
Empty attacker IP and port 0 with ftpdatalisten protocol

Open Larrax opened this issue 3 years ago • 1 comment

ISSUE TYPE Question

DIONAEA VERSION 0.11.0

OS / ENVIRONMENT Debian 10

SUMMARY Hi, I have some very basic questions. We are running some Dionaea honeypots and consuming the data through hpfeeds. Analyzing the data, I noticed that about 50% of all events with application protocol "ftpdatalisten" have the attacker IP as an empty string and source port 0. I have two questions related to this.

  • Is this an expected behavior? (IMHO, at least port 0 seems like corrupted data, not a legit port number. Why not send None instead?)
  • What is the meaning of such an event in the context of this "ftpdatalisten" protocol?

Thanks. Looking forward to your replies.

STEPS TO REPRODUCE

  • Install dionaea from source
  • Run dionaea
  • Observe events with "ftpdatalisten" protocol

EXPECTED RESULTS All events have legit attacker IP and port.

Larrax avatar Apr 23 '21 14:04 Larrax
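The triage described in the post above, as an added example that is not part of the original issue and not dionaea's own code. It assumes the hpfeeds payload on dionaea's connection channel is one JSON object per event with the keys connection_type, connection_transport, connection_protocol, remote_host, remote_port, local_host and local_port (an assumption about the field names, not something the issue states). The sample events are constructed to reproduce the "about half of ftpdatalisten events have no peer" observation; which connection_type values dionaea actually assigns to those events is likewise not asserted here. The script normalises an empty remote_host or a remote_port of 0 to None, as the reporter suggests, and then breaks the counts down by protocol and connection type so the empty-peer events can be seen separately from the ones that carry a peer.

```python
"""Added example: find dionaea hpfeeds connection events whose peer fields are empty.

Assumptions (not taken from the issue): the payload is JSON with the keys
connection_type, connection_transport, connection_protocol, remote_host,
remote_port, local_host and local_port. SAMPLE_EVENTS is constructed data.
"""
import json
from collections import defaultdict


def _ev(ctype, proto, rhost, rport, lport):
    # Helper to build one constructed hpfeeds-style payload line.
    return json.dumps({
        "connection_type": ctype, "connection_transport": "tcp",
        "connection_protocol": proto, "remote_host": rhost,
        "remote_port": rport, "local_host": "10.0.0.2", "local_port": lport,
    })


# Constructed sample (not captured traffic): two ftpdatalisten events with a
# peer and two without, mirroring the roughly 50% split reported in the issue.
SAMPLE_EVENTS = "\n".join([
    _ev("accept", "ftpd", "203.0.113.5", 51234, 21),
    _ev("listen", "ftpdatalisten", "", 0, 62031),
    _ev("accept", "ftpdatalisten", "203.0.113.5", 51235, 62031),
    _ev("listen", "ftpdatalisten", "", 0, 62044),
    _ev("accept", "ftpdatalisten", "203.0.113.7", 49822, 62044),
    _ev("accept", "smbd", "198.51.100.9", 40001, 445),
])


def normalise_peer(event):
    """Return a copy of the event with an empty remote_host or a remote_port
    of 0 replaced by None, so consumers see 'no peer' rather than a bogus
    address and port, as the issue suggests."""
    out = dict(event)
    host = out.get("remote_host")
    port = out.get("remote_port")
    out["remote_host"] = host if host else None
    out["remote_port"] = port if isinstance(port, int) and port > 0 else None
    return out


def has_peer(event):
    """True only if both normalised peer fields are present."""
    return event["remote_host"] is not None and event["remote_port"] is not None


def summarise(jsonl):
    """Count events per (protocol, connection_type) and how many lack a peer.

    Returns {(protocol, connection_type): {"total": n, "no_peer": m}}.
    """
    stats = defaultdict(lambda: {"total": 0, "no_peer": 0})
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = normalise_peer(json.loads(line))
        key = (ev.get("connection_protocol"), ev.get("connection_type"))
        stats[key]["total"] += 1
        if not has_peer(ev):
            stats[key]["no_peer"] += 1
    return dict(stats)


def no_peer_fraction(jsonl, protocol):
    """Fraction of events for `protocol`, over all connection types, with no peer."""
    total = no_peer = 0
    for (proto, _ctype), c in summarise(jsonl).items():
        if proto == protocol:
            total += c["total"]
            no_peer += c["no_peer"]
    return no_peer / total if total else 0.0


if __name__ == "__main__":
    for (proto, ctype), c in sorted(summarise(SAMPLE_EVENTS).items()):
        print(f"{proto:15s} {ctype:7s} total={c['total']} no_peer={c['no_peer']}")
    print("ftpdatalisten without peer:", no_peer_fraction(SAMPLE_EVENTS, "ftpdatalisten"))
```

To run it against real data, feed the script the raw hpfeeds payloads one JSON object per line; the breakdown by connection_type is what distinguishes events that genuinely have no remote peer from events where the peer fields were lost.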

Thanks for opening your first issue here! Be sure to follow the issue template!

welcome[bot] avatar Apr 23 '21 14:04 welcome[bot]