Dionaea binary in Kibana #1199

V0lundr · 2022-10-25T09:56:25Z

V0lundr
Oct 25, 2022

Hi, When a certain binary gets dropped under /data/dionaea/binaries, is there a way to trace it in the Kibana logs to understand it's origin and the context around it, like with Cowrie binary/hash/logs for example?

Answered by t3chn0m4g3

May 16, 2023

This is not a T-Pot issue and usually this does the trick ...

On T-Pot add the user you want to scp with to the tpot-group: sudo usermod -aG tpot <scp user>.

If this does not work, it is a typical Linux permission issue, nothing we can fix.

View full answer

t3chn0m4g3 · 2022-11-01T14:26:11Z

t3chn0m4g3
Nov 1, 2022
Maintainer

No, there is no info available in Kibana since Dionaea does not log this information.

0 replies

vertebarbe · 2022-11-04T15:05:18Z

vertebarbe
Nov 4, 2022

Hello, I had the same problem, so I forked dionaea's 0.11.0 version here: https://github.com/vertebarbe/dionaea
I added logging of md5 and sha256 hashes when a file is uploaded.

@V0lundr, if you want to add it to T-Pot you can:

checkout the relevant commit here: vertebarbe/dionaea@dae4676
copy the files log_json.py and store.py on your T-Pot instance
Add the following lines to your /opt/tpot/etc/tpot.yml in the "volumes" section of the dionaea service
- /path/to/store.py:/opt/dionaea/lib/dionaea/python/dionaea/store.py
- /path/to/log_json.py:/opt/dionaea/lib/dionaea/python/dionaea/log_json.py

If you are interested, I also added some support for basic smb and ftp uploads in the next commits.

27 replies

Rocco-Hash1 May 15, 2023

@vertebarbe thanks for showing me that so cool, but i cant get the binaries out

Rocco-Hash1 May 16, 2023

@vertebarbe you got any ideas, is this a known issue with tpot? should i file an issue?

vertebarbe May 16, 2023

I don't have any idea of why this would be happening, sorry, you can try creating an issue about this.

t3chn0m4g3 May 16, 2023
Maintainer

This is not a T-Pot issue and usually this does the trick ...

On T-Pot add the user you want to scp with to the tpot-group: sudo usermod -aG tpot <scp user>.

If this does not work, it is a typical Linux permission issue, nothing we can fix.

Answer selected by t3chn0m4g3

Rocco-Hash1 May 16, 2023

all good @vertebarbe thank you so much if it wasnt for you I wouldnt have gotten this far, thank you!! I'm going to take tpot offline until i can get an answer going to file an issue thanks again

Rocco-Hash1 May 16, 2023

This is not a T-Pot issue and usually this does the trick ...

On T-Pot add the user you want to scp with to the tpot-group: sudo usermod -aG tpot <scp user>.

If this does not work, it is a typical Linux permission issue, nothing we can fix.

so what would you suggest the screenshots show its not working what would you suggest

Rocco-Hash1 May 16, 2023

@t3chn0m4g3 you was right i go it was a permission issue thank you and @vertebarbe for your help

Rocco-Hash1 · 2023-05-12T20:05:43Z

Rocco-Hash1
May 12, 2023

thanks @vertebarbe they took out the tpot again so i got to spin up another once it is all done I will reply back i hope it works thank you so much for your assistance so far

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Dionaea binary in Kibana #1199

{{title}}

Replies: 3 comments 27 replies

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Dionaea binary in Kibana #1199

Replies: 3 comments · 27 replies

t3chn0m4g3 Nov 1, 2022 Maintainer

t3chn0m4g3 May 16, 2023 Maintainer

Replies: 3 comments 27 replies

t3chn0m4g3
Nov 1, 2022
Maintainer

t3chn0m4g3 May 16, 2023
Maintainer