Use dionaea to capture attacks against TR-069 Part 2

Dionaea can now handle very basic SOAP requests and analyse attacks against TR-069.

In the article 'Use dionaea to capture attacks against TR-069', published a few hours ago, I demonstrated how to use the blackhole service to capture attacks against the TR-069 service. Since that article, the http service of dionaea has been improved to also handle basic SOAP requests. This allows dionaea to analyse the submitted data, extract the included download commands and report incidents including the URLs from which additional files would be downloaded.

To test the new code you have to use the latest master branch from the git repository and add a new config file. Copy http.yaml in the services-enabled directory and name the new file tr-069.yaml. After you have copied the file, edit it and change/add the following parameters to enable a webserver with SOAP handling on port 7547.

- name: http
  config:
    ...
    port: 7547
    ...
    soap_enabled: true
    ...
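The extraction step described above (parse the SOAP body posted to port 7547, find the download command, report its URL) can be illustrated with a small parser. The following is an added example written for this post, not code from dionaea itself. It assumes the attacker posts a CWMP Download RPC, whose element names (Download, FileType, URL) come from the TR-069 specification; the sample envelope and its URL are constructed placeholders, not indicators taken from real traffic.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a CWMP Download RPC of the kind a scanner would POST
# to the TR-069 port. The URL is a placeholder, not a real indicator.
SAMPLE_SOAP = """<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
  <soap:Body>
    <cwmp:Download>
      <CommandKey>key</CommandKey>
      <FileType>1 Firmware Upgrade Image</FileType>
      <URL>http://example.invalid/payload.bin</URL>
      <Username></Username>
      <Password></Password>
      <FileSize>0</FileSize>
    </cwmp:Download>
  </soap:Body>
</soap:Envelope>
"""

URL_RE = re.compile(r"""https?://[^\s<>"']+""")
XMLNS_RE = re.compile(r'xmlns(:\w+)?="[^"]*"')


def _localname(tag):
    """Strip the namespace: '{urn:dslforum-org:cwmp-1-0}Download' -> 'Download'."""
    return tag.rsplit('}', 1)[-1]


def _parse(body):
    """Parse the SOAP body; return None when the XML is malformed."""
    try:
        return ET.fromstring(body)
    except ET.ParseError:
        return None


def rpc_name(body):
    """Return the name of the RPC inside soap:Body (e.g. 'Download'), or None."""
    root = _parse(body)
    if root is None:
        return None
    for elem in root.iter():
        if _localname(elem.tag) == 'Body':
            for child in elem:
                return _localname(child.tag)
    return None


def extract_download_urls(body):
    """Return the URLs carried by <URL> elements of the request.

    Attack traffic is frequently not well-formed XML, so when parsing fails
    the function falls back to a plain regex over the raw body, after removing
    xmlns declarations so that schema URIs are not reported as downloads.
    """
    urls = []
    root = _parse(body)
    if root is not None:
        for elem in root.iter():
            if _localname(elem.tag) == 'URL' and elem.text and elem.text.strip():
                urls.append(elem.text.strip())
    if not urls:
        urls = URL_RE.findall(XMLNS_RE.sub('', body))
    seen = set()  # de-duplicate while keeping order
    return [u for u in urls if not (u in seen or seen.add(u))]


if __name__ == '__main__':
    # Report the incident the way the honeypot would: RPC name plus URLs.
    print('rpc:', rpc_name(SAMPLE_SOAP))
    for url in extract_download_urls(SAMPLE_SOAP):
        print('download url:', url)
```

The fallback matters in practice: a scanner that truncates or mangles the envelope still reveals the URL it wants the device to fetch, and that URL is the indicator worth logging and blocking.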

Looks like most of the mirrors are down or the hosted malware has been removed.
