Configuration
If you want to change the software, it is really important to understand how it works, so please take the time to learn how it works.
dionaea.cfg is the main configuration file.
In the example below you can see the default configuration.
[dionaea]
download.dir=@LOCALESTATEDIR@/dionaea/binaries/
modules=curl,python,nfq,emu,pcap
processors=filter_streamdumper,filter_emu
listen.mode=getifaddrs
# listen.addresses=127.0.0.1
# listen.interfaces=eth0,tap0
# Country
# ssl.default.c=GB
# Common Name/domain name
# ssl.default.cn=
# Organization
# ssl.default.o=
# Organizational Unit
# ssl.default.ou=
[logging]
default.filename=@LOCALESTATEDIR@/dionaea/dionaea.log
default.levels=all
default.domains=*
errors.filename=@LOCALESTATEDIR@/dionaea/dionaea-errors.log
errors.levels=warning,error
errors.domains=*
[processor.filter_emu]
name=filter
config.allow.0.protocols=smbd,epmapper,nfqmirrord,mssqld
next=emu
[processor.filter_streamdumper]
name=filter
config.allow.0.types=accept
config.allow.1.types=connect
config.allow.1.protocols=ftpctrl
config.deny.0.protocols=ftpdata,ftpdatacon,xmppclient
next=streamdumper
[processor.streamdumper]
name=streamdumper
config.path=@LOCALESTATEDIR@/dionaea/bistreams/%Y-%m-%d/
[processor.emu]
name=emu
config.limits.files=3
# 512 * 1024
config.limits.filesize=524288
config.limits.sockets=3
config.limits.sustain=120
config.limits.idle=30
config.limits.listen=30
config.limits.cpu=120
# 1024 * 1024 * 1024
config.limits.steps=1073741824
[module.nfq]
queue=2
[module.nl]
# set to yes in case you are interested in the mac address of the remote (only works for lan)
lookup_ethernet_addr=no
[module.python]
imports=dionaea.log,dionaea.services,dionaea.ihandlers
sys_paths=default
service_configs=@SYSCONFDIR@/dionaea/services-enabled/*.yaml
ihandler_configs=@SYSCONFDIR@/dionaea/ihandlers-enabled/*.yaml
[module.pcap]
any.interface=any
dionaea
download.dir
Global download directory used by some ihandlers.
listen.mode
There are three modes in which dionaea can bind the services to IP addresses.
- getifaddrs - auto
This will get a list of all IP addresses of all available interfaces and bind the services to each IP. It is also possible to specify a list of interfaces to use by using the listen.interfaces parameter.
- manual - your decision
In this mode you have to specify an additional parameter, listen.addresses. This is a comma-separated list of IP addresses dionaea should bind the services to.
- nl, will require a list of interfaces
You have to specify a comma-separated list of interface names with the listen.interfaces parameter. If an IP address is added to an interface or removed from an interface, dionaea will launch or stop all services for this IP.
modules
Comma separated list of modules.
processors
Comma separated list of processors.
ssl.default.c
Two letter id of the Country.
ssl.default.cn
The Common Name/domain name of the generated SSL/TLS certificate.
ssl.default.o
The Organization name.
ssl.default.ou
The name of the Organizational Unit.
Logging
dionaea has a general application log. These logs are meant to be used for debugging and to track errors. It is not recommended to analyse these files to track attacks.
filename
The filename of the logfile.
levels
Only log messages that match the specified log level get logged to the logfile.
domains
Only log messages in a specified domain.
Modules
Only modules specified by the modules value in the dionaea section are loaded during start-up.
Every module might have its own config section with additional config parameters.
The section name consists of the prefix module and the module name, separated by a dot (.).
See the Modules documentation to find more information on how to configure the modules.
Processors
The specified processors will be used as an entry point in the processing pipeline.
In most cases the initial processor will be a filter processor.
The next processor in the pipeline is specified by the next parameter.
See the Processors documentation to find more information on how to configure the processors.
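The listen.mode requirements and the next chaining described above can be checked before a honeypot is deployed. The following is an added example, not part of dionaea: it assumes the file can be read with Python's configparser and that next names a single processor; audit and SAMPLE_CFG are hypothetical names, and the sample is constructed with two deliberate mistakes.

```python
import configparser

# Constructed sample: manual mode without listen.addresses, and no [processor.emu].
SAMPLE_CFG = """
[dionaea]
processors=filter_streamdumper,filter_emu
listen.mode=manual
# listen.addresses=127.0.0.1
[processor.filter_emu]
name=filter
next=emu
[processor.filter_streamdumper]
name=filter
next=streamdumper
[processor.streamdumper]
name=streamdumper
config.path=@LOCALESTATEDIR@/dionaea/bistreams/%Y-%m-%d/
"""

# Extra parameter each mode needs, as described in the listen.mode section.
REQUIRED_BY_MODE = {"manual": "listen.addresses", "nl": "listen.interfaces"}

def audit(cfg_text):
    """Return (pipelines, problems) for a dionaea.cfg given as text."""
    # interpolation=None keeps values such as %Y-%m-%d literal.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    main, problems, pipelines = cfg["dionaea"], [], {}
    mode = main.get("listen.mode", "")
    if mode not in ("getifaddrs", "manual", "nl"):
        problems.append(f"unknown listen.mode '{mode}'")
    elif mode in REQUIRED_BY_MODE and not main.get(REQUIRED_BY_MODE[mode]):
        problems.append(f"listen.mode={mode} needs {REQUIRED_BY_MODE[mode]}")
    for entry in [p.strip() for p in main.get("processors", "").split(",") if p.strip()]:
        chain, name = [], entry
        while name:  # follow 'next' until a processor has none
            if name in chain:
                problems.append(f"loop in pipeline at '{name}'")
                break
            chain.append(name)
            if not cfg.has_section(f"processor.{name}"):
                problems.append(f"missing section [processor.{name}]")
                break
            name = cfg.get(f"processor.{name}", "next", fallback=None)
        pipelines[entry] = chain
    return pipelines, problems

if __name__ == "__main__":
    print(audit(SAMPLE_CFG))
```

A pipeline that ends at a missing section, or a manual mode with no addresses, is reported here rather than discovered later as a sensor that silently records nothing.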