Amun was the first python-based low-interaction honeypot, following the concepts of Nepenthes but extending it with more sophisticated emulation and easier maintenance.
- Pyhon >= 2.6 (no Python3 support yet)
- (optional) Python Psyco (available at http://psyco.sourceforge.net/)
- (optional) MySQLdb if submit-mysql or log-mysql is used
- (optional) psycopg2 if log-surfnet is used
- Clone Git repository:
git clone https://github.com/zeroq/amun.git
- Edit Amun main configuration file:
vim conf/amun.conf
- for example set the ip address for Amun to listen on (0.0.0.0 to listen on all)
- enable or disbale vulnerability modules as needed
- start the Amun by issuing:
./amun_server
In case you encounter problems with too many open files due to a lot of attackers hitting your honeypot at the same time, the following settings can be adjusted:
- To increase the maximum number of open files on Linux:
echo "104854" > /proc/sys/fs/file-max
ulimit -Hn 104854
ulimit -n 104854
- To increase the maximum number of open files on BSD:
sysctl kern.maxfiles=104854
ulimit -Hn 104854
ulimit -n 104854
All logging information are stored in the "logs" subdirectory of your Amun installation. Following log files will be created:
- amun_server.log
- contains general information, errors, and alive messages of the amun server
- amun_request_handler.log
- contains information about unknown exploits and not matched exploit stages
- analysis.log
- contains information about manual shellcode analysis (performed via the -a option)
- download.log
- contains information about all download modules (ftp, tftp, bindport, etc...)
- exploits.log
- contains information about all exploits that where triggert
- shellcode_manager.log
- contains information and errors of the shellcode manager
- submissions.log
- contains information about unique downloads
- successfull_downloads.log
- contains information about all downloaded malware
- unknown_downloads.log
- contains information about unknown download methods
- vulnerabilities.log
- contains information about certain vulnerability modules
Amun can be executed with -a
parameter to analyse a given file for known shellcode instead of running the honeypot.