Thursday, May 13, 2010

Dionaea new XMPP features - sample live sharing

As committed by Markus today, Dionaea's XMPP support has gained a new feature: Sample Live Sharing. Previously, the purpose of the XMPP implementation in Dionaea was to build a distributed network for the captured data: multiple parties can run Dionaea sensors, and multiple parties can run backends for specific purposes such as data logging, data analysis and data collection.

For me, the new "Sample Live Sharing" feature is a great idea. Usually a single sensor captures a malware piece only when an attack triggers it, so the number of captures is limited and bounded to a small network. For research or education purposes, a distributed sample-sharing network is a great boost, because a much larger collection of samples can be obtained. The new feature fits this purpose.

Every sensor that joins the XMPP channel shares its captured samples with the others. The file is streamed to the channel, and other sensors may download it and store it on their own local machines. There is no central repository for malware storage, as all sample sharing is a live stream; this also means a sensor that is not connected at the time misses that sample. Once a sample has been downloaded to a sensor's machine, further processing can be executed, such as sending it to a sandbox for analysis.

To get my feet wet with the feature, I connected my XMPP client, Psi, to the Dionaea XMPP server sensors.carnivore.it.

Psi settings


Psi connected to the XMPP server successfully

Service Discovery to find the chatrooms. We can see how many sensors and non-sensor clients, such as Psi, are connected to the server.

An alternative way to join the group chat is by configuration. The setting below joins the anon-files group chat (channel).

Ideally, any Dionaea sensor that has joined the channel downloads the shared samples from the live stream. But since I joined the channel with Psi, a non-Dionaea XMPP client, any shared sample is shown as base64-encoded data.

The screenshot here shows a live shared sample. The run of AAAAAAA bytes is the padding of an exploit for a certain buffer overflow.

As the sensor joins the channel in the visitor role, a message it sends to the server is not relayed back to the sensor itself, to save bandwidth. To see further data, we can use the XML console provided by Psi.
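As an added example (not Dionaea's own code, and not from the original post), here is a small Python script that does what a sensor would do with a stanza like the one seen in Psi's XML console: decode the base64 body, name the file by its SHA-256 hash so the sender cannot choose the file name, and measure the longest single-byte run to spot the AAAA padding. The stanza layout (base64 sample in the `<body>` of a groupchat `<message>`), the room address `anon-files@sensors.carnivore.it`, the sender nick and the payload are all constructed for this example; Dionaea's real wire format is not reproduced here.

```python
"""Decode a live-shared sample from an XMPP group-chat stanza.

Hypothetical layout: the sensor puts the base64-encoded sample into the
<body> of a groupchat <message>. Dionaea's real stanza layout is NOT
reproduced here; everything below is constructed for illustration.
"""
import base64
import binascii
import hashlib
import os
import xml.etree.ElementTree as ET

CLIENT_NS = "jabber:client"

# Constructed sample: 200 'A' bytes of filler, the kind of buffer that shows
# up in the XML console when an overflow exploit is shared. Not a real capture.
PAYLOAD = b"USER " + b"A" * 200 + b"\r\n"

# Constructed stanza, shaped like what an XML console would display.
STANZA = (
    '<message xmlns="jabber:client" type="groupchat" '
    'from="anon-files@sensors.carnivore.it/sensor-01">'
    "<body>" + base64.b64encode(PAYLOAD).decode("ascii") + "</body>"
    "</message>"
)


def extract_sample(stanza_xml):
    """Return the decoded sample bytes from a groupchat stanza, or None.

    Malformed XML, non-groupchat stanzas and bodies that are not strict
    base64 are rejected, so a chat line typed by a human (or a hostile
    sender) is never mistaken for a sample.
    """
    try:
        msg = ET.fromstring(stanza_xml)
    except ET.ParseError:
        return None
    if msg.tag != "{%s}message" % CLIENT_NS or msg.get("type") != "groupchat":
        return None
    body = msg.find("{%s}body" % CLIENT_NS)
    if body is None or not body.text:
        return None
    text = "".join(body.text.split())  # console output may wrap long lines
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error:
        return None


def sample_digest(data):
    """SHA-256 of the sample, used as the on-disk name (sender cannot pick it)."""
    return hashlib.sha256(data).hexdigest()


def longest_run(data):
    """Return (byte value, length) of the longest run of one repeated byte.

    A long run of 0x41 ('A') is the padding of a buffer-overflow exploit.
    Returns (None, 0) for empty input.
    """
    best = (None, 0)
    i = 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best[1]:
            best = (data[i], j - i)
        i = j
    return best


def store_sample(data, directory):
    """Write the sample under its SHA-256 name, mode 0600, and return the path.

    The file is never executed locally; the next step is handing it to a sandbox.
    """
    path = os.path.join(directory, sample_digest(data))
    if not os.path.exists(path):
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, 0o600)
    return path


if __name__ == "__main__":
    sample = extract_sample(STANZA)
    value, length = longest_run(sample)
    print("decoded %d bytes, longest run: 0x%02x x %d" % (len(sample), value, length))
    os.makedirs("samples", exist_ok=True)
    print("stored as", store_sample(sample, "samples"))
```

Run it directly to see the decoded size, the 200-byte run of 0x41 and the hash-named file under `samples/`. Because the file name is derived from the content rather than from anything in the stanza, two sensors that receive the same sample store it under the same name, and a sender cannot use the name to overwrite or traverse paths on the receiving machine.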

2 comments:

  1. Markus suggested not to use any IM client since we can simply look at the verbose log instead (newly committed, just git pull)

    http://elhilal.blogspot.com/2010/05/sqlite-and-dionaea-markus-that-in-order.html

    Are you in UTM Skudai?

  2. Hi najmi, thanks for the info. I will check on it.

    Ya. I'm at UTM Skudai.
