NepenthesFE
From Emre's Wiki
Overview
NepenthesFE is a web-based tool that helps you catalogue the malware you have collected with Nepenthes (http://nepenthes.mwcollect.org).
Nepenthes has a submission module ("submit-http") that transmits information on attacks and captured malware to a configurable URL.
NepenthesFE provides a script that receives this information via HTTP and stores it in a database.
NepenthesFE also ships a number of modules that enrich the data received from the honeypot with further information and store that in the database as well.
Download
NepenthesFE 0.3 is available for download at [1]
Screenshots
A couple of screenshots are available:
Installation
Please see NepenthesFE-Installation.
Available Modules
In short, the following modules are currently available.
asn
This module uses the DNS-based autonomous system lookup service of the Team Cymru project (http://www.cymru.com/). When Nepenthes reports an attack, this module looks up the ASN of the attacker's IP address and adds it to the database.
geoip
This module uses the GeoIP service to determine the geographical location of an attacker by looking up the attacker's IP address in the GeoIP database.
bitdefender
This module uses the BitDefender AV scanner to scan the binary locally. If the binary is considered malicious, the result is saved in the database.
file
This module executes the Unix command "file" to determine the type of the captured binary.
objdump
This module executes the Unix command "objdump" to retrieve information specific to the executable format.
strings
This module executes the Unix command "strings" to extract printable ASCII strings from the binary.
upx
This module executes the Unix command "upx" to determine if the binary has been packed with UPX.
virustotal
This module sends the binary to "scan(at)virustotal.com" for further analysis. The NepenthesFE cron job polls a configured POP3 account for the analysis result from VirusTotal and saves it in the database.
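The lookup behind the "asn" module above, as an added example that is not NepenthesFE's own code: Team Cymru's service is queried by reversing the IPv4 octets, appending ".origin.asn.cymru.com" and reading the TXT record, whose fields are "ASN | BGP prefix | CC | registry | allocated". The sample answer is constructed in that format so the code runs offline; the dig-based default resolver is an assumption for when a live lookup is wanted.

```python
import ipaddress
import subprocess
from typing import Callable, List, Optional

CYMRU_ORIGIN_ZONE = "origin.asn.cymru.com"


def origin_query_name(ip: str) -> str:
    """Build the reverse-octet DNS name Team Cymru expects for an IPv4 address."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + CYMRU_ORIGIN_ZONE


def parse_origin_txt(txt: str) -> dict:
    """Parse one TXT answer such as '23028 | 216.90.108.0/24 | US | arin | 1998-09-25'."""
    fields = [f.strip() for f in txt.strip().strip('"').split("|")]
    if len(fields) != 5:
        raise ValueError(f"unexpected Cymru TXT format: {txt!r}")
    asn, prefix, cc, registry, allocated = fields
    # A multi-origin prefix lists several ASNs separated by spaces ("1234 5678").
    return {
        "asn": [int(a) for a in asn.split()],
        "prefix": prefix,
        "cc": cc,
        "registry": registry,
        "allocated": allocated,
    }


def lookup_asn(ip: str, resolve_txt: Optional[Callable[[str], List[str]]] = None) -> Optional[dict]:
    """Return the parsed origin record for ip, or None when no BGP origin is known.
    resolve_txt(name) must return the TXT strings for name; the default shells out to
    dig (assumed to be installed) so the example has no third-party dependencies."""
    if resolve_txt is None:
        def resolve_txt(name: str) -> List[str]:
            out = subprocess.run(["dig", "+short", "TXT", name],
                                 capture_output=True, text=True, check=True).stdout
            return [line for line in out.splitlines() if line]
    records = resolve_txt(origin_query_name(ip))
    return parse_origin_txt(records[0]) if records else None


if __name__ == "__main__":
    # Constructed sample answer in the documented format; no network needed.
    sample = {origin_query_name("216.90.108.31"):
              ['"23028 | 216.90.108.0/24 | US | arin | 1998-09-25"']}
    print(lookup_asn("216.90.108.31", resolve_txt=lambda n: sample.get(n, [])))
```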
Statistics
It is always nice to see some graphics and statistics.
NepenthesFE has the functionality to create RRD based graphics to show the number of attacks, the number of malware, etc.
Currently the graphics that the tool creates are "buggy".
Anyone who truly understands RRD is welcome to give me a helping hand :)
Work in Progress
Another module, "cwsandbox", is still unfinished.
Localization support is also still unfinished. If you would like to help translate the content into other languages, please drop me a mail.
Credits
The button elements used for this webtool were designed by Antonio Orrico (http://www.orricoweb.it) and published under the Creative Commons License (http://creativecommons.org/licenses/by/3.0/).
The function "xml2array" was written by Binny V.A. (http://www.bin-co.com/php/scripts/xml2array/) and published under the BSD License.
