Nepenthes is a wonderful tool that is great for collection of various malware nastiness. It’s extremely useful and has provided me a fair share of amusement when I review the logs seeing all the various trash the Internet’s tubes try to dump onto my computer. I love Nepenthes.
Unfortunately for me, Nepenthes also completely sucks.
Nepenthes does some amazing things in the areas of collecting malware, examining payloads, and automatic analysis. However, from a user perspective, it’s a fetid pile of yak’s droppings and an abomination in the sight of God. The software seems to be in a perpetual state of debugging, which, by itself, is OK, but it seems to constantly want you to run it from the console. This makes it difficult if you ever want to run it unattended, which in most cases you will want to do considering you’re essentially trawling for malware. The logging facilities also seem to reflect this, as extracting meaningful messages from the log file is pretty close to reading tea leaves.
The thing that really drives me batty is trying to get Nepenthes and Honeyd to work together. The author seems to know that people want to do this and tries to explain what has happened, but provides a next-to-useless explanation and ends it with an update of “The Honeyd guy managed to do this, but I don’t know how.”
I know that almost all open source software is on some level classified as a hobby, but wouldn’t you at least try to make inquiries as to how to make it work, and/or adjust the codebases to make this kind of setup easier? Instead, you have people like me who are using duct tape and baling wire solutions to “fix” the problem, and who are unable to recommend the software for use in production environments specifically because of that.
Which is sad, because I love Nepenthes.