
WannaCry detection #103

Closed
Mato-Z opened this Issue May 31, 2017 · 7 comments

Mato-Z commented May 31, 2017

ISSUE TYPE
  • Feature Idea
DIONAEA VERSION
latest
OS / ENVIRONMENT
  • Debian 8.0
SUMMARY

Hello, have you thought about a modification for WannaCry and SambaCry (CVE 2017-7494) detection? It is described here https://www.honeynet.org/node/1353 and the changes are in this repository https://github.com/gento/dionaea/commits/master (last three commits).

Thank you.

@phibos phibos added this to the 0.7.0 milestone May 31, 2017

@phibos phibos self-assigned this May 31, 2017


phibos May 31, 2017

Member

I had the same idea a few hours ago and I have already started to merge the commits. Feel free to have a look at #104. It still needs some testing and I think dionaea is unable to store the payload at the moment, but I think I will fix this soon.



gento May 31, 2017

Contributor

Hey @phibos , thanks for the merges about the SMB patches!

By the way, we can test the SMB patches with:

Dionaea should be able to store the payloads from these 2 modules. Again, thanks for the good work!



phage-nz Jun 1, 2017

@phibos, I observed files failing to save due to a missing key - 'downloads' - on line 665 of smb.py:

dir = g_dionaea.config()['downloads']['dir'] + "/"

If replaced with the following:

dionaea_config = g_dionaea.config().get("dionaea")
download_dir = dionaea_config.get("download.dir")

Along with replacing occurrences of 'dir' with 'download_dir', files are saved into the standard 'binaries' directory (or whatever the user has configured in their dionaea.conf).

My first hit was: https://www.virustotal.com/en/file/c05e2dab77349cd639aa837e7e121710b8a0718d8fc93fb4cc6458ae90e5c597/analysis/

I am still seeing a lot of occurrences of 'SMB dionaea/smb/smb.py:112-critical: === SMB did not get enough data' in my log, however... but that could well be standard background noise.



fe7ch Jun 1, 2017

@phage-nz Thanks for your tip. That explains why my dionaea instance didn't save payloads yesterday. Finally, it saved a payload after applying your suggested changes.



Tigzy Jun 1, 2017

Hey, after applying the change above I have a payload, however the store.py module always says the file already exists. Are we bypassing store.py with that change?



Tigzy Jun 1, 2017

I've fixed the thing by adding '.tmp' to the file path downloaded into binaries.
So then when the store.py gets called it will just create a hardlink to it.

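
An added illustration of the two points raised in this thread, not dionaea's own code (`resolve_download_dir`, `save_payload_tmp`, `store_payload` and `demo` are hypothetical names): a config lookup that tolerates both the old 'downloads' layout and the new 'download.dir' key instead of failing with a KeyError, and why writing the capture under a '.tmp' name lets a content-addressed store hardlink it to its hash name rather than reporting that the file already exists.

```python
import hashlib
import os
import tempfile

def resolve_download_dir(config):
    # Hypothetical helper. The newer layout is config["dionaea"]["download.dir"];
    # the older config["downloads"]["dir"] lookup raises KeyError when that
    # section is absent, which is the failure reported in this thread.
    section = config.get("dionaea") or {}
    if "download.dir" in section:
        return section["download.dir"]
    if "dir" in config.get("downloads", {}):
        return config["downloads"]["dir"]
    raise KeyError("no download directory configured")

def save_payload_tmp(data, download_dir):
    # Write the captured bytes to a unique *.tmp file, never to the hash name.
    os.makedirs(download_dir, exist_ok=True)
    fd, tmp_path = tempfile.mkstemp(suffix=".tmp", dir=download_dir)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return tmp_path

def store_payload(tmp_path, download_dir):
    # Content-addressed store: hardlink the tmp file to its sha256 name and
    # return (final_path, is_new). A repeat payload is recognised by the existing
    # hash-named file and the tmp copy dropped. Had the capture been written under
    # the hash name itself, os.link would raise FileExistsError (the symptom above).
    with open(tmp_path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    final_path = os.path.join(download_dir, digest)
    is_new = not os.path.exists(final_path)
    if is_new:
        os.link(tmp_path, final_path)
    os.unlink(tmp_path)
    return final_path, is_new

def demo(payload=b"constructed sample payload, not a real capture"):
    # Run capture -> store twice in a scratch directory and report the outcome.
    scratch = tempfile.mkdtemp(prefix="binaries-")
    d = resolve_download_dir({"dionaea": {"download.dir": scratch}})
    first_path, first_new = store_payload(save_payload_tmp(payload, d), d)
    second_path, second_new = store_payload(save_payload_tmp(payload, d), d)
    return {
        "first_new": first_new,
        "second_new": second_new,
        "same_path": first_path == second_path,
        "name_is_sha256": os.path.basename(first_path) == hashlib.sha256(payload).hexdigest(),
        "leftover_tmp": [n for n in os.listdir(d) if n.endswith(".tmp")],
    }
```

The second store of the same bytes returns the existing hash-named path with is_new False and leaves no '.tmp' file behind, which is the behaviour the '.tmp' rename above relies on.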


phibos Jun 4, 2017

Member

I have merged the support for WannaCry and SambaCry into the master branch. Thanks for all your work and comments.


@phibos phibos closed this Jun 4, 2017
