3 comments on “dionaea-mysql.py.diff: Patch for dionaea to capture cna12 MySQL binaries”

  1. Pingback: Capturing the cna12 MySQL Attacks with Dionaea | Malware Musings

    • Hi Marcelo,

      Thanks for highlighting this and apologies for the delay, but I’d overestimated the complexity of the problem and the amount of work involved and hence the amount of time required to fix it.

      I’d assumed that the Dionaea code had changed and that I needed to find some time to go through and update my changes, when in fact my original copy of the patch still works with the latest Dionaea code.

      Yesterday, I went back to trying to get my HoneyDrive3 installation to a point where I can use it to replace my existing honeypot set-up, and naturally wanted to modify the Dionaea installation thereon to capture these MySQL attacks. So I thought that that would be a good time to test this patch.

      You’re right. A simple copy and paste version of the patch from my blog page will fail to apply. There are two reasons. One, there is a missing blank line around line 85, for some reason. Two, a copy and paste means that you end up with a series of spaces where there once were tabs.

      I’ve updated the copy on my blog page to include the blank line, so it is now a correctly formatted patch at least. However, the second problem still remains. You can get around this by using the ‘-l’ option when running ‘patch’. The ‘-l’ (lower case letter) option tells ‘patch’ to ignore differences in white space.

      However, I’d rather have a way for readers to get a byte-for-byte copy of scripts/patches as I’ve written them, rather than as they end up after being copied and pasted. Especially when indentation (leading white space) matters when it comes to Python scripts.

      So, I have created a sub-page of this one which simply contains a base64 encoded version of the patch shown on this page. You can copy and paste the base64 version, and then simply decode it using any of the base64 decoding utilities (‘openssl’ and ‘uudeview’ for instance).

      Unfortunately, if you’re using Windows, you may be a bit pushed for native base64 decoding utilities, although a quick Internet search shows a number of downloadable ones. I’ve also just thrown together a Python script (http://malwaremusings.com/supporting-files/b64decode-py/) which will do base64 decoding. Base64 encoding that will create a chicken-and-egg type situation, though.

      Musingly,
      Karl.
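The reply above names two ways a copy-and-pasted patch goes wrong: a dropped blank context line, so a hunk no longer matches its `@@` header, and leading tabs silently turned into spaces. The checker below catches both before `patch` is run. It is an added example, not code from the post or from Dionaea; the two sample patches inside it are constructed.

```python
"""Sanity-check a pasted unified diff before handing it to `patch`."""
import re

# Unified-diff hunk header: @@ -start[,count] +start[,count] @@
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

# Constructed sample: the header promises 3 old / 4 new lines, but the blank
# context line between "a" and "c" was lost in the paste (the problem the
# reply describes around line 85 of the real patch).
BROKEN_PATCH = "--- a/example.py\n+++ b/example.py\n@@ -1,3 +1,4 @@\n a\n+\tadded\n c\n"
# Constructed sample: same hunk with the blank context line present.
GOOD_PATCH = "--- a/example.py\n+++ b/example.py\n@@ -1,3 +1,4 @@\n a\n+\tadded\n\n c\n"

def check_patch(text):
    """Return a list of problems (empty list means every hunk matches its header)."""
    problems, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = HUNK_RE.match(lines[i])
        if not m:
            i += 1
            continue
        old_len, new_len = int(m.group(2) or 1), int(m.group(4) or 1)
        old_seen = new_seen = 0
        header_line = i + 1
        i += 1
        while i < len(lines) and (old_seen < old_len or new_seen < new_len):
            line = lines[i]
            if line.startswith("-"):
                old_seen += 1
            elif line.startswith("+"):
                new_seen += 1
            elif line.startswith(" ") or line == "":   # blank context lines often lose their space
                old_seen += 1
                new_seen += 1
            elif not line.startswith("\\"):            # anything else ends the hunk early
                break
            i += 1
        if (old_seen, new_seen) != (old_len, new_len):
            problems.append(f"hunk at line {header_line}: header says -{old_len}/+{new_len}, "
                            f"body has -{old_seen}/+{new_seen}")
    return problems

def indentation_kinds(text):
    """Which kinds of leading whitespace ('tab'/'space') the context and added lines use."""
    kinds = set()
    for line in text.splitlines():
        if line[:1] in (" ", "+") and not line.startswith("+++"):
            body = line[1:]
            lead = body[:len(body) - len(body.lstrip(" \t"))]
            if lead:
                kinds.add("tab" if lead.startswith("\t") else "space")
    return kinds

if __name__ == "__main__":
    print(check_patch(BROKEN_PATCH), indentation_kinds(BROKEN_PATCH))
```

If `indentation_kinds` reports only `space` for a patch you know was written with tabs, the paste mangled it; `patch -l`, as the reply says, will ignore that difference, but a byte-for-byte (e.g. base64) copy avoids the problem altogether.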
