Build and install dionaea
We're now recommending the use of dionaea as a server side honeypot. It is a successor to nepenthes which offers many new features and advantages, and is relatively easy to install. For information about dionaea, including installation instructions, please visit the dionaea project page here: dionaea
Build and install nepenthes
The following instructions will help you build and configure a low interaction honeypot based on nepenthes. The version of nepenthes in subversion is really the best one to use, so we'll have to build from source.
First, we do some ground work to set up our build environment. I have compiled and run nepenthes on Ubuntu 6.06 LTS and Debian 3.1 with few issues. The actual build instructions are the same, regardless of the distro. However, the dependencies would be different. This would also be a good time to create a user and group named nepenthes.
On my Debian server, I installed the following packages before getting started:
- flex - 2.5.31-31sarge1
- bison - 1.875d-1
- libtool - 1.5.6-6
- automake - 1.9.5 (automake1.9)
- autoconf - 2.59a-3
- libadns1 - 1.0-8.2
- libadns1-dev - 1.0-8.2
- libcurl3 - 7.13.2-2sarge5
- libcurl3-dev - 7.13.2-2sarge5
- libmagic1 - 4.12-1
- libmagic-dev - 4.12-1
- libpcre3 - 4.5-1.2sarge1
- libpcre3-dev - 4.5-1.2sarge1
- subversion - 1.1.4-2
Create a build directory and check out nepenthes:
mkdir ~/nepenthes
cd ~/nepenthes
svn co https://svn.mwcollect.org/nepenthes/trunk
To make things easier in the future, we make a copy of what we just checked out to do the build:
cp -a trunk build
The fun begins, let's build things. If you have bits of libpcap installed, configure will try and add the pcap honeytrap module. I've added configure lines to specifically disable the honeytrap modules. If you want to try and get them working, feel free. The actual build will take a while.
cd build
sudo mkdir /opt/nepenthes
sudo chown nepenthes:nepenthes /opt/nepenthes
autoreconf -v -i --force
./configure --prefix=/opt/nepenthes --disable-ipq --disable-pcap
make && sudo make install
sudo chown -R nepenthes:nepenthes /opt/nepenthes
Enabling support for submission to the Norman sandbox is optional, but recommended. Add (or uncomment) the following entry in the modules block of /opt/nepenthes/etc/nepenthes/nepenthes.conf:
"submitnorman.so", "submit-norman.conf", ""
Then edit /opt/nepenthes/etc/nepenthes/submit-norman.conf to set the address the sandbox reports are sent to. Again, this is optional, but recommended:
submit-norman
{
    // this is the address where Norman sandbox reports will be sent
    email "you@example.net";
};
At this point, the sensor is configured and ready to run. Start it up, and have it drop its privileges and run as nepenthes:
sudo /opt/nepenthes/bin/nepenthes -u nepenthes -g nepenthes -w /opt/nepenthes
Now, watch the logs. Try a portscan from a host on a different network just to see if the ports are open and listening.
Periodically, you should check /opt/nepenthes/var/binaries/ for malware binaries. Also, consider applying to join the mwcollect Alliance and submit your samples there. If accepted, there is a module for nepenthes to automatically submit binaries. The Alliance will provide configuration instructions.
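A small script for that periodic check, added here as an example and not part of nepenthes or the mwcollect tooling: it records a SHA-256 manifest of everything in the binaries directory and reports samples not seen on the previous run, so new captures stand out without re-reading the whole directory by hand. It assumes coreutils sha256sum (or perl's shasum as a fallback) and an assumed manifest path, $HOME/nepenthes-samples.manifest.

```shell
#!/bin/sh
# Added example (not nepenthes project code): inventory collected samples and
# report the ones that were not in the manifest on the previous run.
# Assumes sha256sum (or shasum -a 256) and a writable manifest file.

# Print "sha256 size filename" for every regular file in $1, sorted by hash.
# nepenthes names each binary by its MD5, so the filename is already a hash.
inventory_binaries() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if command -v sha256sum >/dev/null 2>&1; then
            h=$(sha256sum "$f" | cut -d' ' -f1)
        else
            h=$(shasum -a 256 "$f" | cut -d' ' -f1)
        fi
        s=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s %s\n' "$h" "$s" "$(basename "$f")"
    done | sort
}

# Compare a fresh inventory of directory $1 against manifest $2: print a
# "NEW sha256 size filename" line for each hash not already recorded, then
# overwrite the manifest with the current inventory.
report_new_samples() {
    dir="$1"
    manifest="$2"
    [ -f "$manifest" ] || : > "$manifest"
    current=$(inventory_binaries "$dir")
    printf '%s\n' "$current" | while read -r h s n; do
        [ -z "$h" ] && continue
        grep -q "^$h " "$manifest" || printf 'NEW %s %s %s\n' "$h" "$s" "$n"
    done
    printf '%s\n' "$current" > "$manifest"
}

# Usage against the sensor paths from this page (manifest path is assumed).
if [ -d /opt/nepenthes/var/binaries ]; then
    report_new_samples /opt/nepenthes/var/binaries "$HOME/nepenthes-samples.manifest"
fi
```

Run it from cron as the nepenthes user; a non-empty report is the cue to pull the new files for analysis or submission.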