[[honey:mwcollect]]
目次
mwcollect - Malware収集ツール
更新履歴
- 2006/02/13 初版
- Author kikuzou
概要
- Honeynet プロジェクトの一部として作成されているFreeBSD/Linux用のエミュレーション型ハニーポットサーバ。
- 既知の脆弱性をつくワームを捕獲する。(port135,445に接続してくるワームのみ)
- ログをIRCサーバに送信することも可能。
バージョン
- 3.0.3
インストール環境
- CentOS 4.2
前提条件
- 以下ライブラリが必要
- libcurl
- libpcre
- libcap
参考URL
インストール手順
mwcollect インストール
- インストール・動作に必要となるライブラリ・ヘッダーファイル・プログラムを事前にインストールする。
- すべて yum 等でインストールしておくこと。
# rpm -qa |grep curl curl-7.12.1-5.rhel4 curl-devel-7.12.1-5.rhel4 # # rpm -qa |grep pcre pcre-devel-4.5-3.2.RHEL4 pcre-4.5-3.2.RHEL4 # # rpm -qa |grep pcap libpcap-0.8.3-10.RHEL4 # # rpm -qa |grep tftp tftp-0.39-1 # # cd /usr/local/src/ # wget http://download.mwcollect.org/mwcollect-3.0.3.tar.bz2 # tar xvjf mwcollect-3.0.3.tar.bz2 # cd mwcollect-3.0.3 # cp /usr/include/pcre/pcre.h src/include/ ※make時に pcre.h が見つからないとのエラーが出るため # make # cp -r /usr/local/src/mwcollect-3.0.3 /usr/local/mwcollect # # groupadd mwcollectd # useradd -g mwcollectd -d /dev/null -s /sbin/nologin mwcollectd # chown -R mwcollectd:mwcollectd /usr/local/mwcollect/ # # /usr/local/mwcollect/bin/mwcollectd --version mwcollect v3.0.3-threestone $Id: mwcollect.cpp 287 2006-01-19 13:24:50Z oxff $ Flavour: OBSD_FLAVOURED (c) 2005-2006 by Honeynet Project, developed by Georg Wicherski Dedicated to Dorothea Reiffer, Palmstroem and all Hardcore ravers in the world! #
mwcollect 設定
- 動作に必要な設定を行う。基本的にはデフォルトでOK。
- デフォルトでは、IRCサーバ(irc.freenode.org #mwcollect-demo) にログを送信するようになっているので修正する。(任意)
# vi /usr/local/mwcollect/conf/mwcollect.conf 内容は下記参照 (9行目をコメントアウト) # # vi /usr/local/mwcollect/conf/submit-localfile.conf 内容は下記参照 (14行目の group を修正) #
mwcollect.conf
# mwcollectd dist config, see man (5) mwcollect.conf and comments for help
# $Id: mwcollect.conf 292 2006-02-02 19:08:30Z oxff $
# the pretty basics required to run a senseful standard sensor
%loadModule("log-file.so", "log-file.conf");
%loadModule("net-posix.so", "empty.conf");
# additional loggers
#%loadModule("log-irc.so", "log-irc.conf");
#%loadModule("log-prelude.so", "log-prelude.conf");
#%loadModule("log-syslog.so", "log-syslog.conf");
# vulnerability modules
%loadModule("vuln-ms04-11.so", "vuln-ms04-11.conf");
%loadModule("vuln-ms05-39.so", "vuln-ms05-39.conf");
%loadModule("vuln-ms03-26.so", "vuln-ms03-26.conf");
%loadModule("vuln-ms05-51.so", "vuln-ms05-51.conf");
# shell emulation modules
%loadModule("shell-transfer.so", "empty.conf");
%loadModule("shell-basic.so", "empty.conf");
# download handlers
%loadModule("download-tftp.so", "empty.conf");
%loadModule("download-curl.so", "download-curl.conf");
# submitters
%loadModule("submit-localfile.so", "submit-localfile.conf");
# %loadModule("submit-gotek.so", "submit-gotek.conf");
# pure shellcode parsers
%loadModule("scparse-misc.so", "empty.conf");
# daemon configuration
{
shellcode-directory = "./data/shellcodes/"; # write unknown shellcodes here
# set to `(none)' to disable (this is also the default)
store-shellcodes = "0"; # store ALL shellcodes, including succesfully parsed ones
# set to `1' to activate, defaults to 0 which only saves
# unparsable ones
bind-address = "0.0.0.0"; # connections to another addresses are ignored
# defaults to 0.0.0.0 which means accept all sources
connection-timeout = "300"; # specifies after which time all connections time out (in seconds)
# defaults to 0 which means no timeout
# don't set this to a low value, it's just the last chance
download-blocking = "600"; # an URL will not be tried to fetch twice within this timespan
# defaults to 600 seconds
download-alerts = "1"; # downloads will emit classful alert message if set to 1,
# this defaults to 1
}
submit-localfile.conf
#mwcollect3 submit-localfile example config
{
# uncomment the following line to enable chown functionality
# chown
{
# if mwcollect is not configured to drop privilegues at startup
# it might be a good idea to chown & chmod collected binaries
# after storing them in the local filesystem
#
# comment out the block to deactivate chown
user = "mwcollectd"; # defaults to mwcollectd
group = "mwcollectd"; # defaults to nogroup
}
chmod = "0640"; # defaults to 0600
directory = "./data/binaries/"; # where to store collected malware
# defaults to `./data/binaries/'
md5sum = "1"; # perform md5 hashing on file's content and use as filename
# otherwise a random 16 character string prefixed with `r' to
# distinguish from md5sum's is used as filename
# defaults to 1
# there is no more requirement for symlink attack filename extension with random strings
# since the module tests for existance of a symlink before actually opening the file
}
mwcollect 実行
- mwcollect を実行する。オプションで全ログをコンソールに表示するようにする。
- mwcollect停止時に “/usr/local/mwcollect/mwcollectd.log” に記録される。
- デーモンモード(-D)では、なぜかログが出力されない。(私の環境だけかも!?)
# cd /usr/local/mwcollect/ # ./bin/mwcollectd --console-log=all --conf=conf/mwcollect.conf [2005-12-05 11:00:03] mwcollect v3.0.1 up and running.
