Amun

From aldeid

Description

Amun is a low-interaction honeypot.

Installation

Prerequisites

$ sudo apt-get install python-psyco python-mysqldb python-psycopg2

If you also wish to log events to MySQL, install mysql-server:

$ sudo apt-get install mysql-server

Installation of Amun

$ cd ~/src/
$ wget http://downloads.sourceforge.net/project/amunhoney/amun/amun-v0.1.9/amun-v0.1.9.tar.gz
$ tar xzvf amun-v0.1.9.tar.gz
$ cd amun/

Configuration

amun.conf

Change the "ip" parameter to match the IP address of your honeypot.

ip: 88.191.146.23

Also, in the "submit_modules" section, uncomment the submission modules you would like to use:

### define submission modules
submit_modules:
       submit-md5,
       submit-anubis,
       submit-cwsandbox
#       submit-joebox

log-mail.conf

If you want to be notified by email when new malware is detected, configure the log-mail.conf configuration file as follows:

[Log-Mail]

### define smtp server for outgoing mail
smtpServer: smtp.gmail.com
smtpPort: 25

### define sender and recipient addresses (unused fields set to None)
mailFrom: [email protected]
mailReplyTo: [email protected]
recipientList: [email protected],[email protected]
mailCCList: None

### define default mail text
mailBody: Hello,\nyour Amun sensor reported a successfull attack.\nLogline is attached.

log-mysql.conf

If you wish to log the events in a MySQL database, first create your database as follows:

$ cd /opt/amun/conf/
$ mysql -u root -p < amun_db.sql

Check that the database has successfully been created:

$ mysql -u root -p
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| amun_db            |
| mysql              |
+--------------------+

And set appropriate privileges:

mysql> create user amun@localhost identified by '4mUnP455w0rd';
mysql> grant all privileges on amun_db.* to amun@localhost;
mysql> \q

Once the database is created and the privileges are set up, adapt the "log-mysql.conf" configuration file as follows:

[Log-MySQL]
MySQLHost: 127.0.0.1
MySQLUser: amun
MySQLPass: 4mUnP455w0rd
MySQLDB: amun_db

log-surfnet.conf

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

submit-anubis.conf

Amun has the ability to automatically submit malware to Anubis. If you wish, you can also be automatically notified by email:

reportToEmail: [email protected]

The "reportToEmail" parameter does not appear to support the multiple-recipient syntax used in log-mail.conf.

submit-cwsandbox.conf

This section is being written and is therefore not complete.

submit-joebox.conf

This section is being written and is therefore not complete.

Usage

Start Amun

To start Amun, issue the following command:

$ cd /opt/amun/
$ sudo ./amun_server.py &

Collect malware

Once Amun has collected malware samples, they appear in the malware/md5sum/ directory, each named after the MD5 hash of its content:

$ ls -l /opt/amun/malware/md5sum/
total 2992
-rw-r--r-- 1 root root  195584 Mar 23 01:14 17270aa15f0b8465ef7b815e58d4c86b.bin
-rw-r--r-- 1 root root   32768 Mar 23 01:38 2c1c0ea0b4a31962bd4d9402e7c62575.bin
-rw-r--r-- 1 root root 1264640 Mar 23 00:55 5d5138f09a10148f4a85547aa24f7877.bin
-rw-r--r-- 1 root root   64512 Mar 23 14:30 5e60a735afb32c3b19b186170964ffb9.bin
-rw-r--r-- 1 root root  926720 Mar 23 17:27 80931f1c5fd7c8f30c6ba2b7046c9c89.bin
-rw-r--r-- 1 root root  454144 Mar 23 08:27 c5306102e449f83fcdc12a025eb59333.bin
-rw-r--r-- 1 root root   43008 Mar 23 01:56 eb17f7f499e1cb042219bef3fb0c8b25.bin
-rw-r--r-- 1 root root   71747 Mar 22 22:11 fcded26076f73cedfe1cbc6442f11f2d.bin
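Since each file in malware/md5sum/ is named after the MD5 of its content, a sensor operator can cheaply check that the directory is consistent before forwarding samples or counting them in reports: a file whose name does not match its hash was modified after capture (or written by something other than Amun). The script below is an added example, not part of Amun or of the original page; it only assumes the naming convention shown in the listing above (32 lowercase hex characters followed by ".bin"). The demo directory it builds contains constructed byte strings, not real malware.

```python
import hashlib
import os
import tempfile

HEX = set("0123456789abcdef")


def md5_of_file(path, chunk=65536):
    """Stream the file through MD5 so large samples do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_sample_dir(directory):
    """Check every <md5>.bin in an Amun md5sum directory against its content.

    Returns three sorted lists of file names:
      ok         - name matches the MD5 of the content
      mismatched - well-formed name but the content hashes differently
      malformed  - .bin file whose stem is not a 32-character lowercase hex MD5
    Anything that is not a .bin file is ignored.
    """
    ok, mismatched, malformed = [], [], []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".bin"):
            continue
        stem = name[:-4]
        if len(stem) != 32 or any(c not in HEX for c in stem):
            malformed.append(name)
            continue
        digest = md5_of_file(os.path.join(directory, name))
        (ok if digest == stem else mismatched).append(name)
    return ok, mismatched, malformed


def build_demo_dir():
    """Create a temporary directory imitating malware/md5sum/ (constructed data).

    One correctly named sample, one whose content no longer matches its name,
    and one with a name that does not follow the convention at all.
    """
    d = tempfile.mkdtemp(prefix="amun-md5sum-demo-")
    good = b"constructed sample payload, not real malware\x00\x01\x02"
    with open(os.path.join(d, hashlib.md5(good).hexdigest() + ".bin"), "wb") as f:
        f.write(good)
    # Well-formed name, but the bytes do not hash to it: tampered or overwritten.
    with open(os.path.join(d, "0" * 32 + ".bin"), "wb") as f:
        f.write(b"content replaced after capture")
    # Not an MD5-named file; Amun would not have written this.
    with open(os.path.join(d, "notes.bin"), "wb") as f:
        f.write(b"x")
    return d


if __name__ == "__main__":
    # Point this at /opt/amun/malware/md5sum/ on a real sensor; the demo
    # directory is used here so the script runs offline.
    target = build_demo_dir()
    ok, mismatched, malformed = verify_sample_dir(target)
    print("ok        :", len(ok))
    print("mismatched:", mismatched)
    print("malformed :", malformed)
```

Run it against /opt/amun/malware/md5sum/ by replacing the demo directory with that path; a non-empty mismatched list is worth investigating before any sample from it is submitted to a sandbox, since the sandbox report would then be keyed to a hash that no longer describes the file.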