
Dionaea missing MQTT, UPNP attacks information #296

Closed
AizazZaidee opened this issue Feb 13, 2019 · 1 comment
AizazZaidee commented Feb 13, 2019

Hi,
I have found out that Dionaea is not capturing any information about MQTT, UPnP. I went into tpotce/docker/dionaea/dist/etc/services/ but was unable to find UPnP.yaml. Is it possible that I can create a yaml like the following?

Samsung TV

```yaml
  cache:     "CACHE-CONTROL: max-age=900\r\n"
  st:        "ST: uuid:c1fd12b2-d954-4dba-9e92-a697e1558fb4\r\n"
  usn:       "USN: uuid:c1fd12b2-d954-4dba-9e92-a697e1558fb4\r\n"
  server:    "SERVER: SHP, UPnP/1.0, Samsung UPnP SDK/1.0\r\n"
  location:  "LOCATION: http://{My IP}:7677/MainTVServer2\r\n"
  opt:       "OPT: http://schemas.upnp.org/upnp/1/0/\r\n"
```

Reference https://dionaea.readthedocs.io/en/latest/service/upnp.html?highlight=upnp

How can I also capture UPnP and MQTT attacks using Dionaea?

Output of dps.sh

```text
========| System |========
    Date:  Wed Feb 13 21:06:51 UTC 2019
  Uptime:  21:06:51 up 17:39,  1 user,  load average: 1.02, 0.72, 0.61
No sensors found!
Make sure you loaded all the kernel drivers you need.
Try sensors-detect to find out which these are.
CPU temp:

NAME                  STATUS                       PORTS
adbhoney              Up 17 hours             0.0.0.0:5555->5555/tcp
ciscoasa              Up 17 hours
conpot_guardian_ast   Up 17 hours             0.0.0.0:10001->10001/tcp
conpot_iec104         Up 17 hours             0.0.0.0:161->161/tcp, 0.0.0.0:2404->2404/tcp
conpot_ipmi           Up 17 hours             0.0.0.0:623->623/tcp
conpot_kamstrup_382   Up 17 hours             0.0.0.0:1025->1025/tcp, 0.0.0.0:50100->50100/tcp
cowrie                Up 17 hours             0.0.0.0:22-23->22-23/tcp
cyberchef             Up 17 hours (healthy)   127.0.0.1:64299->8000/tcp
dionaea               Up 17 hours
elasticpot            Up 17 hours             0.0.0.0:9200->9200/tcp
elasticsearch         Up 17 hours (healthy)   127.0.0.1:64298->9200/tcp
ewsposter             Up 17 hours
glutton               Up 17 hours
head                  Up 16 hours (healthy)   127.0.0.1:64302->9100/tcp
heralding              Up 17 hours             0.0.0.0:110->110/tcp, 0.0.0.0:143->143/tcp, 0.0.0.0:993->993/tcp, 0.0.0.0:995->995/tcp, 0.0.0.0:5432->5432/tcp, 0.0.0.0:5900->5900/tcp
kibana                Up 16 hours (healthy)   127.0.0.1:64296->5601/tcp
logstash              Up 16 hours (healthy)
mailoney              Up 17 hours             0.0.0.0:25->25/tcp
medpot                Up 17 hours             0.0.0.0:2575->2575/tcp
nginx                 Up 17 hours
p0f                   Up 17 hours
rdpy                  Up 17 hours             0.0.0.0:3389->3389/tcp
snare                 Up 17 hours             0.0.0.0:80->80/tcp
spiderfoot            Up 17 hours (healthy)   127.0.0.1:64303->8080/tcp
suricata              Up 17 hours
tanner                Up 17 hours
tanner_api            Up 17 hours
tanner_phpox          Up 17 hours
tanner_redis          Up 17 hours             6379/tcp
tanner_web            Up 17 hours
```

Thanks.

t3chn0m4g3 (Member) commented

With T-Pot's design we somewhere on the way opted against UDP services, such as UPnP on udp/1900. The number of false positives was just too high.

MQTT on the other hand is pretty much active:
https://github.com/dtag-dev-sec/tpotce/blob/master/docker/dionaea/dist/etc/services/mqtt.yaml
https://github.com/dtag-dev-sec/tpotce/blob/c67e4593d7fad9de544f771bd621d43ff9f91004/docker/dionaea/docker-compose.yml#L24

You can always adjust T-Pot's config by using docker volume statements in tpot.yml and map your preferred config files into the container upon its creation.

Please use the search function in the issues (docker volume), also find another example in the Wiki.
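As an added illustration of the volume-mapping approach described in the reply above (example configuration, not T-Pot's own tpot.yml and not taken from the project): a trimmed dionaea service entry that bind-mounts a host-side copy of mqtt.yaml over the copy shipped in the image, so the container starts with your edited service definition. The host path under /data/dionaea/custom, the in-container path /opt/dionaea/etc/dionaea/services-enabled/, the compose file version and the image tag are all assumptions; confirm the real paths against the project's Dockerfile and the dionaea documentation before relying on them.

```yaml
# Added example: excerpt of a tpot.yml / docker-compose service entry for dionaea.
# Every path, the compose version and the image tag below are assumptions,
# not values taken from the T-Pot repository.
version: '2.3'

services:
  dionaea:
    container_name: dionaea
    restart: always
    image: "dtagdevsec/dionaea:EXAMPLE_TAG"   # placeholder tag, substitute the real one
    read_only: true
    ports:
      # MQTT listener; the port the mounted mqtt.yaml is expected to bind (assumed).
      # A UDP service such as UPnP would additionally need a "1900:1900/udp"
      # mapping, which the maintainers deliberately left out because of the
      # false-positive volume mentioned above.
      - "1883:1883"
    volumes:
      # Persisted honeypot data as T-Pot normally maps it (path assumed).
      - /data/dionaea:/opt/dionaea/var/dionaea
      # Your edited service definition, mounted read-only over the image's copy.
      # Keep the file name identical so dionaea picks it up as the same service.
      - /data/dionaea/custom/mqtt.yaml:/opt/dionaea/etc/dionaea/services-enabled/mqtt.yaml:ro
```

After editing tpot.yml, recreate the container rather than just restarting it, since bind mounts are attached at creation time; `docker inspect dionaea` then shows the mount under `Mounts`, and a connection attempt to tcp/1883 from a second host should appear in the dionaea logs under /data/dionaea. Mounting the file read-only is a deliberate choice: a honeypot service that attackers interact with should not be able to rewrite its own configuration.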
