Dionaea honeypot: from Conficker to WannaCry + SambaCry CVE-2017-7494

30 May 2017 Roberto Tanara dionaea honeypot sambacry wannacry

This is a contribution by Tan Kean Siong, follow him on Twitter @gento_ .

The open source honeypot Dionaea has long supported SMB, but it lacked support for the recent WannaCry ransomware SMB vulnerability and for the most recent Samba RCE vulnerability, CVE-2017-7494, dubbed “SambaCry”, both of which are used in wormable attacks. With the recent changes, both attack vectors are supported and respective samples have been caught in the wild.

Dionaea is a low interaction, server side honeypot which emulates a vulnerable system or device. Its ultimate goal is to gain a copy of the malware. It supports various protocols and network stacks e.g. SMB, HTTP, FTP, TFTP, MSSQL, MySQL, SIP (VOIP). Recently it also got support to emulate an IoT device, SmartTV or XBOX with the UPnP and MQTT protocols enabled. Dionaea was created back in the years of the Conficker worm, and yet its solid SMB network stack proved to be useful in 2017 for the WannaCry worm hunt across the Internet.

Improved logging capabilities of dionaea

14 Dec 2015 Stanislav Barta dionaea frontend honeypot

Hello,

Recently I made a fork of dionaea and DionaeaFR. The changes that I made are related to remote logging to a relational database. The Dionaea honeypot can now log remotely to a PostgreSQL database. In the DionaeaFR frontend I had to make some changes so that it could support reading data from PostgreSQL.

Links are github.com/GovCERT-CZ/dionaea and github.com/GovCERT-CZ/DionaeaFR.

I think that someone could use that, so I am writing this post.

Have a nice day,

Stanislav Bárta

GovCERT.CZ (member of Czech Chapter)

Dionaea Installation

09 May 2011 Oguz Yarimtepe debian dionaea log-record

This summer, I will be dealing with malware analysis distribution from a visualization perspective on a timeline and geographic basis. To collect data related to malware, I installed Dionaea, which is a successor of Nepenthes. The documentation of Dionaea is plain and easy to follow. I chose Debian Squeeze to install the honeypot on. Installing the base system from the netinstall CD and following the documentation was enough until I got an error message during the compiling process of Dionaea. “common” from the IRC channel of Nepenthes was helpful with the solution of the problem. The problem was defined at http://sourceforge.net/mailarchive/message.php?msg_id=27441025. It was because of the wrong Cython version usage with a makefile error.