Configuration

If you want to change the software, it is really important to understand how it works, so please take the time to learn how it works. dionaea.cfg is the main configuration file. The example below shows the default configuration.

dionaea.cfg
# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

[dionaea]
download.dir=@DIONAEA_STATEDIR@/binaries/
#modules=curl,python,nfq,emu,pcap
modules=curl,python,emu
processors=filter_streamdumper,filter_emu

listen.mode=getifaddrs
# listen.addresses=127.0.0.1
# listen.interfaces=eth0,tap0

# Use IPv4 mapped IPv6 addresses
# It is not recommended to use this feature, try to use native IPv4 and IPv6 addresses
# Valid values: true|false
# listen.use_ipv4_mapped_ipv6=false

# Country
# ssl.default.c=GB
# Common Name/domain name
# ssl.default.cn=
# Organization
# ssl.default.o=
# Organizational Unit
# ssl.default.ou=

[logging]
default.filename=@DIONAEA_LOGDIR@/dionaea.log
default.levels=all
default.domains=*

errors.filename=@DIONAEA_LOGDIR@/dionaea-errors.log
errors.levels=warning,error
errors.domains=*

[processor.filter_emu]
name=filter
config.allow.0.protocols=smbd,epmapper,nfqmirrord,mssqld
next=emu

[processor.filter_streamdumper]
name=filter
config.allow.0.types=accept
config.allow.1.types=connect
config.allow.1.protocols=ftpctrl
config.deny.0.protocols=ftpdata,ftpdatacon,xmppclient
next=streamdumper

[processor.streamdumper]
name=streamdumper
config.path=@DIONAEA_STATEDIR@/bistreams/%Y-%m-%d/

[processor.emu]
name=emu
config.limits.files=3
#512 * 1024
config.limits.filesize=524288
config.limits.sockets=3
config.limits.sustain=120
config.limits.idle=30
config.limits.listen=30
config.limits.cpu=120
#// 1024 * 1024 * 1024
config.limits.steps=1073741824

[module.nfq]
queue=2

[module.nl]
# set to yes in case you are interested in the MAC address of the remote (only works for LAN)
lookup_ethernet_addr=no

[module.python]
imports=dionaea.log,dionaea.services,dionaea.ihandlers
sys_paths=default
service_configs=@DIONAEA_CONFDIR@/services-enabled/*.yaml
ihandler_configs=@DIONAEA_CONFDIR@/ihandlers-enabled/*.yaml

[module.pcap]
any.interface=any

dionaea

download.dir

Global download directory used by some ihandlers.

listen.mode

There are three modes in which dionaea can bind the services to IP addresses.

  • getifaddrs - auto
    This will get a list of all IP addresses of all available interfaces and bind the services to each IP. It is also possible to specify a list of interfaces to use by using the listen.interfaces parameter.
  • manual - your decision
    In this mode you have to specify an additional parameter listen.addresses. This is a comma separated list of IP addresses dionaea should bind the services to.
  • nl - requires a list of interfaces
    You have to specify a comma separated list of interface names with the listen.interfaces parameter. If an IP address is added to an interface or removed from an interface, dionaea will launch or stop all services for this IP.

modules

Comma separated list of modules.

processors

Comma separated list of processors.

ssl.default.c

Two letter id of the Country.

ssl.default.cn

The Common Name/domain name of the generated SSL/TLS certificate.

ssl.default.o

The Organization name.

ssl.default.ou

The name of the Organizational Unit.

Logging

dionaea has a general application log. These logs are meant to be used for debugging and to track errors. It is not recommended to analyse these files to track attacks.

filename

The filename of the logfile.

levels

Only log messages that match the specified log level get logged to the logfile.

Available log levels:

  • debug
  • info
  • warning
  • error
  • critical
  • all = Special log level including all log levels

Examples:

Log only messages with level warning and error

errors.levels=warning,error

Log all log messages but exclude messages with log level debug

errors.levels=all,-debug

domain

Only log messages in a specified domain.

Modules

Only modules specified by the modules value in the dionaea section are loaded during the start up.

Every module might have its own config section with additional config parameters. The section name consists of the prefix module and the module name separated by a dot (.).

See the Modules documentation to find more information on how to configure the modules.

Processors

The specified processors will be used as an entry point in the processing pipeline. In most cases the initial processor will be a filter processor. The next processor in the pipeline is specified by the next parameter.

See the Processors documentation to find more information on how to configure the processors.
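A pre-deployment check for the listen.mode requirements and the processor next chain described above, as an added example that is not part of dionaea itself. The names lint, items and NEEDS are hypothetical, the processor.<name> section naming is taken from the default configuration shown on this page, and treating a missing listen.mode as an error is an assumption.

```python
import configparser

# Constructed sample: a trimmed dionaea.cfg with two deliberate mistakes
# (manual mode without listen.addresses, and no [processor.emu] section).
SAMPLE = """
[dionaea]
processors=filter_streamdumper,filter_emu
listen.mode=manual
# listen.addresses=127.0.0.1
[processor.filter_emu]
name=filter
next=emu
[processor.filter_streamdumper]
name=filter
next=streamdumper
[processor.streamdumper]
name=streamdumper
config.path=@DIONAEA_STATEDIR@/bistreams/%Y-%m-%d/
"""

# Extra parameter each listen.mode needs, per the list on this page.
NEEDS = {"getifaddrs": None, "manual": "listen.addresses", "nl": "listen.interfaces"}

def items(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def lint(text):
    """Return a list of problems found in dionaea.cfg text (hypothetical helper)."""
    # interpolation=None: config.path holds strftime-style % sequences
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    main, problems = cfg["dionaea"], []
    mode = main.get("listen.mode", "")
    if mode not in NEEDS:
        problems.append(f"unknown listen.mode {mode!r}")
    elif NEEDS[mode] and not items(main.get(NEEDS[mode], "")):
        problems.append(f"listen.mode={mode} requires {NEEDS[mode]}")
    for entry in items(main.get("processors", "")):
        seen, name = set(), entry
        while name:  # follow next= until the chain ends
            if name in seen:
                problems.append(f"processor loop at {name}")
                break
            if f"processor.{name}" not in cfg:
                problems.append(f"missing section [processor.{name}]")
                break
            seen.add(name)
            name = cfg[f"processor.{name}"].get("next", "")
    return problems
```

Calling lint(SAMPLE) reports the missing listen.addresses and the missing [processor.emu] section; a configuration with both fixed returns an empty list.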