DIONAEA: submission module

Mark Schloesser spoke about Dionaea during his presentation at the FIRST-TC KL 2009 last December, and that got us really excited. A few MyCERT folks had a chance to do a ‘class’ with him as well and got some exposure to its internals.

We are replacing some of the nepenthes instances with Dionaea. However, the lack of centralized logging and submission features in Dionaea required us to code our own submission module. At first, it was a little bit confusing (due to my lack of understanding of Dionaea’s inner workings) to figure out the process of building the module. After a few IRC sessions (Dionaea’s IRC channel is #nepenthes on freenode) with Markus (Dionaea developer), we managed to get the module working (we dump binaries and the connection log too). Below is some output from the submission log:

Below is the module for the submission (bear in mind that this is my first time coding in Python). Please refer to modules such as surfids.py, logsql.py and test.py for more examples of using the module API.

Dionaea’s config file needs to be changed to reflect the module. Here is a sample of the Dionaea config (only the submission portion):

As for upload.php, you can use similar code here (warning: this is just sample code, modify it to fit your security requirements):
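As an added illustration of what the submission module and upload.php exchange (example code, not the post’s or Dionaea’s own, and it does not use Dionaea’s handler API): the sensor side packages the captured sample with its md5 and connection record, and the collector side performs the checks an upload receiver should do before storing anything. The sample bytes, connection fields and directory name are constructed stand-ins.

```python
import hashlib
import json
import os

# Constructed stand-ins for a captured binary and the connection it came in on
# (not data from the original post).
SAMPLE_BINARY = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_CONNECTION = {"remote_host": "192.0.2.10", "remote_port": 4444,
                     "local_port": 445, "protocol": "smbd"}
MAX_SIZE = 10 * 1024 * 1024  # collector refuses uploads above 10 MiB

def md5_of(data):
    return hashlib.md5(data).hexdigest()

def build_submission(data, connection):
    """Sensor side: package the sample bytes with a JSON record carrying the
    md5 and the connection log, the two things the post says get submitted."""
    meta = dict(connection)
    meta["md5"] = md5_of(data)
    meta["size"] = len(data)
    return {"metadata": json.dumps(meta, sort_keys=True), "file": data}

def receive_submission(submission, store_dir):
    """Collector side (what upload.php should do before trusting an upload):
    enforce a size cap, require parseable metadata, and recompute the md5 so a
    tampered or truncated upload is rejected.  The file is stored under its
    hash, never under a client-chosen name, and one copy per hash is kept.
    Returns the stored path, or None when the submission is rejected."""
    data = submission.get("file", b"")
    if not data or len(data) > MAX_SIZE:
        return None
    try:
        meta = json.loads(submission["metadata"])
    except (KeyError, ValueError):
        return None
    md5 = md5_of(data)
    if not isinstance(meta, dict) or meta.get("md5") != md5:
        return None
    os.makedirs(store_dir, exist_ok=True)
    path = os.path.join(store_dir, md5)
    if not os.path.exists(path):
        with open(path, "wb") as fh:
            fh.write(data)
    # Connection records are appended, one JSON line per sighting of this hash.
    with open(path + ".log", "a") as fh:
        fh.write(json.dumps(meta, sort_keys=True) + "\n")
    return path

if __name__ == "__main__":
    sub = build_submission(SAMPLE_BINARY, SAMPLE_CONNECTION)
    print(receive_submission(sub, "submitted_samples"))
```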

Recently Markus mentioned XMPP support in Dionaea. This is very exciting news as well. Now you’ve got a very flexible distributed environment for Dionaea.

For now, we’re happy with this implementation and will wait for XMPP support in Dionaea as well. 🙂

– mahmud

