# Ideas for Future Work
Ideas collected from nepenthes-devel mailing list archives and code review.
## Anti-Fingerprinting (HIGH PRIORITY)
Attackers can detect that dionaea is a honeypot from its default banners, version strings and certificate. Removing those fingerprints would increase capture rates.
### Nmap Detection
- NSE scripts can identify dionaea via banner fingerprinting
- Need to investigate which scripts detect it and how
### Configurable Service Banners
- FTP welcome message
- HTTP server header
- SMB version strings (see below)
- Make banners configurable per deployment
### SMB Version Strings
The SMB version strings ship with defaults that are very old:
- native_os = "Windows 5.1" (Windows XP)
- native_lan_manager = "Windows 2000 LAN Manager"
- server_name = "HOMEUSER-3AF6FE"
Options to consider:
1. Update the defaults to a newer Windows version. Keep native_os and native_lan_manager as a matched pair from the same build, and keep the plausibility ceiling in mind: dionaea only speaks SMB1 (see the note under Exploit Detection Gaps), Windows 10 has SMB1 disabled by default, and every build after XP/Server 2003 would answer an SMB2-capable client with SMB2. A banner that is too modern for the dialect on the wire is itself a fingerprint; the real fix is SMB2 support.
2. Randomize them, but per deployment rather than per connection: a host whose OS strings change between two connections is easier to spot than the stock default.
3. Make them easier to configure per deployment.
### Certificate Randomization
- Randomize certificate fields (country code, organization, OU)
- The current static defaults fingerprint the honeypot
- Check the serial number, validity period and key size as well; a fixed pattern there is just as identifying as a fixed subject
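As an added example (not dionaea's configuration or code), the following Python builds a per-deployment profile covering the three SMB strings and the certificate subject fields discussed above: it picks native_os and native_lan_manager as a matched pair, derives every value from a stable per-sensor seed so they do not change between connections, and reports which fields of a profile still carry the stock defaults. The profile strings and certificate subjects are constructed for the example; the Windows 2003/7/2008 R2 pairs follow the format those builds send in an SMB1 Session Setup response but should be verified against a real host before use.

```python
import hashlib
import random
import string

# Matched (native_os, native_lan_manager) pairs. Constructed for this example;
# the formats follow what those Windows builds send in an SMB1 Session Setup
# response, but verify each pair against a real host before deploying it.
# Nothing newer than Windows 7 / 2008 R2 is listed, and even those are a
# compromise: any build after XP/2003 would answer an SMB2-capable client
# with SMB2, which an SMB1-only stack cannot do.
SMB_PROFILES = [
    ("Windows 5.1", "Windows 2000 LAN Manager"),  # stock default (XP), kept for detection
    ("Windows Server 2003 3790 Service Pack 2", "Windows Server 2003 5.2"),
    ("Windows 7 Professional 7601 Service Pack 1", "Windows 7 Professional 6.1"),
    ("Windows Server 2008 R2 Standard 7601 Service Pack 1",
     "Windows Server 2008 R2 Standard 6.1"),
]

# Constructed certificate subject fields (country, organization, OU).
CERT_SUBJECTS = [
    ("US", "Example Logistics Inc", "IT Operations"),
    ("DE", "Beispiel Handels GmbH", "Rechenzentrum"),
    ("GB", "Example Holdings Ltd", "Infrastructure"),
]

# The defaults quoted in the text above; used to flag unchanged deployments.
STOCK_DEFAULTS = {
    "native_os": "Windows 5.1",
    "native_lan_manager": "Windows 2000 LAN Manager",
    "server_name": "HOMEUSER-3AF6FE",
}


def _rng_for(seed):
    """Deterministic RNG from a per-sensor seed (hostname, sensor id, ...):
    values differ between deployments but stay stable across connections and
    restarts. Re-randomizing per connection would show scanners a host whose
    OS changes every time they look."""
    digest = hashlib.sha256(seed.encode("utf-8")).digest()
    return random.Random(int.from_bytes(digest[:8], "big"))


def server_name(rng):
    """NetBIOS name: at most 15 characters, uppercase. The WIN-<11 chars>
    shape mimics the default computer name of Vista and later (assumed)."""
    alphabet = string.ascii_uppercase + string.digits
    return "WIN-" + "".join(rng.choice(alphabet) for _ in range(11))


def build_profile(seed):
    """Return one mutually consistent set of banner and certificate values."""
    rng = _rng_for(seed)
    native_os, lan_manager = rng.choice(SMB_PROFILES[1:])  # never the stock XP pair
    country, org, ou = rng.choice(CERT_SUBJECTS)
    return {
        "native_os": native_os,
        "native_lan_manager": lan_manager,
        "server_name": server_name(rng),
        "cert_country": country,
        "cert_org": org,
        "cert_ou": ou,
    }


def stock_fields(profile):
    """Names of fields that still carry a well-known default."""
    return [k for k, v in STOCK_DEFAULTS.items() if profile.get(k) == v]


def is_consistent(profile):
    """True when the OS and LAN Manager strings come from the same build and
    the server name fits in a NetBIOS name."""
    pair = (profile.get("native_os"), profile.get("native_lan_manager"))
    return pair in SMB_PROFILES and len(profile.get("server_name", "")) <= 15


if __name__ == "__main__":
    import json
    print(json.dumps(build_profile("sensor-01"), indent=2))
```

The resulting dict is meant to be fed into whatever configuration mechanism a deployment uses for these values; the seed should be something that is stable for the sensor but not guessable from the outside, such as a hostname plus a locally stored random token.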
## Protocol Additions
### Telnet Emulation
- IoT botnets (Mirai variants) target telnet
- Would capture significant additional malware
### DNS Honeypot/Logging
- Log DNS queries for C2 detection
- Interactive DNS proxy capability requested
### IRC Logging
- Requested but never implemented
- Would help track botnet C2 channels
## Operational Improvements
### IP Whitelist/Filter
- Exclude management IPs from logs
- Multiple requests for this feature
- Reduce noise from internal scanning
### Conficker/Noisy Attack Filtering
- Option to exclude known noisy attack types from reports
- Reduce log volume from legacy worms
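As an added example (not dionaea code) covering both the management-IP filter and the noisy-attack filter requested above, the Python below tags events instead of discarding them and applies the filter at report time: management and noisy events are kept out of the summary but still counted, so a compromised management host or a worm sample hiding something new is not silently lost. The networks, attack-type names and event records are constructed for the example and are not dionaea configuration keys.

```python
import ipaddress
from collections import Counter

# Constructed values for this example (not dionaea configuration keys).
MANAGEMENT_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:10::/48")]
NOISY_TYPES = {"conficker"}

SAMPLE_EVENTS = [  # constructed sample records
    {"remote_host": "192.0.2.10", "attack_type": "scan"},        # internal scanner
    {"remote_host": "203.0.113.5", "attack_type": "conficker"},  # legacy worm noise
    {"remote_host": "198.51.100.7", "attack_type": "download"},  # worth reporting
    {"remote_host": "not-an-ip", "attack_type": "download"},     # malformed address
]


def classify(event, management_nets=MANAGEMENT_NETS, noisy_types=NOISY_TYPES):
    """Return the tags that apply to one event. Parsing the address with the
    ipaddress module handles IPv4 and IPv6 and avoids string-prefix matches
    such as '192.0.2.10' matching a filter for '192.0.21.0/24'."""
    try:
        src = ipaddress.ip_address(event.get("remote_host", ""))
    except ValueError:
        return ["bad-address"]  # never treat an unparseable address as trusted
    tags = []
    if any(src in net for net in management_nets):
        tags.append("management")
    if event.get("attack_type") in noisy_types:
        tags.append("noisy")
    return tags


def filter_for_report(events, **kwargs):
    """Split events into those that go into the report and a tally of what
    was suppressed. Suppression happens here, not at capture time, so the
    raw log still holds everything."""
    kept, suppressed = [], Counter()
    for event in events:
        tags = classify(event, **kwargs)
        if "management" in tags or "noisy" in tags:
            suppressed.update(tags)
        else:
            kept.append(dict(event, tags=tags))
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = filter_for_report(SAMPLE_EVENTS)
    for event in kept:
        print(event)
    print("suppressed:", dict(suppressed))
```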
### Dynamic IP Adoption
- Handle PPPoE/DHCP reconnects without restart
- Use INADDR_ANY or netlink for dynamic interface detection
### Database Size Management
- SQLite files grow to 10GB+
- Need rotation/archival strategy
- Log rotation via SIGHUP
### Periodic Email Reports
- Daily/weekly summary emails
- Multiple requests for this feature
### Listen on Custom Ports
- HTTP on 8080, etc.
- Expand capture surface
### Configurable wwwroot
- Serve fake content to reduce 404s
- Make honeypot appear more realistic
## Logging Improvements
### Better Logging Format
- "Too debug-like" - need more operational focus
- Reduce noise, increase signal
### Failed Attack Detection
- Log when exploitation attempts fail
- Identify unsuccessful attacks
### Geolocation Integration
- Map attack sources geographically
- Multiple requests for this feature
### Monthly Statistics Queries
- Time-based reporting helpers
- SQL query examples for common reports
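As an added example covering both the SQLite growth problem under Database Size Management and the request for monthly statistics queries, the Python below (not part of dionaea) runs a per-month, per-protocol count and then archives rows older than a cutoff into a separate SQLite file before reclaiming space with VACUUM. The schema is a constructed, trimmed-down table whose column names are assumed to match dionaea's connections table; the rows are constructed sample data.

```python
import datetime as dt
import sqlite3

# Trimmed-down, constructed schema (added example, not dionaea's logsql.sql).
# The column names are assumed to match the connections table of a dionaea
# SQLite log; adapt them to the schema you actually have.
SCHEMA = """
CREATE TABLE IF NOT EXISTS connections (
    connection           INTEGER PRIMARY KEY,
    connection_protocol  TEXT,
    connection_timestamp INTEGER,
    remote_host          TEXT,
    local_port           INTEGER
)"""


def _ts(year, month, day):
    return int(dt.datetime(year, month, day, tzinfo=dt.timezone.utc).timestamp())


SAMPLE_ROWS = [  # constructed sample data
    ("smbd", _ts(2024, 1, 15), "203.0.113.5", 445),
    ("smbd", _ts(2024, 1, 16), "203.0.113.5", 445),
    ("httpd", _ts(2024, 1, 20), "198.51.100.7", 80),
    ("smbd", _ts(2024, 2, 10), "203.0.113.9", 445),
    ("ftpd", _ts(2024, 3, 3), "192.0.2.3", 21),
]

# Monthly report: connections per month and protocol.
MONTHLY_SQL = """
SELECT strftime('%Y-%m', connection_timestamp, 'unixepoch') AS month,
       connection_protocol,
       COUNT(*)
FROM connections
GROUP BY month, connection_protocol
ORDER BY month, connection_protocol"""


def monthly_counts(conn):
    return conn.execute(MONTHLY_SQL).fetchall()


def archive_older_than(conn, archive_path, cutoff_ts):
    """Move rows older than cutoff_ts into a separate SQLite file and VACUUM.
    DELETE alone does not shrink the file; only VACUUM returns the space,
    and VACUUM needs an exclusive lock plus temporary space about the size
    of the remaining data, so run this while dionaea is stopped or quiet."""
    cutoff = (cutoff_ts,)
    moved = conn.execute(
        "SELECT COUNT(*) FROM connections WHERE connection_timestamp < ?", cutoff
    ).fetchone()[0]
    conn.execute("ATTACH DATABASE ? AS archive", (archive_path,))
    # Copy the column layout without any rows, then move the old rows over.
    conn.execute("CREATE TABLE IF NOT EXISTS archive.connections AS "
                 "SELECT * FROM main.connections WHERE 0")
    conn.execute("INSERT INTO archive.connections "
                 "SELECT * FROM main.connections WHERE connection_timestamp < ?", cutoff)
    conn.execute("DELETE FROM main.connections WHERE connection_timestamp < ?", cutoff)
    conn.commit()  # DETACH and VACUUM both refuse to run inside a transaction
    conn.execute("DETACH DATABASE archive")
    conn.execute("VACUUM")
    remaining = conn.execute("SELECT COUNT(*) FROM connections").fetchone()[0]
    return moved, remaining


def demo(archive_path=":memory:"):
    """Build the sample database, report, archive everything before Feb 2024,
    and report again. Pass a real path for archive_path outside of a demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO connections (connection_protocol, connection_timestamp, "
        "remote_host, local_port) VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    before = monthly_counts(conn)
    moved, remaining = archive_older_than(conn, archive_path, _ts(2024, 2, 1))
    return {"monthly": before, "moved": moved, "remaining": remaining,
            "after": monthly_counts(conn)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run the archive step from cron with a fixed retention window (for example, everything older than 90 days) and write each archive to a dated file; the monthly query works unchanged against the archive files, so old months stay queryable without bloating the live database.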
## Submission/Integration
### HTTP Submit Handler
- Alternative to XMPP for sample submission
- Simpler deployment
### SCP Binary Transfer
- Transfer samples to analysis server via SCP
### Sandbox API Integration
- Malwr.com / Cuckoo API submission
- Auto-submit samples for analysis
### SIEM Integration
- ArcSight, Splunk, etc.
- Standard log format export
### Syslog Forwarding
- Send events to syslog server
- Requested for central logging
## Data Processing
### Bistream to PCAP Conversion
- Convert bistream files to Wireshark-compatible format
- Analysis tool request
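As an added example (not a dionaea tool), the Python below writes a bistream as a synthetic TCP conversation in pcap format that Wireshark can open and reassemble with Follow TCP Stream. It assumes a bistream dump is Python source of the form `stream = [('in', b'...'), ('out', b'...'), ...]` where `in` is data the honeypot received and `out` data it sent; the endpoint addresses, ports, initial sequence numbers and timestamps are invented because a bistream records none of them, and the TCP checksum is left at zero. The sample stream is constructed.

```python
import ast
import socket
import struct

LINKTYPE_IPV4 = 228      # raw IPv4 packets, no link-layer header
PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
MSS = 1460               # split large payloads into plausible segments

# Constructed sample in the assumed bistream layout: (direction, bytes) pairs,
# 'in' = received by the honeypot, 'out' = sent by it. Payloads are the start
# of a NetBIOS session message carrying an SMB header, shortened.
SAMPLE_STREAM = [
    ("in", b"\x00\x00\x00\x2f\xffSMBr\x00"),
    ("out", b"\x00\x00\x00\x10\xffSMBr\x00"),
]


def load_bistream(path):
    """Read a bistream dump. Assumption: the file is Python source of the form
    `stream = [('in', b'...'), ...]`. literal_eval parses the literal without
    executing anything, which matters for a file holding attacker bytes."""
    with open(path, "r") as fh:
        _, _, rhs = fh.read().partition("=")
    return ast.literal_eval(rhs.strip())


def ipv4_checksum(header):
    """One's-complement sum over the IPv4 header; returns 0 for a header
    whose checksum field is already correct."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def segment(src, dst, seq, ack, payload):
    """IPv4 + TCP (PSH/ACK) around payload; src and dst are (ip, port).
    The TCP checksum stays zero: Wireshark does not validate it by default."""
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, socket.inet_aton(src[0]), socket.inet_aton(dst[0]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + tcp + payload


def bistream_to_pcap(stream, client=("10.0.0.2", 49152), server=("10.0.0.1", 445),
                     start_ts=0.0):
    """Return pcap bytes for one synthetic TCP conversation. Sequence and
    acknowledgement numbers are tracked per direction so reassembly works;
    addresses, ports, ISNs and timestamps are invented (see the lead-in)."""
    seq = {"in": 1000, "out": 2000}
    ends = {"in": (client, server), "out": (server, client)}
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_IPV4))
    ts = start_ts
    for direction, data in stream:
        if direction not in ends:
            raise ValueError("unknown direction %r" % (direction,))
        src, dst = ends[direction]
        other = "out" if direction == "in" else "in"
        for off in range(0, len(data), MSS):
            chunk = data[off:off + MSS]
            pkt = segment(src, dst, seq[direction], seq[other], chunk)
            seq[direction] += len(chunk)
            out += struct.pack("<IIII", int(ts), int((ts - int(ts)) * 1_000_000),
                               len(pkt), len(pkt))
            out += pkt
            ts += 0.001
    return bytes(out)


def pcap_records(pcap):
    """Walk a pcap file and return its packets (used to sanity-check output)."""
    records, pos = [], 24
    while pos < len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[pos:pos + 16])
        records.append(pcap[pos + 16:pos + 16 + incl_len])
        pos += 16 + incl_len
    return records


if __name__ == "__main__":
    import sys
    stream = load_bistream(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_STREAM
    sys.stdout.buffer.write(bistream_to_pcap(stream))
```

Usage: `python bistream2pcap.py bistreams/<file> > session.pcap` and open the result in Wireshark. No handshake packets are emitted; Wireshark follows the stream anyway, and the invented ISNs keep the relative sequence numbers readable.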
### Log Parsing Tools
- grep-style log filtering
- Statistics generation utilities
## Architecture
### Centralized Multi-Sensor Repository
- Collect samples from distributed sensors
- Central analysis and deduplication
### PostgreSQL/MySQL Support
- Alternative to SQLite for large deployments
- Better concurrent access
## Known Bugs (from mailing list, may still exist)
### HTTP Directory Listing Bug
- Shows directory listing even when index.html exists
- Patch was submitted but may not be merged
### 92-byte Truncated Binary Captures
- Some downloads truncated to 92 bytes
- Reported multiple times
## Exploit Detection Gaps
### SMBGhost (CVE-2020-0796)
- SMB 3.1.1 compression vulnerability
- Requires SMB2/SMB3 support
### SMBleed (CVE-2020-1206)
- Related to SMBGhost
- Requires SMB2/SMB3 support
### PrintNightmare (CVE-2021-34527)
- Print Spooler vulnerability
- Could potentially add to existing SPOOLSS handler
Note: SMB2/SMB3 exploits require protocol support dionaea doesn't have.