Deploying Dionaea Honeypots & Collecting Logs to Elastic Cloud

Since finishing my university degree (where my final assignment was based around collecting threat intelligence from honeypots) I have been further exploring their deployment and refinement to collect attack data from across the globe.

One of my favourite honeypots is Dionaea, which I am presently deploying on a short-term basis to collect basic attack data and to play around with different configurations as I work in more analysis capabilities.

Deploying honeypots at scale, however, is quite difficult, and you need to get the logs out of those honeypots into something that makes correlation easy. So for this brief write-up, I am going to mash together my two favourite things right now: Dionaea and Elastic Cloud!

First up, you will need a hosting provider somewhere to park your honeypot (please make sure you read your provider's terms of service before doing this), and you will need to install Dionaea.

In my case I have chosen to use Ubuntu 18.04, and I am using DigitalOcean as a quick and easy option to deploy my honeypots.

apt update && apt upgrade -y

# Generate a new random hostname. Keep the same value in /etc/hosts, /etc/hostname
# and hostnamectl, otherwise sudo and friends complain that the host cannot be resolved.
old=$(cat /etc/hostname)
new="SVR-$(tr -dc 'A-Z0-9' < /dev/urandom | head -c12)"
sed -i "s/$old/$new/g" /etc/hosts
sed -i "s/$old/$new/g" /etc/hostname
hostname "$new"
hostnamectl set-hostname "$new"

apt --yes install \
     git \
     supervisor \
     build-essential \
     cmake \
     check \
     cython3 \
     libcurl4-openssl-dev \
     libemu-dev \
     libev-dev \
     libglib2.0-dev \
     libloudmouth1-dev \
     libnetfilter-queue-dev \
     libnl-3-dev \
     libpcap-dev \
     libssl-dev \
     libtool \
     libudns-dev \
     python3 \
     python3-dev \
     python3-bson \
     python3-yaml

git clone 
cd dionaea
git checkout baf25d6

mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX:PATH=/opt/dionaea ..

make install

# Dionaea drops privileges to nobody:nogroup, so it must own the directories it writes to.
# Log output lives under var/log/dionaea; captured bistreams and binaries go under
# var/lib/dionaea, which is also where the hourly cleanup below looks.
mkdir -p /opt/dionaea/var/log/dionaea/wwwroot /opt/dionaea/var/log/dionaea/binaries /opt/dionaea/var/log/dionaea/log
chown -R nobody:nogroup /opt/dionaea/var/log/dionaea

mkdir -p /opt/dionaea/var/lib/dionaea/bistreams /opt/dionaea/var/lib/dionaea/binaries
chown -R nobody:nogroup /opt/dionaea/var/lib/dionaea

sed -i 's/default.levels=all/default.levels=all,-debug/g' /opt/dionaea/etc/dionaea/dionaea.cfg

# Hourly housekeeping so a busy honeypot does not fill its disk: compress captured
# bistreams and binaries after an hour, delete them after three, prune empty directories.
cat > /etc/cron.hourly/ <<EOF
#!/bin/sh
find /opt/dionaea/var/lib/dionaea/bistreams -type f ! -name '*.gz' -mmin +60 -exec gzip {} \;
find /opt/dionaea/var/lib/dionaea/bistreams -type f -mmin +180 -exec rm -f {} \;
find /opt/dionaea/var/lib/dionaea/bistreams -mindepth 1 -type d -empty -delete
find /opt/dionaea/var/lib/dionaea/binaries -type f ! -name '*.gz' -mmin +60 -exec gzip {} \;
find /opt/dionaea/var/lib/dionaea/binaries -type f -mmin +180 -exec rm -f {} \;
find /opt/dionaea/var/lib/dionaea/binaries -mindepth 1 -type d -empty -delete
EOF
chmod +x /etc/cron.hourly/

# Rotate Dionaea's own log files. Dionaea keeps the file handle open, so restart it
# after rotation; it runs under supervisor (below), not as a system service.
cat > /etc/logrotate.d/dionaea <<EOF
/opt/dionaea/var/log/dionaea/dionaea*.log {
    rotate 2
    create 660 root root
    postrotate
        supervisorctl restart dionaea
    endscript
}
EOF

# Keep Dionaea running under supervisor; the [program:...] header is what
# supervisorctl update looks for when it picks up the new file.
cat > /etc/supervisor/conf.d/dionaea.conf <<EOF
[program:dionaea]
command=/opt/dionaea/bin/dionaea -c /opt/dionaea/etc/dionaea/dionaea.cfg
EOF

supervisorctl update

Now by this stage, if you have installed Dionaea before, you are probably thinking that this is not very original, and in fact it looks just like the Modern Honeypot Network install script with a few tweaks. You are correct!

Now comes the Elastic-Agent…

curl -L -O
sudo dpkg -i elastic-agent-7.9.3-amd64.deb

Looks good so far. Now we need to spin up an Elastic cluster. Fret not, Elastic can help with this through their Elastic Cloud offering.

Create yourself a bare minimum deployment for Elastic (this will give you 30GB of storage with a 1GB RAM installation), and then jump into your Kibana console.

Head to Ingest Manager, then Fleet (you will need to click through the initial account creation), and then Add Agent. Scroll down to "Enrol and start the Elastic Agent" and you should see commands similar to those below:

elastic-agent enroll aUxOX2FxxxxxxxxxxxxxxxxxxxxxxxxxxxmZSbUstQXBEOVlWdGZMdw== 
systemctl enable elastic-agent 
systemctl start elastic-agent

Now obviously I have stripped out my sensitive information here, but you should get an enrolment event on your honeypot now, and you should start to see metric information transmitted from the honeypot to your Elastic instance.

Enrolled agent on the honeypot transmitting health data.

Now go back into the Elastic Ingest Manager, and then Configurations. Edit the Default Config associated with your newly enrolled honeypot, and then click Add Integration.

We are going to add the Dionaea log files to the Ingest Manager now, so new hosts being registered for that same configuration will transmit log data from the same locations.

Select Custom Logs from the scroll menu, and then scroll down to Option 2 where it asks about Log file path.

In here you want to specify the Dionaea log file locations. That is the same path the logrotate rule above covers, /opt/dionaea/var/log/dionaea/dionaea*.log, which picks up both dionaea.log and dionaea-errors.log.

Then expand the Advanced options, and change the dataset name to Dionaea.

Then save the integration. You will get a prompt asking if you want to change this configuration, and it will warn you that enrolled agents will be updated. Continue through this.

From here, to visualise this information you will need to build dashboards, but the honeypots will immediately start shipping new lines from their log files back into your Elastic installation.

Searching for DoublePulsar in forwarded Dionaea logs

And as you can see from the above, Dionaea has detected 46,000 attempts to utilise the DoublePulsar exploit on my newly deployed honeypot, in the first 15 minutes of it being deployed!
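The search in the screenshot is a free-text match, but once the logs are in one place the interesting questions are who is probing and how fast. The script below is an added example (not code from the original post or from the Dionaea project) that does that correlation offline: it parses Dionaea-style log lines, counts DoublePulsar detections per source IP and per minute, and flags sources above a threshold. The line format and the sample lines are a constructed approximation of dionaea.log, so LINE_RE and CONN_RE will need adjusting to the exact fields your Dionaea version writes; the addresses are RFC 5737 documentation ranges.

```python
"""Correlate DoublePulsar probes across Dionaea-style log lines.

Added example, not code from the original post or from the Dionaea project.
The line format handled here is an ASSUMED approximation of dionaea.log
("[ddmmyyyy HH:MM:SS] <domain> <file>:<line>-<level>: <message>", with the
connection printed as [local:port->remote:port] inside the message); adjust
LINE_RE and CONN_RE to the exact fields your Dionaea version writes.
"""
import re
import sys
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{8} \d{2}:\d{2}:\d{2})\] "
    r"(?P<domain>\S+) (?P<src>\S+?):(?P<lineno>\d+)-(?P<level>\w+): (?P<msg>.*)$"
)
CONN_RE = re.compile(
    r"\[(?P<lhost>[\d.]+):(?P<lport>\d+)->(?P<rhost>[\d.]+):(?P<rport>\d+)\]"
)

# Constructed sample log (documentation IP ranges), including one HTTP
# connection that must not be counted and one line that does not parse.
SAMPLE = """\
[04112020 09:15:01] connection connection.c:1353-message: connection 0x1 accept/tcp/smbd [10.0.0.5:445->198.51.100.7:51234] state: none->established
[04112020 09:15:01] smb smb.py:401-info: DoublePulsar ping detected [10.0.0.5:445->198.51.100.7:51234]
[04112020 09:15:02] smb smb.py:401-info: DoublePulsar ping detected [10.0.0.5:445->198.51.100.7:51240]
[04112020 09:15:09] connection connection.c:1353-message: connection 0x2 accept/tcp/httpd [10.0.0.5:80->203.0.113.9:40001] state: none->established
[04112020 09:16:30] smb smb.py:401-info: DoublePulsar ping detected [10.0.0.5:445->192.0.2.44:33000]
[04112020 09:16:31] smb smb.py:401-info: DoublePulsar ping detected [10.0.0.5:445->198.51.100.7:51300]
this line is not in the expected format and is counted as skipped
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d%m%Y %H:%M:%S")
    conn = CONN_RE.search(rec["msg"])
    rec["remote"] = conn.group("rhost") if conn else None
    rec["lport"] = int(conn.group("lport")) if conn else None
    # The marker is free text written by the SMB module, so match case-insensitively.
    rec["doublepulsar"] = "doublepulsar" in rec["msg"].lower()
    return rec


def summarise(lines, noisy_threshold=3):
    """Count DoublePulsar detections per remote IP and per minute.

    Sources with at least noisy_threshold detections are returned as noisy;
    this is the grouping a dashboard panel for the honeypot would be built on.
    """
    by_source = Counter()
    by_minute = Counter()
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if not rec["doublepulsar"] or rec["remote"] is None:
            continue
        by_source[rec["remote"]] += 1
        by_minute[rec["ts"].strftime("%Y-%m-%d %H:%M")] += 1
    return {
        "total": sum(by_source.values()),
        "by_source": dict(by_source),
        "by_minute": dict(by_minute),
        "noisy_sources": sorted(ip for ip, n in by_source.items() if n >= noisy_threshold),
        "skipped": skipped,
    }


if __name__ == "__main__":
    # Pass a real log path to analyse it; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE.splitlines()
    result = summarise(lines)
    print(f"{result['total']} DoublePulsar detections from {len(result['by_source'])} sources "
          f"({result['skipped']} unparsable lines skipped)")
    for ip, n in sorted(result["by_source"].items(), key=lambda kv: -kv[1]):
        flag = "  <- noisy" if ip in result["noisy_sources"] else ""
        print(f"  {ip:16} {n:5}{flag}")
    for minute, n in sorted(result["by_minute"].items()):
        print(f"  {minute}  {n} per minute")
```

Run it with no arguments to see the constructed sample summarised, or point it at /opt/dionaea/var/log/dionaea/dionaea.log on the honeypot. Unparsable lines are counted rather than silently dropped, so a format mismatch with your Dionaea build shows up as a large skipped count instead of a suspiciously quiet honeypot.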

So from this we get a key takeaway – if you are going to expose anything to the internet, even for a few minutes, please make sure it is patched and up-to-date!

Total outlay here for this deployment:
Elastic Cloud – ~$14 USD / month
DigitalOcean Droplet – $5 USD / month


Categories: Threat Intelligence
