sqlite-ix86-linux/bin# ./sqlite3 ruo.db
SQLite version 3.3.7
Enter ".help" for instructions
sqlite>
sqlite> .quit
root@ruo:/home/sqlite-ix86-linux/bin#
```

7. Python 3.2

```console
root@ruo:/pre# apt-get install axel
root@ruo:/pre# axel -n 40 http://www.python.org/ftp/python/3.2.2/Python-3.2.2.tgz -o /pre/python.tgz
root@ruo:/pre# tar xfz python.tgz
root@ruo:/pre# cd Python-3.2.2/
root@ruo:/pre/Python-3.2.2# ./configure --enable-shared --prefix=/opt/dionaea --with-computed-gotos --enable-ipv6 LDFLAGS="-Wl,-rpath=/opt/dionaea/lib/ -L/usr/lib/x86_64-linux-gnu/"
root@ruo:/pre/Python-3.2.2# make && make install
root@ruo:/pre/Python-3.2.2# cd /opt/dionaea/bin/
root@ruo:/opt/dionaea/bin# ln python3.2 /usr/bin/python3
```

8. cython

```console
root@ruo:/pre# axel -n 40 http://cython.org/release/Cython-0.15.tar.gz -o cython.tar.gz
root@ruo:/pre# tar xfz cython.tar.gz
root@ruo:/pre# cd Cython-0.15/
root@ruo:/pre/Cython-0.15# python3 setup.py install
```

9. libpcap

```console
root@ruo:/pre# axel -n 40 http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz -o libpcap.tar.gz
root@ruo:/pre# tar xfz libpcap.tar.gz
root@ruo:/pre# cd libpcap-1.1.1/
root@ruo:/pre/libpcap-1.1.1# ./configure --prefix=/opt/dionaea
root@ruo:/pre/libpcap-1.1.1# make && make install
```

10. libnl

```console
root@ruo:/pre# git clone git://git.infradead.org/users/tgr/libnl.git
root@ruo:/pre# cd libnl
root@ruo:/pre/libnl# autoreconf -vi
root@ruo:/pre/libnl# export LDFLAGS=-Wl,-rpath,/opt/dionaea/lib
root@ruo:/pre/libnl# ./configure --prefix=/opt/dionaea
root@ruo:/pre/libnl# make && make install
```

Good, that completes the preparation. Next we configure and install dionaea itself.

Installing dionaea

```console
root@ruo:/pre# git clone git://git.carnivore.it/dionaea.git dionaea
root@ruo:/pre# cd dionaea/
root@ruo:/pre/dionaea# autoreconf -vi
root@ruo:/pre/dionaea# ./configure --with-lcfg-include=/opt/dionaea/include/ \
      --with-lcfg-lib=/opt/dionaea/lib/ \
      --with-python=/opt/dionaea/bin/python3.2 \
      --with-cython-dir=/opt/dionaea/bin \
      --with-udns-include=/opt/dionaea/include/ \
      --with-udns-lib=/opt/dionaea/lib/ \
      --with-emu-include=/opt/dionaea/include/ \
      --with-emu-lib=/opt/dionaea/lib/ \
      --with-gc-include=/usr/include/gc \
      --with-ev-include=/opt/dionaea/include \
      --with-ev-lib=/opt/dionaea/lib \
      --with-nl-include=/opt/dionaea/include \
      --with-nl-lib=/opt/dionaea/lib/ \
      --with-curl-config=/usr/bin/ \
      --with-pcap-include=/opt/dionaea/include \
      --with-pcap-lib=/opt/dionaea/lib/
root@ruo:/pre/dionaea# make && make install
```


III. Configuring dionaea

dionaea's default configuration records all activity, including debug, info, warning and error messages. Since we are only deploying it ourselves for testing, the log files can grow enormous under the defaults, so first let's adjust the default logging configuration.

Configuration file path: /opt/dionaea/etc/dionaea/dionaea.conf

Find levels = "all" and add -debug, making it levels = "all,-debug"; this excludes debug-level messages.

Find levels = "warning,error" and remove warning, making it levels = "error", so warnings are not recorded.
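As an added example (not part of the original post), a small POSIX shell script that applies both logging edits above to a dionaea.conf with sed, keeps a backup, and verifies the result. The function names are mine, and the sample configuration fragment is constructed to show only the two keys the edits touch.

```shell
# Added example, not from the original post. Applies the two logging edits
# described above to a dionaea.conf and verifies them. Function names are
# assumptions; the sample config is constructed to show only the relevant keys.

set_dionaea_log_levels() {
    conf="$1"
    cp "$conf" "$conf.bak"                       # keep a copy for rollback
    # "all" -> "all,-debug": keep everything except debug-level messages
    # "warning,error" -> "error": stop recording warnings
    sed -e 's/levels = "all"/levels = "all,-debug"/' \
        -e 's/levels = "warning,error"/levels = "error"/' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

check_dionaea_log_levels() {
    conf="$1"
    grep -q 'levels = "all,-debug"' "$conf" || return 1     # edit 1 applied
    grep -q 'levels = "error"' "$conf"      || return 1     # edit 2 applied
    grep -q 'levels = "warning,error"' "$conf" && return 1  # nothing left unedited
    return 0
}

# Constructed sample of the logging block (only the keys the edits touch).
make_sample_conf() {
    cat > "$1" <<'EOF'
logging = {
    default = {
        filename = "var/log/dionaea.log"
        levels = "all"
        domains = "*"
    }
    errors = {
        filename = "var/log/dionaea-errors.log"
        levels = "warning,error"
        domains = "*"
    }
}
EOF
}

# Usage on a real install: DIONAEA_CONF=/opt/dionaea/etc/dionaea/dionaea.conf sh logfix.sh
if [ -n "${DIONAEA_CONF:-}" ]; then
    set_dionaea_log_levels "$DIONAEA_CONF"
    check_dionaea_log_levels "$DIONAEA_CONF" && echo "logging levels updated"
fi
```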

The modules will be explained with worked examples in Part 3, so I won't go into them here.

By default dionaea uploads the binaries it captures to a sandbox for analysis. To handle them efficiently and on our own terms, we instead configure our own HTTP handler to receive them. For this we use wwwhoney, a small Python-based HTTP server for receiving honeypot submissions. Let's install wwwhoney.

```console
root@ruo:/pre# wget http://ruo.me/tools/wwwhoney.tgz
root@ruo:/pre# tar zxvf wwwhoney.tgz
root@ruo:/pre# chmod 777 wwwhoney -R    # world-writable for convenience here; tighten this on a production host
```

After extracting and setting permissions, we need to edit cgiserver.py in that directory. It is the startup script, but its configuration needs a small change.

Find cgi_directories = ["/cgi-bin/"] and change it to the cgi-bin directory under wwwhoney. For example, my wwwhoney directory is /pre/wwwhoney/, so I change it to cgi_directories = ["/pre/wwwhoney/cgi-bin/"]. The default port is 9000; you can change it or leave it.

Then start it.

```console
root@ruo:/pre/wwwhoney# python cgiserver.py &
[1] 2226
```

It returned a pid, which shows it started successfully. Next open Firefox and visit http://127.0.0.1:9000/; the terminal shows the request data.

```console
root@ruo:/pre/wwwhoney# localhost - - [25/Jul/2013 10:59:13] "GET / HTTP/1.1" 200 -
localhost - - [25/Jul/2013 10:59:17] "GET /favicon.ico HTTP/1.1" 404 -
localhost - - [25/Jul/2013 10:59:22] "GET /binaries/ HTTP/1.1" 200 -
localhost - - [25/Jul/2013 10:59:25] "GET /cgi-bin/ HTTP/1.1" 200 -
localhost - - [25/Jul/2013 10:59:29] "GET /README HTTP/1.1" 200 -
localhost - - [25/Jul/2013 10:59:32] "GET /submit.html HTTP/1.1" 200 -
```

Then we start dionaea.

```console
root@ruo:/opt/dionaea/bin# ./dionaea -u nobody -g nogroup -p /opt/dionaea/var/dionaea.pid -D
```

It prints the following, and is running successfully.

```console
Dionaea Version 0.1.0
Compiled on Linux/x86 at Jul 23 2013 13:51:54 with gcc 4.4.3
Started on ruo running Linux/i686 release 2.6.32-21-generic
[25072013 10:32:57] dionaea dionaea.c:245: User nobody has uid 65534
[25072013 10:32:57] dionaea dionaea.c:264: Group nogroup has gid 65534
```
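As an added example (not part of the original post), a POSIX shell check that dionaea really came up as the unprivileged user and group passed with -u/-g: first from the startup banner shown above, then from the live process behind the pid file. The function names are mine, and the sample banner is constructed from the lines printed above.

```shell
# Added example, not from the original post. Verifies that dionaea dropped to
# the user/group given with -u/-g, from its banner and from the live process.
# Function names are assumptions; the sample banner is constructed from the
# lines shown in the post.

# $1: file holding dionaea's startup output; $2: expected uid; $3: expected gid
parse_dionaea_banner() {
    uid=$(sed -n 's/.*: User [^ ]* has uid \([0-9]*\).*/\1/p' "$1" | head -n 1)
    gid=$(sed -n 's/.*: Group [^ ]* has gid \([0-9]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$uid" ] && [ "$uid" = "$2" ] && [ "$gid" = "$3" ]
}

# $1: pid file (the post uses /opt/dionaea/var/dionaea.pid); $2: expected owner.
# Returns 1 if the pid file is missing or the process runs as someone else.
check_dionaea_process() {
    [ -r "$1" ] || return 1
    pid=$(tr -d '[:space:]' < "$1")
    owner=$(ps -o user= -p "$pid" 2>/dev/null | tr -d ' ')
    [ -n "$owner" ] && [ "$owner" = "$2" ]
}

# Constructed sample banner mirroring the output printed after ./dionaea -D.
make_sample_banner() {
    cat > "$1" <<'EOF'
Dionaea Version 0.1.0
Compiled on Linux/x86 at Jul 23 2013 13:51:54 with gcc 4.4.3
Started on ruo running Linux/i686 release 2.6.32-21-generic
[25072013 10:32:57] dionaea dionaea.c:245: User nobody has uid 65534
[25072013 10:32:57] dionaea dionaea.c:264: Group nogroup has gid 65534
EOF
}

# Usage on a real install, after starting dionaea with its output saved to a file:
#   DIONAEA_BANNER=/tmp/dionaea.out DIONAEA_PID=/opt/dionaea/var/dionaea.pid sh check.sh
if [ -n "${DIONAEA_BANNER:-}" ]; then
    parse_dionaea_banner "$DIONAEA_BANNER" 65534 65534 && echo "banner: dropped to uid/gid 65534"
    check_dionaea_process "${DIONAEA_PID:-/opt/dionaea/var/dionaea.pid}" nobody && echo "process: running as nobody"
fi
```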

That concludes Part 1. Part 2 will explain how to make the appropriate annotations and additions in dionaea.conf so that wwwhoney correctly receives the HTTP submissions, and will also describe a separate, simpler non-full installation method suited to readers without a background, since Part 1 covered the full installation. Part 3 will describe in detail effective methods of example analysis, efficient ways of handling large volumes of complex records, and configuring a GUI view, with illustrations.

[via@nandi] Author: Nandi
